Mac Sierra Server Not Responding on Port

Hey Reid,

Nothing pertinent in system.log.

Very helpful idea about using Telnet.

OK, on the server itself if I type telnet localhost 9443, I get:

Trying ::1...

Connected to localhost

Escape character is '^]'

(Doesn't work remotely.)

----

Tomcat itself starts fine, though with the unreachable port 9443 as noted below, I can't access it.

On the server in Safari: https://mysite.com:9443 gives me a "Safari can't open the page mysite.com:9443 because Safari can't establish a secure connection to the server 'mysite.com'".

Remotely, however, trying to connect to the server (https://mysite.com:9443) just times out (should bring up the main Tomcat window).

----

I have ports 9443 open and port 8009 in Mac Server (Airport Extreme).

Below is the only addition I made to Tomcat's server.xml

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

<Connector

protocol="org.apache.coyote.http11.Http11NioProtocol"

port="8443" maxThreads="200"

scheme="https" secure="true" SSLEnabled="true"

keystoreFile="/path_to_keystore_directory/keystore.jks" keystorePass="thePassword"

keystoreType="JKS"

clientAuth="false" sslProtocol="TLS"/>

--

My keystore file has a single entry (I created the CSR separately) - just the trusted certificate, but Tomcat isn't throwing any errors about it.

I'm a bit stumped at the moment.

If the keystore file is supposed to have more, well, "keys", in it, I'm wondering if that could give me the symptoms I'm seeing or would I just get some kind of "insecure connection" message?

--

Would appreciate any ideas.

Thanks very much for your kind reply. 🙂

Strontium90 wrote:

Wait a sec. In your example you note that you are trying to connect to port 9443 but your Tomcat code says 8443. 8443 is a port used by Apple's Server.app so you might be getting a conflict there. Although, the odd issue is that the telnet attempt revealed that port 9443 is listening.

Also, another suggestion. OS X Server generally wants to be set up with a fully qualified host name (host.domain.tld). In your example, you show only domain.ltd (mysite.com). Let's make sure that DNS is working as expected. If you are behind the Airport as a router, then you will need to support split horizon DNS.

On the Server, try:

nslookup mysite.com

Do you get the private IP address of the server? If not, what happens if you try https://localhost:9443 or https://<your_server's_IPaddress>:9443?

And oh, Tomcat keystone files. There is not many things that bring me so much pain. Let's assume it is created properly and lets focus on the ports and DNS.

Reid

Oops, sorry, typo in message. It should have been 9443.

nslookup mysite.com -> I get the local server private IP address (10.0.1.25).

I re-did the (eyes bleeding process) keystore.jks - doing the CSR from there instead of separately - and re-issued the certificate. Good news. On the server itself, localhost:9443 correctly brings up Tomcat with the Comodo certificate shown (though I have to allow the site name mismatch).

If I use, again on the server, mysite.com:9443, that works perfectly now using the correct certificate.

Connecting remotely still hangs.

Gotta be a port that's not open or something.

If I comment out the 9443 settings in server.xml that now works OK on the server, then I can connect remotely on HTTP port 8080.

How do you debug situations like this?

I do have the excellent Charles reverse proxy program, but it doesn't seem like the request is making it to the server on port 9443 at all so I'm not sure it will help/work. Nothing is logged.

Let me know what else to look at.

Appreciate your knowledgeable replies.

Thanks,

Hey Reid,

Whatdoyaknow...it works!

The remote connectivity problem turned out to by my VPN. Once I disabled that, it was all good.

--

Don't know if you know anything about this other error, but using the same keystore using the "JavaSpark" web services framework, I still get this error:

$curl -k https://mysite.com:4567/secureHello

curl: (35) Unknown SSL protocol error in connection to mysite.com:-9847

secureHello is a simple GET function I wrote for testing:

get("/secureHello", (req, res) ->

{

secure("/path-to-keystore-directory/keystore.jks", "thePassword", "", "");

return "\nSecure Hello.\n\n" ;

});

This is a left-over issue that had nothing to do with Tomcat or port 9443. The JavaSpark framework is light weight and super simple to use (a GET function can really be one line of code). However, support is nearly non-existent.

Now that I know the certificate is right and I know the keystore is right, I'm in a good position to go forward.

I'm also assuming when I renew my certificate next year, I basically "start over". Perhaps I can still keep the private key I created the first time to generate the first CSR (that's in keystore.jks), but I'd generate a new CSR from that key and re-do, re-pay, etc..

Thanks so very much. You're amazing....again! 🙂

- m