Zahid,

On 1/6/20 10:08, Zahid Rahman wrote:
>>> If, however, I do curl https://foo.bar.net from my Mac, I get a
>>> response, but if I do curl https://localhost, it doesn't get
>>> anywhere.
>
> This may be relevant. In the video mentioned earlier in the thread
> the let's encrypt expert says let's encrypt doesn't work on
> localhost but it only works on actual domain.

Correct. You cannot obtain a certificate from Let's Encrypt for
"localhost"; it's got to be something Let's Encrypt can resolve and
contact from their infrastructure. For that reason, LE doesn't work
very well for internal networks.

> He goes on to say you should purchase one "it is not very expensive
> ".

Did I? I don't recall recommending purchasing a certificate during a
presentation on zero-cost certificates.

I'd never bother paying for a certificate for an internal network. Just
self-sign and establish your own trust. The purpose of LE is for
environments where you need *public* trust, not private trust. Private
trust is easy to establish: you get to decide all by yourself! :)

-chris

> On Mon, 6 Jan 2020, 14:57 Christopher Schultz,
> <ch...@christopherschultz.net> wrote:
>
> James,
>
> On 1/3/20 13:47, James H. H. Lampert wrote:
>>>> On 1/3/20 9:57 AM, Christopher Schultz wrote:
>>>>> Is perhaps the AWS firewall (which is a Load Balancer,
>>>>> right?) redirecting the port?
>>>>>
>>>>> Easy test (from the server):
>>>>>
>>>>> $ telnet localhost 443
>>>>
>>>> I hadn't thought of that. But alas, that instance doesn't
>>>> have Telnet on it.
>>>>
>>>>> If it connects, you have something on the host making this
>>>>> work. If it fails to connect, the 443 -> 8443 magic is
>>>>> outside the host itself.
>>>>
>>>> If, however, I do curl https://foo.bar.net from my Mac, I get
>>>> a response, but if I do curl https://localhost, it doesn't
>>>> get anywhere.
>
> So your instance is indeed listening on 8443 and the host (at least
> on the loopback interface) isn't doing any port 443
> funny-business.
>>>>> Note that if you are using AWS load-balancer, AWS provides
>>>>> free certificates that auto-renew; just configure them and
>>>>> you are done forever.
>>>>
>>>>> Let me know about the Load-Balancer. That's probably the
>>>>> piece of the puzzle you aren't looking at quite yet.
>>>>
>>>> No; we *have* load-balanced clusters, and they *are* (as of
>>>> last month) on AWS's certificate system, so I know what that
>>>> looks like. This is completely different; when I connect, I
>>>> see the certificate that is currently active on the Tomcat
>>>> server (and if I plug a different cert into Tomcat, I see the
>>>> change from my browser).
>
> There are also load-balancers that just move bytes and don't
> terminate TLS. It's also possible to have the same certificate
> installed in multiple places. I think you are going to have to look
> around your network a little more to figure out what's happening.
>
> Maybe simply try:
>
> $ host foo.bar.net
>
> And check the IP versus the IP of the Tomcat node?
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
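The checks Chris walks James through (telnet to the port, `host` on the public name, look at which certificate is actually presented) can be done in one script. The following is an added example, not code from this thread or from Tomcat: it resolves the public name, checks whether 443 and 8443 answer on the node, fetches the leaf certificate both via the public name and directly from the Tomcat connector, and compares the two SHA-256 fingerprints to tell "front-end terminates TLS with its own cert" from "bytes pass through (or the same keypair is installed twice)". It also shows where the private trust Chris recommends plugs in: pass your own root CA PEM as `cafile` and the connection is verified against it instead of the public roots. `foo.bar.net`, `localhost` and `8443` are placeholders taken from the thread; the `cafile` argument and all function names are my own.

```python
"""Added diagnostic for the situation in the thread: is the certificate the
browser sees on https://foo.bar.net the one Tomcat serves on 8443, or does
something in front of Tomcat (load balancer, port redirect) terminate TLS
with its own certificate?  foo.bar.net / localhost / 8443 are placeholders."""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional


def sha256_fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA-256 of a DER certificate, the same
    format `openssl x509 -noout -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def resolve(name: str) -> List[str]:
    """IPv4 addresses for a name (the `host foo.bar.net` step); compare these
    by eye with the Tomcat node's own address."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect, the scriptable form of `telnet host port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def peer_cert_der(host: str, port: int, sni: str,
                  cafile: Optional[str] = None, timeout: float = 5.0) -> bytes:
    """Leaf certificate presented at host:port when asking for name `sni`.

    cafile=None: no validation at all, we only want to see what is served.
    cafile=<PEM of your own root>: validate chain and hostname against the
    private trust you set up yourself (assumed file, not from the thread).
    The SNI name is always the public name so a name-based virtual host on
    Tomcat picks the same certificate it would for a real browser."""
    if cafile is None:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def classify(public_fp: Optional[str], node_fp: Optional[str]) -> Dict[str, str]:
    """Pure decision logic, kept separate so it can be tested without a network."""
    if public_fp is None or node_fp is None:
        return {"verdict": "incomplete",
                "why": "could not fetch a certificate from one of the endpoints"}
    if public_fp == node_fp:
        return {"verdict": "same-cert",
                "why": "identical leaf certificate on both paths: either the "
                       "front-end passes TLS through to Tomcat, or the same "
                       "keypair is installed in both places"}
    return {"verdict": "different-cert",
            "why": "different leaf certificates: something in front of Tomcat "
                   "terminates TLS with its own certificate"}


def diagnose(public_name: str, node_host: str = "localhost",
             node_port: int = 8443, cafile: Optional[str] = None) -> Dict[str, str]:
    """Run all checks and return a flat report (run this on the Tomcat node)."""
    report: Dict[str, str] = {"public_ips": ",".join(resolve(public_name)) or "(unresolved)"}
    for port in (443, node_port):
        report[f"{node_host}:{port}"] = "open" if port_open(node_host, port) else "closed"
    fps: Dict[str, Optional[str]] = {}
    for label, host, port in (("public", public_name, 443), ("node", node_host, node_port)):
        try:
            fps[label] = sha256_fingerprint(peer_cert_der(host, port, public_name, cafile))
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            fps[label] = None
            report[f"{label}_error"] = str(exc)
        report[f"{label}_fp"] = fps[label] or "(none)"
    report.update(classify(fps["public"], fps["node"]))
    return report


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "foo.bar.net"
    for key, value in diagnose(name).items():
        print(f"{key}: {value}")
```

Run it on the Tomcat node as `python3 tlspath.py foo.bar.net`. If `localhost:443` is closed, `localhost:8443` is open and the verdict is `same-cert`, the 443 to 8443 mapping lives outside the host and whatever does it is not terminating TLS; `different-cert` means the thing in front has its own certificate and the one in Tomcat is only what you see when you bypass it.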