> If, however, I do curl https://foo.bar.net from my Mac, I get a
> response, but if I do curl https://localhost, it doesn't get
> anywhere.

This may be relevant. In the video mentioned earlier in the thread, the
Let's Encrypt expert says Let's Encrypt doesn't work on localhost but
only works on an actual domain. He goes on to say you should purchase one:
"it is not very expensive".


On Mon, 6 Jan 2020, 14:57 Christopher Schultz, <ch...@christopherschultz.net>
wrote:

> James,
>
> On 1/3/20 13:47, James H. H. Lampert wrote:
> > On 1/3/20 9:57 AM, Christopher Schultz wrote:
> >> Is perhaps the AWS firewall (which is a Load Balancer, right?)
> >> redirecting the port?
> >>
> >> Easy test (from the server):
> >>
> >> $ telnet localhost 443
> >
> > I hadn't thought of that. But alas, that instance doesn't have
> > Telnet on it.
> >
> >> If it connects, you have something on the host making this work.
> >> If it fails to connect, the 443 -> 8443 magic is outside the host
> >> itself.
> >
> > If, however, I do curl https://foo.bar.net from my Mac, I get a
> > response, but if I do curl https://localhost, it doesn't get
> > anywhere.
>
> So your instance is indeed listening on 8443 and the host (at least on
> the loopback interface) isn't doing any port 443 funny-business.
>
> >> Note that if you are using AWS load-balancer, AWS provides free
> >> certificates that auto-renew; just configure them and you are
> >> done forever.
> >
> >> Let me know about the Load-Balancer. That's probably the piece of
> >> the puzzle you aren't looking at quite yet.
> >
> > No; we *have* load-balanced clusters, and they *are* (as of last
> > month) on AWS's certificate system, so I know what that looks like.
> > This is completely different; when I connect, I see the certificate
> > that is currently active on the Tomcat server (and if I plug a
> > different cert into Tomcat, I see the change from my browser).
>
> There are also load-balancers that just move bytes and don't terminate
> TLS. It's also possible to have the same certificate installed in
> multiple places. I think you are going to have to look around your
> network a little more to figure out what's happening.
>
> Maybe simply try:
>
> $ host foo.bar.net
>
> And check the IP versus the IP of the Tomcat node?
>
> -chris

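A diagnostic script for the question the thread circles around (where 443 turns into 8443, and who is serving the certificate), added here as an example; it is not part of the thread or of Tomcat. It assumes a Linux host with bash, openssl, getent, awk and coreutils timeout; foo.bar.net and the 8443 connector come from the thread, the decision logic is this example's own.

```shell
#!/usr/bin/env bash
# Added example: decide whether TLS on :443 is handled on this host or in
# front of it, for the thread's case (https://foo.bar.net answers but
# https://localhost does not). Assumes Linux (hostname -I, getent), bash,
# openssl, coreutils timeout; the 8443 connector is from the thread.
set -u

# TCP connect test without telnet, via bash's /dev/tcp (3 s limit).
port_open() {  # port_open HOST PORT -> status 0 if the connect succeeds
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate served at HOST:PORT, sending
# SNI so a name-based front end selects the same virtual host as a browser.
leaf_fingerprint() {  # leaf_fingerprint HOST PORT SNI
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Is any address the public name resolves to configured on this host?
resolved_is_local() {  # resolved_is_local "RESOLVED..." "LOCAL..."
  local r l
  for r in $1; do for l in $2; do [ "$r" = "$l" ] && return 0; done; done
  return 1
}

# Pure decision step (checkable offline). Arguments are yes|no:
# LOCAL443 = localhost:443 accepts TCP; NAME_LOCAL = public name resolves
# to this host; CERTS_MATCH = same leaf cert on the name and on :8443.
classify() {
  if [ "$1" = yes ]; then echo on-host            # 443 answered on this box
  elif [ "$2" = yes ]; then echo in-front-of-host # name points here, 443 handled before the host
  elif [ "$3" = yes ]; then echo passthrough-or-same-cert  # a front end serves Tomcat's cert
  else echo front-end-terminates-tls; fi          # a front end uses its own cert
}

diagnose() {  # diagnose PUBLIC_NAME [TOMCAT_TLS_PORT]
  local name=$1 tport=${2:-8443} l443=no nlocal=no same=no resolved fp_pub fp_tc
  port_open localhost 443 && l443=yes
  resolved=$(getent ahostsv4 "$name" | awk '{print $1}' | sort -u)
  resolved_is_local "$resolved" "$(hostname -I 2>/dev/null)" && nlocal=yes
  fp_pub=$(leaf_fingerprint "$name" 443 "$name")
  fp_tc=$(leaf_fingerprint localhost "$tport" "$name")
  [ -n "$fp_pub" ] && [ "$fp_pub" = "$fp_tc" ] && same=yes
  printf 'localhost:443 open=%s  name resolves here=%s  same leaf cert=%s\n' \
    "$l443" "$nlocal" "$same"
  printf 'verdict: %s\n' "$(classify "$l443" "$nlocal" "$same")"
}
if [ $# -gt 0 ]; then diagnose "$@"; fi   # e.g. ./tlsdiag.sh foo.bar.net 8443
```

Run it on the Tomcat node itself; a verdict of passthrough-or-same-cert matches the thread's two remaining possibilities (a byte-forwarding front end, or the same certificate installed in two places), which the fingerprint alone cannot separate.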