> Did I? I don't recall recommending purchasing a certificate
Purchase a domain name, not a certificate.


On Mon, 6 Jan 2020, 16:45 Christopher Schultz, <ch...@christopherschultz.net>
wrote:

> Zahid,
>
> On 1/6/20 10:08, Zahid Rahman wrote:
> >> If, however, I do curl https://foo.bar.net from my Mac, I get a
> >> response, but if I do curl https://localhost, it doesn't get
> >> anywhere.
> >
> > This may be relevant. In the video mentioned earlier in the thread
> > the Let's Encrypt expert says Let's Encrypt doesn't work on
> > localhost but it only works on an actual domain.
>
> Correct. You cannot obtain a certificate from Let's Encrypt for
> "localhost"; it's got to be something Let's Encrypt can resolve and
> contact from their infrastructure. For that reason, LE doesn't work
> very well for internal networks.
>
> > He goes on to say you should purchase one: "it is not very expensive".
>
> Did I? I don't recall recommending purchasing a certificate during a
> presentation on zero-cost certificates.
>
> I'd never bother paying for a certificate for an internal network.
> Just self-sign and establish your own trust. The purpose of LE is for
> environments where you need *public* trust, not private trust. Private
> trust is easy to establish: you get to decide all by yourself! :)
>
> - -chris
>
> > On Mon, 6 Jan 2020, 14:57 Christopher Schultz,
> > <ch...@christopherschultz.net> wrote:
> >
> > James,
> >
> > On 1/3/20 13:47, James H. H. Lampert wrote:
> >>>> On 1/3/20 9:57 AM, Christopher Schultz wrote:
> >>>>> Is perhaps the AWS firewall (which is a Load Balancer,
> >>>>> right?) redirecting the port?
> >>>>>
> >>>>> Easy test (from the server):
> >>>>>
> >>>>> $ telnet localhost 443
> >>>>
> >>>> I hadn't thought of that. But alas, that instance doesn't
> >>>> have Telnet on it.
> >>>>
> >>>>> If it connects, you have something on the host making this
> >>>>> work. If it fails to connect, the 443 -> 8443 magic is
> >>>>> outside the host itself.
> >>>>
> >>>> If, however, I do curl https://foo.bar.net from my Mac, I get
> >>>> a response, but if I do curl https://localhost, it doesn't
> >>>> get anywhere.
> >
> > So your instance is indeed listening on 8443 and the host (at least
> > on the loopback interface) isn't doing any port 443
> > funny-business.
> >
> >>>>> Note that if you are using AWS load-balancer, AWS provides
> >>>>> free certificates that auto-renew; just configure them and
> >>>>> you are done forever.
> >>>>
> >>>>> Let me know about the Load-Balancer. That's probably the
> >>>>> piece of the puzzle you aren't looking at quite yet.
> >>>>
> >>>> No; we *have* load-balanced clusters, and they *are* (as of
> >>>> last month) on AWS's certificate system, so I know what that
> >>>> looks like. This is completely different; when I connect, I
> >>>> see the certificate that is currently active on the Tomcat
> >>>> server (and if I plug a different cert into Tomcat, I see the
> >>>> change from my browser).
> >
> > There are also load-balancers that just move bytes and don't
> > terminate TLS. It's also possible to have the same certificate
> > installed in multiple places. I think you are going to have to look
> > around your network a little more to figure out what's happening.
> >
> > Maybe simply try:
> >
> > $ host foo.bar.net
> >
> > And check the IP versus the IP of the Tomcat node?
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >

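Chris's point about internal networks is that private trust is something you create yourself rather than obtain from a public CA. The following is an added example (not code from this thread or from Tomcat) showing what that looks like in Go's standard library: a private root CA is generated, it issues a SAN certificate for an internal hostname, and the certificate is then verified the way a TLS client would verify it. The hostname `tomcat.internal.example` and the CA name `Example Internal Root CA` are assumptions. Against a pool that contains only the private root, verification succeeds; against an empty root set (what a client that was never given the root sees), or for a hostname the certificate was not issued for, it fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// PrivateTrust is a self-made root CA plus one server certificate it issued.
// Nothing here touches the public PKI: the root is trusted only by clients
// that you explicitly hand it to.
type PrivateTrust struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewPrivateTrust creates a private root CA and issues a server certificate
// for host. The hostname goes into the SAN extension, which is what browsers
// and curl actually match on; a CN alone is no longer enough.
func NewPrivateTrust(host string) (*PrivateTrust, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN entry clients match against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed by the private root's key, so the chain is leaf -> root.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &PrivateTrust{Root: root, Leaf: leaf}, nil
}

// VerifyFor does what a TLS client does after the handshake: build a chain
// from leaf to one of roots and check that the certificate is valid for host.
func VerifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "tomcat.internal.example" // assumed internal hostname
	pt, err := NewPrivateTrust(host)
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	private := x509.NewCertPool()
	private.AddCert(pt.Root)
	fmt.Println("private root, right host:", VerifyFor(pt.Leaf, private, host))
	fmt.Println("private root, wrong host:", VerifyFor(pt.Leaf, private, "other.internal.example"))
	fmt.Println("no private root:         ", VerifyFor(pt.Leaf, x509.NewCertPool(), host))
	// This PEM is what you distribute to your own clients (curl --cacert,
	// a browser's trust store, or a Java truststore) to establish the trust.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: pt.Root.Raw})
}
```

The third check is the whole argument of the thread in one line: a certificate is only as trusted as the root set of whoever is connecting. Inside your network you control that root set, so a private CA costs nothing; on the public internet you do not, which is what Let's Encrypt (or any public CA) is for. For Tomcat the leaf certificate and its private key would go into the keystore the connector reads, and only the root certificate needs to reach clients.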