edge-ui authentication error after configuring TLS SSL

We have an active, working 4.19 environment and I'm currently building out a new 4.52 environment to eventually replace it.  So far so good - initial installs went fine, validation went fine, and I'm on to the more advanced setup steps now, with SAML IDP next on the list.   Ran into an odd issue though after enabling TLS for the Edge UI.  I created a signed jks keystore just fine and all of that appears to be working, I updated the ui.properties & management-server.properties for the new URL, new keystore name, and obfuscated password.   Ran /opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl and went through those steps, setting port 9000 as the UI HTTPS port.  The backend management server HTTPS port is 8080 (I know, probably should use 8443 or 9443 to avoid confusion, but keeping it similar to our old environment for FW rules - setting the HTTP port to 8888 per config below).  ALL of that looks okay to me.  After restarting it all, I can get to the login screen but it fails to log in.  When I look at the /opt/apigee/var/log/edge-ui/application.log I see this:

2023-06-30 12:50:11,127 [ERROR] from play.core.server.netty.PlayDefaultUpstreamHandler in application-akka.actor.default-dispatcher-8 - Cannot invoke the action
java.net.ConnectException: Connection refused: apigee-mgmt-nonprod.firsthorizon.com/172.30.67.92:443
at com.ning.http.client.providers.netty.request.NettyConnectListener.onFutureFailure(NettyConnectListener.java:133) ~[com.ning.async-http-client-1.9.40.jar:na]
at com.ning.http.client.providers.netty.request.NettyConnectListener.operationComplete(NettyConnectListener.java:145) ~[com.ning.async-http-client-1.9.40.jar:na]
at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:409) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:400) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:362) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:109) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:79) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.run(NioClientBoss.java:42) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) ~[io.netty.netty-3.10.6.Final.jar:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_372]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_372]
at java.lang.Thread.run(Thread.java:750) ~[na:1.8.0_372]
Caused by: java.net.ConnectException: Connection refused: apigee-mgmt-nonprod.firsthorizon.com/172.30.67.92:443
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[na:1.8.0_372]
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:716) ~[na:1.8.0_372]
at org.jboss.netty.channel.socket.nio.NioClientBoss.connect(NioClientBoss.java:152) ~[io.netty.netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:105) ~[io.netty.netty-3.10.6.Final.jar:na]
... 8 common frames omitted

That DNS name, apigee-mgmt-nonprod.firsthorizon.com, is correct, and the IP address is correct; that's what it resolves to.  I'm unsure though if it is actually trying to form a URL using both (which wouldn't work) or if it is simply showing the DNS name specified in the config files and the IP it resolves to.  Regardless, port 443 is not in use (netstat -an | grep 443 shows that) and I never configured anything on the management server to use 443, so I'm not sure where it is getting this from.  I've tried looking at some of the base config files but haven't found anything that isn't 8080 or 9000.  Any suggestions?

The ui.properties used contains:

conf_application_session.secure=true
conf_apigee_apigee.mgmt.baseurl="https://apigee-mgmt-nonprod.firsthorizon.com/8080/v1"
#conf/application.conf+play.ws.ssl.loose.acceptAnyCertificate=true
#conf_logger_settings_application_log_level=DEBUG
#conf_logger_settings_play_log_level=DEBUG

management-server.properties contains:

conf_webserver_ssl.enabled=true
conf_webserver_http.turn.off=true
conf_webserver_ssl.port=8080
#conf_webserver_ssl.port=8443
conf_webserver_keystore.path=/opt/apigee/customer/application/apigee-mgmt.jks
conf_webserver_keystore.password=OBF:Removed
conf_webserver_cert.alias=
conf_webserver_include.cipher.suites=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
conf_webserver_http.port=8888
#conf_webserver_http.port=8080

First post here, but won't be the last, so any help appreciated.  Thanks!
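An added check, not part of the original post and not Apigee's own tooling: it parses property text in the format posted above (the sample content below is constructed from the question), reports the host and port the Edge UI's HTTP client will actually connect to for conf_apigee_apigee.mgmt.baseurl, and flags a mismatch against the management server's configured listener. In a URL the port must follow the host with ':'; a number after '/' is a path segment and the client falls back to the scheme default (443 for https), which is exactly what the stack trace above shows.

```python
from urllib.parse import urlsplit

# Constructed sample of the two property files as posted (not read from a live system).
UI_PROPERTIES = """conf_application_session.secure=true
conf_apigee_apigee.mgmt.baseurl="https://apigee-mgmt-nonprod.firsthorizon.com/8080/v1"
"""
MS_PROPERTIES = """conf_webserver_ssl.enabled=true
conf_webserver_http.turn.off=true
conf_webserver_ssl.port=8080
conf_webserver_http.port=8888
"""


def load_props(text):
    """Parse key=value lines; skip blanks and '#' comments, strip surrounding quotes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def effective_endpoint(url):
    """Return (scheme, host, port, path) the client will really use, applying scheme defaults."""
    u = urlsplit(url)
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return u.scheme, u.hostname, port, u.path


def check_mgmt_baseurl(ui_text, ms_text):
    """Compare the UI's management base URL with the management server listener; return findings."""
    ui, ms = load_props(ui_text), load_props(ms_text)
    scheme, host, port, path = effective_endpoint(ui["conf_apigee_apigee.mgmt.baseurl"])
    ssl_on = ms.get("conf_webserver_ssl.enabled") == "true"
    expected_scheme = "https" if ssl_on else "http"
    expected_port = int(ms["conf_webserver_ssl.port" if ssl_on else "conf_webserver_http.port"])
    findings = []
    if scheme != expected_scheme:
        findings.append(f"baseurl uses {scheme} but the management server expects {expected_scheme}")
    if port != expected_port:
        findings.append(f"baseurl connects to {host}:{port} but the management server listens on {expected_port}")
    first_segment = path.strip("/").split("/")[0]
    if first_segment.isdigit():
        findings.append(f"path starts with '/{first_segment}': a port belongs after the host as ':{first_segment}'")
    return findings


if __name__ == "__main__":
    for finding in check_mgmt_baseurl(UI_PROPERTIES, MS_PROPERTIES):
        print("WARN:", finding)
```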

ACCEPTED SOLUTION

Closing this - not sure WHAT was going on here, but I disabled TLS and went back through the steps, ignoring the old 4.19 settings and ONLY 4.52 documentation - setting conf_application_session.secure=true in ui.properties was the only config file I used, and otherwise answering the questions in /opt/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl and restarting all components.  It seems to be working fine now.
