tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: New to SSL - debugging tomcat
Date Thu, 22 Dec 2016 16:27:15 GMT

Peter,

On 12/22/16 11:03 AM, Peter Wallis wrote:
> Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> /etc/defaults/tomcat8

Okay. Are you sure you've got that configured properly? Try changing
port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
one problem at a time.

> re openssl s_client -connect on a different machine; it times out
> 
> Did have a thought -- one that might not be obvious to you experts
> -- I am serving that page via No-IP dynamic dns.  Their support
> people are "cagey" about whether this works or not (they don't
> answer the question and suggest I buy an upgraded service)  I
> believe people who know what they are doing just run their own dns
> using unbound?  If that makes no sense, please ignore; I don't know
> what I'm talking about but it seems we are looking for something
> I've done that is weird.

Let's try this: what's the actual IP address of your pi? 192.168.0.10
or somesuch?

Change your port from 443 -> 8443 and then try this:

$ openssl s_client -connect 192.168.0.10:8443

If that connects and shows the cert, then your TLS configuration is
correct. It will complain about the hostname (IP address) not matching
the cert's CN, but that's okay.

Since you have lots of moving parts, let's find out what's working
first and then fix whatever problems remain.

- -chris

> On 22 December 2016 at 15:38, Christopher Schultz <chris@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/22/16 2:43 AM, Peter Wallis wrote:
>>>> Hi Christopher, so it seems I have done something exceptional
>>>> :-) Thanks for taking a look...
>>>> 
>>>> <Connector port="443" 
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" 
>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>> secure="true" keystoreFile="/home/peter/.keystore"
>>>> alias="tomcat" keystorePass="changeit" clientAuth="false"
>>>> sslProtocol="TLS" />
> 
> This looks fine except for one thing: you are using port 443 on a
> *NIX system which requires you to either run as root (bad) or make
> other arrangements. Have you made such arrangements?
> 
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>> 
>>>> Your keystore contains 2 entries
>>>> 
>>>> Alias name: gandi
>>>> Creation date: 21-Dec-2016
>>>> Entry type: trustedCertEntry
> 
> Okay, that's your CA.
> 
>>>> Alias name: tomcat
>>>> Creation date: 21-Dec-2016
>>>> Entry type: trustedCertEntry
> 
> Okay, that's presumably your server's cert.
> 
>>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
>>>> OU=Domain Control Validated
> 
> If that's your site name (alexa.proseco.co.uk) this looks good.
> 
> What happens if you do this from the outside (e.g. not on the pi
> itself) :
> 
> $ openssl s_client -connect alexa.proseco.co.uk:443
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
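The thread's method is to peel the layers apart: first prove something is listening on the port (from the LAN, on 8443, by IP), then prove the listener speaks TLS and serves the expected certificate, and only then worry about DNS, port 443 and authbind. The script below is an added example (the editor's, not code from the thread or from Tomcat) that automates that triage: it runs `openssl s_client` with stdin closed and classifies the result by which layer failed, and it parses `keytool -list -v` output to flag the one thing a keystore listing can tell you before any network test: the alias Tomcat serves from must be a PrivateKeyEntry, because a trustedCertEntry holds a certificate but no private key. The keytool and s_client outputs embedded here are constructed samples modelled on what the thread shows; the LAN address and port in the usage line are the ones suggested in the reply, and the probe assumes an `openssl` binary on PATH.

```python
"""Added example (not from the thread): isolate which layer of a Tomcat TLS
setup is broken, and sanity-check the keystore listing before testing the
network. Sample outputs, address and port are constructed for illustration."""
import re
import subprocess

# Constructed sample laid out the way `keytool -list -v` prints it, with the
# entry types the thread shows (both entries are trustedCertEntry).
SAMPLE_KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gandi
Creation date: 21-Dec-2016
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: 21-Dec-2016
Entry type: trustedCertEntry
Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
"""

# Constructed samples of `openssl s_client -connect` output for two outcomes.
SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=111\n"
SAMPLE_SERVED = """\
CONNECTED(00000003)
depth=0 CN = alexa.proseco.co.uk, OU = Gandi Standard SSL, OU = Domain Control Validated
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = alexa.proseco.co.uk, OU = Gandi Standard SSL, OU = Domain Control Validated
---
Server certificate
subject=CN = alexa.proseco.co.uk, OU = Gandi Standard SSL, OU = Domain Control Validated
---
Verify return code: 21 (unable to verify the first certificate)
"""


def parse_keytool_listing(text):
    """Map alias -> entry type from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias:
            entries[alias] = m.group(1)
    return entries


def check_server_alias(entries, alias):
    """A TLS server needs the private key, so the entry Tomcat serves from must
    be a PrivateKeyEntry; a trustedCertEntry is a certificate only."""
    kind = entries.get(alias)
    if kind is None:
        return False, f"alias {alias!r} not in keystore"
    if kind != "PrivateKeyEntry":
        return False, f"alias {alias!r} is a {kind}: certificate only, no private key"
    return True, f"alias {alias!r} is a PrivateKeyEntry"


def classify_s_client(output):
    """Which layer failed: 'tcp' (nothing reachable: bind, firewall, DNS),
    'handshake' (something answered but not with TLS), 'chain' (TLS works and a
    cert was served, but the chain does not verify), 'hostname' (verify code 62,
    reported only when s_client is run with -verify_hostname), or 'ok'."""
    if re.search(r"connect:\s*errno=|Connection refused|Connection timed out|"
                 r"getaddrinfo|Name or service not known", output):
        return "tcp"
    if re.search(r"no peer certificate available|SSL routines|handshake failure|"
                 r"wrong version number", output):
        return "handshake"
    m = re.search(r"Verify return code:\s*(\d+)", output)
    if m:
        code = int(m.group(1))
        return "ok" if code == 0 else "hostname" if code == 62 else "chain"
    return "unknown"


def served_subject(output):
    """The subject= line s_client prints for the server certificate, or None."""
    m = re.search(r"^subject=(.*)$", output, re.MULTILINE)
    return m.group(1).strip() if m else None


def probe(host, port, timeout=10):
    """Run `openssl s_client -connect host:port` with stdin closed so it exits
    after the handshake; a hang is treated as a 'tcp' failure. Needs openssl."""
    try:
        proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                              input=b"", capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "tcp", None
    out = (proc.stdout + proc.stderr).decode(errors="replace")
    return classify_s_client(out), served_subject(out)


if __name__ == "__main__":
    print(check_server_alias(parse_keytool_listing(SAMPLE_KEYTOOL_LISTING), "tomcat"))
    print(probe("192.168.0.10", 8443))  # LAN address and port suggested in the thread
```

Run the keystore check first: if the serving alias is not a PrivateKeyEntry, no amount of port or DNS work will help. Then probe by IP on 8443 from another machine on the LAN; a `tcp` result means the listener itself is the problem (Tomcat not bound, wrong port, firewall), `handshake` means something other than a TLS listener answered, and `chain` means TLS is fine and only trust or naming remains to be fixed before moving back to 443 and the public name.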
