From: Peter Wallis
Date: Thu, 22 Dec 2016 16:03:05 +0000
Subject: Re: New to SSL - debugging tomcat
To: Tomcat Users List

Hi Christopher,

re 443 on *nix; yes, set AUTHBIND='yes' in /etc/defaults/tomcat8

re openssl s_client -connect on a different machine; it times out

Did have a thought -- one that might not be obvious to you experts -- I am
serving that page via No-IP dynamic dns. Their support people are "cagey"
about whether this works or not (they don't answer the question and suggest
I buy an upgraded service)
I believe people who know what they are doing just run their own dns using
unbound?

If that makes no sense, please ignore; I don't know what I'm talking about
but it seems we are looking for something I've done that is weird.

P

On 22 December 2016 at 15:38, Christopher Schultz <chris@christopherschultz.net> wrote:

> Peter,
>
> On 12/22/16 2:43 AM, Peter Wallis wrote:
> > Hi Christopher, so it seems I have done something exceptional :-)
> > Thanks for taking a look...
> >
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keystoreFile="/home/peter/.keystore" alias="tomcat"
> > keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
>
> This looks fine except for one thing: you are using port 443 on a *NIX
> system which requires you to either run as root (bad) or make other
> arrangements. Have you made such arrangements?
>
> > Keystore type: JKS
> > Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > Alias name: gandi
> > Creation date: 21-Dec-2016
> > Entry type: trustedCertEntry
>
> Okay, that's your CA.
>
> > Alias name: tomcat
> > Creation date: 21-Dec-2016
> > Entry type: trustedCertEntry
>
> Okay, that's presumably your server's cert.
>
> > Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain
> > Control Validated
>
> If that's your site name (alexa.proseco.co.uk) this looks good.
>
> What happens if you do this from the outside (e.g. not on the pi itself):
>
> $ openssl s_client -connect alexa.proseco.co.uk:443
>
> -chris
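
Added example (not part of the original thread): a shell check over `keytool -list -v` output that reports the entry type of the alias the Connector names. A TLS server alias has to be a PrivateKeyEntry, because a trustedCertEntry holds a certificate only. The function names are hypothetical and the sample listing is constructed from the fields quoted in the thread.

```shell
#!/bin/sh
# Added example: inspect `keytool -list -v` text (on stdin) for one alias.
# Function names are hypothetical; SAMPLE_LISTING is constructed from the
# keystore fields quoted in the thread, not captured from a real keystore.

entry_type() {
    # $1 = alias to look up. Prints its "Entry type" value, or nothing
    # when the alias does not appear in the listing.
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { if (alias == want) { print substr($0, 13); exit } }
    '
}

check_server_alias() {
    # $1 = alias named in the Connector. Exit status:
    #   0  alias has a private key (usable as a TLS server identity)
    #   1  alias exists but carries no private key (certificate only)
    #   2  alias is not in the keystore
    etype=$(entry_type "$1")
    case "$etype" in
        PrivateKeyEntry) echo "OK: '$1' is a PrivateKeyEntry"; return 0 ;;
        "")              echo "MISSING: no alias '$1' in keystore"; return 2 ;;
        *)               echo "NO KEY: '$1' is a $etype"; return 1 ;;
    esac
}

SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gandi
Creation date: 21-Dec-2016
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: 21-Dec-2016
Entry type: trustedCertEntry
'

# Against a real keystore the input would come from:
#   keytool -list -v -keystore /home/peter/.keystore
printf '%s' "$SAMPLE_LISTING" | check_server_alias tomcat || true
```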