Peter,

On 12/21/16 4:22 AM, Peter Wallis wrote:
> Hi all, I have tomcat 8.0.39 running on a raspberry pi (easy) and
> thought I'd try setting it up to provide "skills" for the Amazon
> Echo Alexa service. This requires a url which "presents" either a
> signed certificate, or a self-signed certificate.
>
> Using Firefox to check, I believe I got it presenting a
> self-signed certificate but, as I have bought a domain name with a
> free certificate, I thought I'd get that running before moving on to
> delivering skills.

Sounds good.

> A month later (this is not my day job) I'm still stuck. sslchecker
> is the most informative and says no certificates were found. It
> does say "Server Type: Apache-Coyote 1.1"

Okay, so you can make a connection: that's good :)

> No messages on catalina.out; occasionally a message on
> xxx_access_log saying "HEAD / HTTP/1.1" 200 -" openssl verify just
> hangs; and Firefox says secure connection failed.

Okay, so we have a place to start.

First of all, "openssl verify" isn't what you want to use to connect.
Instead, you want "openssl s_client".

Can you post your <Connector> configuration?

> The problem might be an issue with the CA; it might be my keystore;
> it might be my tomcat settings. I don't think it is the latter
> because the self signed certificate seemed to work. I don't think
> it is the CA or keystore because I can a) verify the certificate
> chain with openssl and the keystore tells me I have the
> certificates I think I have.

What matters is what the server (Tomcat) is presenting to the client,
not what's actually in the keystore (though usually they are very
closely related).

> I have googled for getting tomcat to give some debug information
> but what I've found so far has no effect. Can someone point me to
> the official how-to debug ssl issues on tomcat?

There isn't really an official "Tomcat" TLS debugging how-to, because
they are all pretty much the same.
Most of the confusion occurs in one specific place: key/cert
management (key, csr, cert, chain, etc.) because if you don't
understand it, it's easy to get lost.

Along with posting your <Connector> configuration, can you post the
output of this command:

$ keytool -list -verbose -keystore [keystorename]

-chris
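
An added example, not part of the original message: one way to check what the server presents against the certificate you expect it to present, using "openssl s_client" as suggested above. The function names, the default port 18443 and the self-signed test certificates generated by selftest are assumptions made for this illustration.

```shell
# Added example (not from the thread): does the server present the cert you expect?
# The expected PEM can be exported from a keystore with:
#   keytool -exportcert -rfc -alias <alias> -keystore <keystore> > expected.pem

# SHA-256 fingerprint of the leaf certificate the server actually sends.
presented_fingerprint() {   # usage: presented_fingerprint host port
    # </dev/null lets s_client exit after the handshake instead of waiting on stdin
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of a certificate stored in a PEM file.
file_fingerprint() {        # usage: file_fingerprint cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Returns 0 on match, 1 on mismatch, 2 if either side yields no certificate.
compare_presented() {       # usage: compare_presented host port expected.pem
    local got want
    want=$(file_fingerprint "$3") || { echo "cannot read $3"; return 2; }
    got=$(presented_fingerprint "$1" "$2") || true
    [ -n "$got" ] || { echo "no certificate presented by $1:$2"; return 2; }
    if [ "$got" = "$want" ]; then echo "match: $got"; return 0; fi
    echo "MISMATCH: server=$got expected=$want"; return 1
}

# Offline self-check with two constructed self-signed certs and a throwaway
# local server; prints "01" when a.pem matches and b.pem does not.
selftest() {                # usage: selftest [port]
    local port=${1:-18443} dir pid r1=0 r2=0 n
    dir=$(mktemp -d)
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.test" \
            -keyout "$dir/$n.key" -out "$dir/$n.pem" 2>/dev/null
    done
    openssl s_server -accept "127.0.0.1:$port" -www \
        -cert "$dir/a.pem" -key "$dir/a.key" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    compare_presented 127.0.0.1 "$port" "$dir/a.pem" >/dev/null || r1=$?
    compare_presented 127.0.0.1 "$port" "$dir/b.pem" >/dev/null || r2=$?
    kill "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "$r1$r2"
}

if [ "$#" -eq 3 ]; then compare_presented "$@"; fi
```

A result of 2 ("no certificate presented") points at the connector or handshake rather than at the keystore contents; a result of 1 means the server is serving a different certificate from the one exported.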