Hi Christopher,
so it seems I have done something exceptional :-) Thanks for taking a
look...
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           keystoreFile="/home/peter/.keystore" alias="tomcat"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: gandi
Creation date: 21-Dec-2016
Entry type: trustedCertEntry
Owner: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 00:00:00 UTC 2014 until: Wed Sep 11 23:59:59 UTC 2024
Certificate fingerprints:
MD5: 1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
Signature algorithm name: SHA384withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.usertrust.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF 54 80 E1 D8 9B C0 9D F2 Sy.Z.+J.T.......
0010: B2 03 66 CB ..f.
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[] ]
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD 61 3C 9F 7C AD 5D 7F 41 ......N.a<...].A
0010: FD 69 30 EA .i0.
]
]
*******************************************
*******************************************
Alias name: tomcat
Creation date: 21-Dec-2016
Entry type: trustedCertEntry
Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Serial number: 722e058c0d81e1089658a9934163c58a
Valid from: Fri Dec 16 00:00:00 UTC 2016 until: Sat Dec 16 23:59:59 UTC 2017
Certificate fingerprints:
MD5: CA:36:D1:ED:4E:EC:69:91:D8:92:75:71:86:01:A9:6E
SHA1: F3:08:57:19:0E:2C:58:2A:55:B7:71:E3:00:30:D4:84:3F:BA:98:E7
SHA256: AE:7C:12:C5:C0:20:04:A0:A8:77:AF:E8:67:86:0F:83:30:25:D8:83:C5:A7:88:8F:6A:F4:46:B3:0D:ED:BE:6A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://crt.usertrust.com/GandiStandardSSLCA2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.usertrust.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD 61 3C 9F 7C AD 5D 7F 41 ......N.a<...].A
0010: FD 69 30 EA .i0.
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 19 68 74 74 70 73 3A 2F 2F 63 70 73 2E 75 73 ..https://cps.us
0010: 65 72 74 72 75 73 74 2E 63 6F 6D ertrust.com
]] ]
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: alexa.proseco.co.uk
DNSName: www.alexa.proseco.co.uk
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BF 52 0C 03 DD 23 55 BA 3F EB DD F3 C5 56 FE A0 .R...#U.?....V..
0010: 3B 0F F1 E8 ;...
]
]
*******************************************
*******************************************
On 21 December 2016 at 21:17, Christopher Schultz <
[email protected]> wrote:
> Peter,
>
> On 12/21/16 4:22 AM, Peter Wallis wrote:
> > Hi all, I have tomcat 8.0.39 running on a raspberry pi (easy) and
> > thought I'd try setting it up to provide "skills" for the Amazon
> > Echo Alexa service. This requires a url which "presents" either a
> > signed certificate, or a self-signed certificate.
> >
> > Using Firefox to check, I believe I got it presenting a
> > self-signed certificate but, as I have bought a domain name with a
> > free certificate, I thought I'd get that running before moving on to
> > delivering skills.
>
> Sounds good.
>
> > A month later (this is not my day job) I'm still stuck. sslchecker
> > is the most informative and says no certificates were found. It
> > does say "Server Type: Apache-Coyote 1.1"
>
> Okay, so you can make a connection: that's good :)
>
> > No messages on catalina.out; occasionally a message on
> > xxx_access_log saying "HEAD / HTTP/1.1" 200 -" openssl verify just
> > hangs; and Firefox says secure connection failed.
>
> Okay, so we have a place to start. First of all, "openssl verify"
> isn't what you want to use to connect. Instead, you want "openssl
> s_client".
>
> Can you post your <Connector> configuration?
>
> > The problem might be an issue with the CA; it might be my keystore;
> > it might be my tomcat settings. I don't think it is the latter
> > because the self signed certificate seemed to work. I don't think
> > it is the CA or keystore because I can a) verify the certificate
> > chain with openssl and the keystore tells me I have the
> > certificates I think I have.
>
> What matters is what the server (Tomcat) is presenting to the client,
> not what's actually in the keystore (though usually they are very
> closely related).
>
> > I have googled for getting tomcat to give some debug information
> > but what I've found so far has no effect. Can someone point me to
> > the official how-to debug ssl issues on tomcat?
>
> There isn't really an official "Tomcat" TLS debugging how-to, because
> they are all pretty much the same. Most of the confusion occurs in one
> specific place: key/cert management (key, csr, cert, chain, etc.)
> because if you don't understand it, it's easy to get lost.
>
> Along with posting your <Connector> configuration, can you post the
> output of this command:
>
> $ keytool -list -verbose -keystore [keystorename]
>
> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
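The check a reviewer would run on the listing above, as an added example that is not part of the thread or of Tomcat: Chris asked for the <Connector> and the `keytool -list -verbose` output because together they say whether Tomcat has anything to serve. The Connector names alias="tomcat", and the listing shows that alias as a trustedCertEntry. A trustedCertEntry holds a certificate only; the private key lives in a PrivateKeyEntry, and without one Tomcat cannot complete a handshake, which matches "no certificates were found" from the checker and "secure connection failed" from Firefox. The script below parses a keytool listing, confirms the Connector's alias is a PrivateKeyEntry, checks the leaf's SubjectAlternativeName and validity dates, and follows AuthorityKeyIdentifier to SubjectKeyIdentifier to see how far the chain can be built from what the keystore holds. `SAMPLE` is a condensed copy of the listing posted above; the function names, the return-value layout and the 16-bytes-per-line hex-dump assumption are this example's own.

```python
"""Audit a `keytool -list -verbose` listing against what a Tomcat <Connector> needs (added example)."""
import itertools
import re
from datetime import datetime

# Condensed copy of the keytool listing posted in the thread: wrapped lines rejoined; fingerprints,
# serials and extensions this script does not read are left out.
SAMPLE = """\
Alias name: gandi
Entry type: trustedCertEntry
Owner: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Valid from: Fri Sep 12 00:00:00 UTC 2014 until: Wed Sep 11 23:59:59 UTC 2024
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD 61 3C 9F 7C AD 5D 7F 41 ......N.a<...].A
0010: FD 69 30 EA .i0.
]
]
Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Valid from: Fri Dec 16 00:00:00 UTC 2016 until: Sat Dec 16 23:59:59 UTC 2017
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD 61 3C 9F 7C AD 5D 7F 41 ......N.a<...].A
0010: FD 69 30 EA .i0.
]
]
SubjectAlternativeName [
DNSName: alexa.proseco.co.uk
DNSName: www.alexa.proseco.co.uk
]
SubjectKeyIdentifier [
KeyIdentifier [
0000: BF 52 0C 03 DD 23 55 BA 3F EB DD F3 C5 56 FE A0 .R...#U.?....V..
0010: 3B 0F F1 E8 ;...
]
]
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # keytool's "Valid from: ... until: ..." dates
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}$")


def parse_keytool(text):
    """Return {alias: {"type": entry type, "certs": [cert dicts, leaf first]}}."""
    entries, alias, cert, hexinto = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "certs": []}
        elif line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):  # one per cert; a PrivateKeyEntry chain prints several
            cert = {"owner": line[6:].strip(), "ski": "", "aki": "", "sans": []}
            entries[alias]["certs"].append(cert)
        elif line.startswith("Issuer:"):
            cert["issuer"] = line[7:].strip()
        elif line.startswith("Valid from:"):
            start, end = line[len("Valid from: "):].split(" until: ")
            cert["not_before"], cert["not_after"] = (datetime.strptime(s, DATE_FMT) for s in (start, end))
        elif line.startswith("DNSName:"):
            cert["sans"].append(line[8:].strip().lower())
        elif line.startswith(("AuthorityKeyIdentifier", "SubjectKeyIdentifier")):
            hexinto = "aki" if line.startswith("Authority") else "ski"
        elif hexinto and re.match(r"[0-9A-Fa-f]{4}:", line):
            # "0000: B3 90 ... 41 ......N.a<...].A": up to 16 hex bytes, then an ASCII dump (assumed layout)
            cert[hexinto] += "".join(itertools.takewhile(HEX_BYTE.match, line.split()[1:17])).upper()
        elif line.startswith("]"):
            hexinto = None
    return entries


def audit(keytool_output, alias, hostname, now):
    """Check the entry a <Connector alias=...> names for serving `hostname` at `now` (datetime or ISO date)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    entries = parse_keytool(keytool_output)
    entry = entries.get(alias)
    if entry is None or not entry["certs"]:
        return {"problems": [f"alias '{alias}' from the Connector is not in the keystore"], "chain": [], "top_issuer": None}
    problems = []
    if entry["type"] != "PrivateKeyEntry":  # a trustedCertEntry holds a certificate but no private key
        problems.append(f"'{alias}' is a {entry['type']}: no private key, so Tomcat cannot serve it")
    leaf = entry["certs"][0]
    if hostname.lower() not in leaf["sans"]:
        problems.append(f"{hostname} is not among the SANs {leaf['sans']}")
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        problems.append(f"leaf certificate is not valid on {now:%Y-%m-%d}")
    # Follow AuthorityKeyIdentifier -> SubjectKeyIdentifier across every cert in the keystore.
    by_ski = {c["ski"]: c for e in entries.values() for c in e["certs"] if c["ski"]}
    chain, cert = [leaf["owner"]], leaf
    while cert["aki"] in by_ski and cert["aki"] != cert["ski"] and len(chain) < 10:
        cert = by_ski[cert["aki"]]
        chain.append(cert["owner"])
    return {"problems": problems, "chain": chain, "top_issuer": cert.get("issuer")}
```

On the thread's own listing, `audit(SAMPLE, "tomcat", "alexa.proseco.co.uk", "2016-12-21")` reports one problem, the trustedCertEntry, while the chain resolves leaf -> Gandi Standard SSL CA 2 and stops with `top_issuer` at the USERTrust root, which is the right shape: the root belongs in the client's trust store, not the server's keystore, so a chain that ends at a publicly trusted root is complete. To use it on a real box, save `keytool -list -verbose -keystore /home/peter/.keystore` to a file and pass its contents as the first argument. Once the private key that produced the CSR is in the keystore under the Connector's alias (a PrivateKeyEntry with the leaf and the intermediate in its chain), the `problems` list goes empty; the final word is still what Chris said, namely what the server presents on the wire, which `openssl s_client -connect host:443 -servername host` shows.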