Hi Christopher, so it seems I have done something exceptional :-) Thanks for taking a look...
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/home/peter/.keystore" alias="tomcat"
           keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gandi
Creation date: 21-Dec-2016
Entry type: trustedCertEntry

Owner: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 00:00:00 UTC 2014 until: Wed Sep 11 23:59:59 UTC 2024
Certificate fingerprints:
     MD5:  1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
     SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
     SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
     Signature algorithm name: SHA384withRSA
     Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
  ]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z.+J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]


*******************************************
*******************************************


Alias name: tomcat
Creation date: 21-Dec-2016
Entry type: trustedCertEntry

Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Serial number: 722e058c0d81e1089658a9934163c58a
Valid from: Fri Dec 16 00:00:00 UTC 2016 until: Sat Dec 16 23:59:59 UTC 2017
Certificate fingerprints:
     MD5:  CA:36:D1:ED:4E:EC:69:91:D8:92:75:71:86:01:A9:6E
     SHA1: F3:08:57:19:0E:2C:58:2A:55:B7:71:E3:00:30:D4:84:3F:BA:98:E7
     SHA256: AE:7C:12:C5:C0:20:04:A0:A8:77:AF:E8:67:86:0F:83:30:25:D8:83:C5:A7:88:8F:6A:F4:46:B3:0D:ED:BE:6A
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/GandiStandardSSLCA2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
  ]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: alexa.proseco.co.uk
  DNSName: www.alexa.proseco.co.uk
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BF 52 0C 03 DD 23 55 BA   3F EB DD F3 C5 56 FE A0  .R...#U.?....V..
0010: 3B 0F F1 E8                                        ;...
]
]


*******************************************
*******************************************


On 21 December 2016 at 21:17, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/21/16 4:22 AM, Peter Wallis wrote:
> > Hi all, I have tomcat 8.0.39 running on a raspberry pi (easy) and
> > thought I'd try setting it up to provide "skills" for the Amazon
> > Echo Alexa service. This requires a url which "presents" either a
> > signed certificate, or a self-signed certificate.
> >
> > Using Firefox to check, I believe I got it presenting a
> > self-signed certificate but, as I have bought a domain name with a
> > free certificate, I thought I'd get that running before moving on to
> > delivering skills.
>
> Sounds good.
>
> > A month later (this is not my day job) I'm still stuck. sslchecker
> > is the most informative and says no certificates were found. It
> > does say "Server Type: Apache-Coyote 1.1"
>
> Okay, so you can make a connection: that's good :)
>
> > No messages on catalina.out; occasionally a message on
> > xxx_access_log saying "HEAD / HTTP/1.1" 200 -" openssl verify just
> > hangs; and Firefox says secure connection failed.
>
> Okay, so we have a place to start. First of all, "openssl verify"
> isn't what you want to use to connect. Instead, you want "openssl
> s_client".
>
> Can you post your <Connector> configuration?
>
> > The problem might be an issue with the CA; it might be my keystore;
> > it might be my tomcat settings. I don't think it is the latter
> > because the self-signed certificate seemed to work. I don't think
> > it is the CA or keystore because I can a) verify the certificate
> > chain with openssl and the keystore tells me I have the
> > certificates I think I have.
>
> What matters is what the server (Tomcat) is presenting to the client,
> not what's actually in the keystore (though usually they are very
> closely related).
>
> > I have googled for getting tomcat to give some debug information
> > but what I've found so far has no effect. Can someone point me to
> > the official how-to debug ssl issues on tomcat?
>
> There isn't really an official "Tomcat" TLS debugging how-to, because
> they are all pretty much the same. Most of the confusion occurs in one
> specific place: key/cert management (key, csr, cert, chain, etc.)
> because if you don't understand it, it's easy to get lost.
>
> Along with posting your <Connector> configuration, can you post the
> output of this command:
>
> $ keytool -list -verbose -keystore [keystorename]
>
> -chris
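The following is an added example, not part of this thread and not Tomcat's or keytool's own code: a small Python checker that reads a Tomcat 8.0 <Connector> element and the text of `keytool -list -verbose`, and reports the things a reviewer checks when a TLS connection opens but no server certificate is presented. It embeds two constructed listings: one trimmed to the shape of the listing posted above (two trustedCertEntry entries), and one showing what a servable keystore looks like (a PrivateKeyEntry carrying a two-certificate chain). The Connector string and keystore path are copied from the post only as sample input; the "fixed" connector and the second listing are assumptions written for the example. Two facts the checks rely on: a trustedCertEntry holds a certificate and no private key, and in Tomcat 8.0 the Connector attribute that names the server key is `keyAlias`.

```python
"""Offline sanity check of the TLS material behind a Tomcat 8.0 HTTPS <Connector>.

Inputs: the Connector element from server.xml and the text printed by
`keytool -list -verbose -keystore <file>`.  Findings cover the usual causes of
a handshake that completes with no server certificate: the key alias attribute,
the entry type under that alias, and the order of its certificate chain.
"""
import re

# Constructed sample in the shape of the listing in the thread, trimmed to the
# fields this checker reads.  Both entries are trustedCertEntry.
LISTING_POSTED = """\
Keystore type: JKS

Your keystore contains 2 entries

Alias name: gandi
Entry type: trustedCertEntry

Owner: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
*******************************************
*******************************************

Alias name: tomcat
Entry type: trustedCertEntry

Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
*******************************************
*******************************************
"""

# Constructed sample (assumption, not from the thread) of a keystore that
# serves: leaf and issuer form a chain under one PrivateKeyEntry.
LISTING_GOOD = """\
Keystore type: JKS

Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Certificate[2]:
Owner: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
*******************************************
*******************************************
"""

CONNECTOR_POSTED = (
    '<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" '
    'SSLEnabled="true" keystoreFile="/home/peter/.keystore" alias="tomcat" '
    'keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />'
)
# Same connector with the attribute Tomcat 8.0 actually reads.
CONNECTOR_GOOD = CONNECTOR_POSTED.replace(' alias="tomcat"', ' keyAlias="tomcat"')

ENTRY_SEP = re.compile(r"^\*{10,}[ \t]*$", re.M)


def parse_connector(xml):
    """Attributes of a single <Connector .../> element as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', xml))


def parse_listing(text):
    """One dict per keystore entry: alias, entry type, Owner/Issuer lines in order."""
    entries = []
    for block in ENTRY_SEP.split(text):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # preamble, or the empty text between two separator lines
        entries.append({
            "alias": alias.group(1).strip(),
            "type": re.search(r"^Entry type: (.+)$", block, re.M).group(1).strip(),
            "owners": re.findall(r"^Owner: (.+)$", block, re.M),
            "issuers": re.findall(r"^Issuer: (.+)$", block, re.M),
        })
    return entries


def check(connector_xml, listing):
    """Return a list of findings; empty means Tomcat has a key and chain to serve."""
    attrs, entries = parse_connector(connector_xml), parse_listing(listing)
    findings = []
    wanted = attrs.get("keyAlias")
    if wanted is None and "alias" in attrs:
        wanted = attrs["alias"]  # evidently what was meant
        findings.append(f'Connector sets alias="{wanted}"; Tomcat 8.0 reads keyAlias, so alias is ignored')
    key_entries = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not key_entries:
        findings.append("keystore has no PrivateKeyEntry: a trustedCertEntry holds a certificate "
                        "without its private key, so Tomcat has nothing to serve")
    # Without keyAlias, Tomcat uses the first key entry it reads from the keystore.
    if wanted:
        target = next((e for e in entries if e["alias"] == wanted), None)
    else:
        target = key_entries[0] if key_entries else None
    if wanted and target is None:
        findings.append(f"no keystore entry named {wanted!r}")
    elif target and target["type"] != "PrivateKeyEntry":
        findings.append(f"entry {target['alias']!r} is a {target['type']}, not a PrivateKeyEntry")
    elif target and len(target["owners"]) < 2:
        findings.append(f"entry {target['alias']!r} carries only the leaf; the intermediate CA is missing")
    elif target and any(i != o for i, o in zip(target["issuers"], target["owners"][1:])):
        findings.append(f"chain under {target['alias']!r} is not in leaf-to-root order")
    return findings


if __name__ == "__main__":
    for name, conn, lst in (("posted", CONNECTOR_POSTED, LISTING_POSTED),
                            ("fixed", CONNECTOR_GOOD, LISTING_GOOD)):
        print(name, check(conn, lst) or ["OK"])
```

Run as a script, the posted shape yields three findings and the fixed one none. The practical reading for anyone in the same spot: a listing in which every entry is a trustedCertEntry cannot serve TLS no matter what the Connector says; the issued certificate has to be imported with `keytool -importcert` under the alias of the PrivateKeyEntry whose key produced the CSR (with the issuing CA certificate imported as a trusted entry first), after which the listing shows `Entry type: PrivateKeyEntry` and `Certificate chain length: 2`. Then, as Chris says, `openssl s_client -connect host:443 -servername host` shows what Tomcat actually presents rather than what the keystore contains.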