Hi Christopher,

re 443 on *nix; yes, set AUTHBIND='yes' in /etc/defaults/tomcat8

re openssl s_client -connect on a different machine; it times out

Did have a thought -- one that might not be obvious to you experts -- I am serving that page via No-IP dynamic DNS. Their support people are "cagey" about whether this works or not (they don't answer the question and suggest I buy an upgraded service). I believe people who know what they are doing just run their own DNS using unbound?

If that makes no sense, please ignore; I don't know what I'm talking about but it seems we are looking for something I've done that is weird.

P

On 22 December 2016 at 15:38, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/22/16 2:43 AM, Peter Wallis wrote:
> > Hi Christopher, so it seems I have done something exceptional :-)
> > Thanks for taking a look...
> >
> > <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keystoreFile="/home/peter/.keystore" alias="tomcat"
> > keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
>
> This looks fine except for one thing: you are using port 443 on a *NIX
> system which requires you to either run as root (bad) or make other
> arrangements. Have you made such arrangements?
>
> > Keystore type: JKS Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > Alias name: gandi Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's your CA.
>
> > Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's presumably your server's cert.
>
> > Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain
> > Control Validated
>
> If that's your site name (alexa.proseco.co.uk) this looks good.
>
> What happens if you do this from the outside (e.g.
> not on the pi itself):
>
> $ openssl s_client -connect alexa.proseco.co.uk:443
>
> -chris