Peter,

On 12/22/16 11:03 AM, Peter Wallis wrote:
> Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> /etc/defaults/tomcat8

Okay. Are you sure you've got that configured properly? Try changing
port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
one problem at a time.

> re openssl s_client -connect on a different machine; it times out
>
> Did have a thought -- one that might not be obvious to you experts
> -- I am serving that page via No-IP dynamic dns. Their support
> people are "cagey" about whether this works or not (they don't
> answer the question and suggest I buy an upgraded service) I
> believe people who know what they are doing just run their own dns
> using unbound? If that makes no sense, please ignore; I don't know
> what I'm talking about but it seems we are looking for something
> I've done that is weird.

Let's try this: what's the actual IP address of your pi? 192.168.0.10
or somesuch? Change your port from 443 -> 8443 and then try this:

$ openssl s_client -connect 192.168.0.10:8443

If that connects and shows the cert, then your TLS configuration is
correct. It will complain about the hostname (IP address) not matching
the cert's CN, but that's okay.

Since you have lots of moving parts, let's find out what's working
first and then fix whatever problems remain.

-chris

> On 22 December 2016 at 15:38, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Peter,
>
> On 12/22/16 2:43 AM, Peter Wallis wrote:
>>>> Hi Christopher, so it seems I have done something exceptional
>>>> :-) Thanks for taking a look...
>>>>
>>>> <Connector port="443"
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>> secure="true" keystoreFile="/home/peter/.keystore"
>>>> alias="tomcat" keystorePass="changeit" clientAuth="false"
>>>> sslProtocol="TLS" />
>
> This looks fine except for one thing: you are using port 443 on a
> *NIX system which requires you to either run as root (bad) or make
> other arrangements. Have you made such arrangements?
>
>>>> Keystore type: JKS Keystore provider: SUN
>>>>
>>>> Your keystore contains 2 entries
>>>>
>>>> Alias name: gandi Creation date: 21-Dec-2016 Entry type:
>>>> trustedCertEntry
>
> Okay, that's your CA.
>
>>>> Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
>>>> trustedCertEntry
>
> Okay, that's presumably your server's cert.
>
>>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
>>>> OU=Domain Control Validated
>
> If that's your site name (alexa.proseco.co.uk) this looks good.
>
> What happens if you do this from the outside (e.g. not on the pi
> itself):
>
> $ openssl s_client -connect alexa.proseco.co.uk:443
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
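
The layer-by-layer check this reply walks through (is the port reachable, does the handshake complete, does the certificate match the name), written out as an added Python example; it is not part of the original mail or of Tomcat. The function `probe_tls` and its stage names are hypothetical; the address and port in the usage line are the ones suggested in the mail.

```python
import socket
import ssl

def probe_tls(host, port, server_name=None, timeout=5.0):
    """Return (stage, detail) naming the first layer that failed, or 'ok'."""
    # Stage 1: plain TCP. A timeout points at routing, NAT or a firewall;
    # a refusal means the host answered but nothing listens on that port.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp-timeout", "no answer: check address, port forwarding, firewall")
    except ConnectionRefusedError:
        return ("tcp-refused", "host reachable, nothing listening on this port")
    except OSError as exc:
        return ("tcp-error", str(exc))

    # Stage 2: handshake without enforcing verification, so a name or chain
    # problem does not hide whether the connector can complete TLS at all.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    name = server_name or host
    try:
        with loose.wrap_socket(sock, server_hostname=name) as tls:
            der = tls.getpeercert(binary_form=True) or b""
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return ("tls-handshake-failed", str(exc))

    # Stage 3: reconnect with chain and name verification. Probing by IP
    # address fails here when the certificate only names a hostname.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=name):
                pass
    except ssl.SSLCertVerificationError as exc:
        return ("tls-ok-cert-unverified", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls-handshake-failed", str(exc))
    return ("ok", f"verified, {len(der)} byte certificate")

if __name__ == "__main__":
    # Address and port are the ones suggested in the mail.
    print(probe_tls("192.168.0.10", 8443))
```

A `tcp-timeout` from an outside machine alongside a `tls-ok-cert-unverified` from the local network separates a DNS or port-forwarding problem from a Tomcat connector problem.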