Ahh! Changed the server.xml entries to 8443, tried:

    openssl s_client -connect 192.168.1.149:8443

and got:

    CONNECTED(00000003)
    3074541192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

That might mean something (note I retyped it from an ssh connection after a stiff drink, so there may be typos).

P

On 22 December 2016 at 16:27, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/22/16 11:03 AM, Peter Wallis wrote:
> > Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> > /etc/defaults/tomcat8
>
> Okay. Are you sure you've got that configured properly? Try changing
> port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
> one problem at a time.
>
> > re openssl s_client -connect on a different machine; it times out
> >
> > Did have a thought -- one that might not be obvious to you experts
> > -- I am serving that page via No-IP dynamic dns. Their support
> > people are "cagey" about whether this works or not (they don't
> > answer the question and suggest I buy an upgraded service). I
> > believe people who know what they are doing just run their own dns
> > using unbound? If that makes no sense, please ignore; I don't know
> > what I'm talking about, but it seems we are looking for something
> > I've done that is weird.
>
> Let's try this: what's the actual IP address of your pi? 192.168.0.10
> or somesuch?
>
> Change your port from 443 -> 8443 and then try this:
>
> $ openssl s_client -connect 192.168.0.10:8443
>
> If that connects and shows the cert, then your TLS configuration is
> correct. It will complain about the hostname (IP address) not matching
> the cert's CN, but that's okay.
>
> Since you have lots of moving parts, let's find out what's working
> first and then fix whatever problems remain.
>
> -chris
>
> > On 22 December 2016 at 15:38, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Peter,
> > >
> > > On 12/22/16 2:43 AM, Peter Wallis wrote:
> > > > Hi Christopher, so it seems I have done something exceptional
> > > > :-) Thanks for taking a look...
> > > >
> > > > <Connector port="443"
> > > >   protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > >   maxThreads="150" SSLEnabled="true" scheme="https"
> > > >   secure="true" keystoreFile="/home/peter/.keystore"
> > > >   alias="tomcat" keystorePass="changeit" clientAuth="false"
> > > >   sslProtocol="TLS" />
> > >
> > > This looks fine except for one thing: you are using port 443 on a
> > > *NIX system which requires you to either run as root (bad) or make
> > > other arrangements. Have you made such arrangements?
> > >
> > > > Keystore type: JKS
> > > > Keystore provider: SUN
> > > >
> > > > Your keystore contains 2 entries
> > > >
> > > > Alias name: gandi
> > > > Creation date: 21-Dec-2016
> > > > Entry type: trustedCertEntry
> > >
> > > Okay, that's your CA.
> > >
> > > > Alias name: tomcat
> > > > Creation date: 21-Dec-2016
> > > > Entry type: trustedCertEntry
> > >
> > > Okay, that's presumably your server's cert.
> > >
> > > > Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
> > > > OU=Domain Control Validated
> > >
> > > If that's your site name (alexa.proseco.co.uk) this looks good.
> > >
> > > What happens if you do this from the outside (e.g. not on the pi
> > > itself):
> > >
> > > $ openssl s_client -connect alexa.proseco.co.uk:443
> > >
> > > -chris
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
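The s_client transcripts in this thread are easier to read mechanically than by eye. As an added example (not code from the thread or from Tomcat), here is a small POSIX shell helper that classifies a saved `openssl s_client` transcript and pulls out the peer subject and verify code; the two transcripts embedded in it are constructed samples, one modelled on the failure above and one on a server that does answer with a certificate.

```shell
# Prints one word describing the outcome of the s_client transcript read on stdin.
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"connect:errno="*|*"Connection refused"*|*"timed out"*)
            echo connect-failed ;;   # TCP never connected: nothing listening, wrong host, or filtered
        *"handshake has read 0 bytes"*)
            echo no-tls-on-port ;;   # TCP connected, but the peer sent no TLS data before the handshake died
        *"-----BEGIN CERTIFICATE-----"*)
            echo tls-ok ;;           # a certificate came back; now read the Verify line
        *)  echo unknown ;;
    esac
}

# Peer certificate subject from a transcript on stdin (empty if none was sent).
s_client_subject() { sed -n 's/^subject=//p'; }

# Numeric "Verify return code" from a transcript on stdin (0 means the chain verified).
s_client_verify_code() { sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'; }

# Constructed sample modelled on the failure reported in the thread.
FAIL_TRANSCRIPT='CONNECTED(00000003)
3074541192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)'

# Constructed sample for a server that does speak TLS, with a self-signed cert.
OK_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = example.test
verify error:num=18:self signed certificate
---
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
subject=CN = example.test
issuer=CN = example.test
---
SSL handshake has read 1301 bytes and written 415 bytes
Verify return code: 18 (self signed certificate)'

printf '%s\n' "$FAIL_TRANSCRIPT" | classify_s_client    # no-tls-on-port
printf '%s\n' "$OK_TRANSCRIPT" | classify_s_client      # tls-ok
printf '%s\n' "$OK_TRANSCRIPT" | s_client_subject       # CN = example.test
printf '%s\n' "$OK_TRANSCRIPT" | s_client_verify_code   # 18
```

Feed a real run with `openssl s_client -connect host:port </dev/null 2>&1 | classify_s_client`; a `no-tls-on-port` result means the port answered but nothing completed a TLS handshake, which is the place to look before worrying about certificate names.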