Ahh!
changed the server.xml entries to 8443
tried:
  openssl s_client -connect 192.168.1.149:8443
and got:
  CONNECTED(00000003)
  3074541192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
  failure:s23_lib.c:177:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 295 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  ---

That might mean something (note I retyped it from an ssh connection after a
stiff drink, so there may be typos).

P

On 22 December 2016 at 16:27, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/22/16 11:03 AM, Peter Wallis wrote:
> > Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> > /etc/defaults/tomcat8
>
> Okay. Are you sure you've got that configured properly? Try changing
> port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
> one problem at a time.
>
> > re openssl s_client -connect on a different machine; it times out
> >
> > Did have a thought -- one that might not be obvious to you experts
> > -- I am serving that page via No-IP dynamic dns.  Their support
> > people are "cagey" about whether this works or not (they don't
> > answer the question and suggest I buy an upgraded service)  I
> > believe people who know what they are doing just run their own dns
> > using unbound?  If that makes no sense, please ignore; I don't know
> > what I'm talking about but it seems we are looking for something
> > I've done that is weird.
>
> Let's try this: what's the actual IP address of your pi? 192.168.0.10
> or somesuch?
>
> Change your port from 443 -> 8443 and then try this:
>
> $ openssl s_client -connect 192.168.0.10:8443
>
> If that connects and shows the cert, then your TLS configuration is
> correct. It will complain about the hostname (IP address) not matching
> the cert's CN, but that's okay.
>
> Since you have lots of moving parts, let's find out what's working
> first and then fix whatever problems remain.
>
> -chris
>
> > On 22 December 2016 at 15:38, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Peter,
> >
> > On 12/22/16 2:43 AM, Peter Wallis wrote:
> >>>> Hi Christopher, so it seems I have done something exceptional
> >>>> :-) Thanks for taking a look...
> >>>>
> >>>> <Connector port="443"
> >>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>>> secure="true" keystoreFile="/home/peter/.keystore"
> >>>> alias="tomcat" keystorePass="changeit" clientAuth="false"
> >>>> sslProtocol="TLS" />
> >
> > This looks fine except for one thing: you are using port 443 on a
> > *NIX system which requires you to either run as root (bad) or make
> > other arrangements. Have you made such arrangements?
> >
> >>>> Keystore type: JKS Keystore provider: SUN
> >>>>
> >>>> Your keystore contains 2 entries
> >>>>
> >>>> Alias name: gandi Creation date: 21-Dec-2016 Entry type:
> >>>> trustedCertEntry
> >
> > Okay, that's your CA.
> >
> >>>> Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
> >>>> trustedCertEntry
> >
> > Okay, that's presumably your server's cert.
> >
> >>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
> >>>> OU=Domain Control Validated
> >
> > If that's your site name (alexa.proseco.co.uk) this looks good.
> >
> > What happens if you do this from the outside (e.g. not on the pi
> > itself):
> >
> > $ openssl s_client -connect alexa.proseco.co.uk:443
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
>

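Two captures decide where this thread's handshake failure lives: the keystore listing quoted earlier (both aliases are `trustedCertEntry`) and the `openssl s_client` output above (TCP connects, 0 bytes read, no peer certificate). The script below is an added example, not code from the thread or from the Tomcat project. It parses both captures and reports what they imply; the one fact it relies on that the thread does not state outright is that a JKS `trustedCertEntry` holds only a certificate and no private key, whereas a connector needs a `PrivateKeyEntry` under the alias it names. The sample texts are constructed from the figures quoted in the thread, with keytool's usual one-field-per-line layout restored and the CA entry's Owner line, which the thread does not quote, left out.

```python
"""Triage helpers for a Tomcat HTTPS connector whose TLS handshake fails.

Reads the text of `keytool -list -v -keystore <file>` and of
`openssl s_client -connect <host>:<port>` and reports what each implies.
Sample inputs below are constructed from the thread; they are not live captures.
"""
import re

# Constructed from the keystore listing quoted in the thread.
KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gandi
Creation date: 21-Dec-2016
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: 21-Dec-2016
Entry type: trustedCertEntry
Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain Control Validated
"""

# Constructed from the s_client output quoted in the thread (typos corrected).
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
3074541192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
"""

_FIELD = re.compile(r"^(Alias name|Creation date|Entry type|Owner|Issuer):\s*(.*)$", re.M)
_BYTES = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")


def parse_keytool_listing(text):
    """Return {alias: {field: value}} for every entry in a `keytool -list -v` dump."""
    entries, current = {}, None
    for field, value in _FIELD.findall(text):
        if field == "Alias name":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current[field] = value.strip()
    return entries


def check_connector_alias(listing_text, alias):
    """Check the alias named in the Connector's alias= attribute.

    A PrivateKeyEntry carries a private key plus its certificate chain; a
    trustedCertEntry carries only a certificate, so Tomcat has no key to
    complete the handshake with.
    """
    entry = parse_keytool_listing(listing_text).get(alias)
    if entry is None:
        return {"alias": alias, "entry_type": None, "has_private_key": False,
                "owner": None, "finding": f"alias {alias!r} is not in the keystore"}
    entry_type = entry.get("Entry type")
    ok = entry_type == "PrivateKeyEntry"
    finding = ("alias holds a private key entry; the keystore side looks usable" if ok else
               f"alias is a {entry_type}: certificate only, no private key; "
               "import the server key and chain under this alias")
    return {"alias": alias, "entry_type": entry_type, "has_private_key": ok,
            "owner": entry.get("Owner"), "finding": finding}


def classify_handshake(output):
    """Say how far an `openssl s_client` attempt got and which layer to look at next."""
    m = _BYTES.search(output)
    read, written = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    if "BEGIN CERTIFICATE" in output:
        stage = "certificate_received"
        advice = "TLS is up; a CN mismatch when connecting by IP is expected and a separate issue"
    elif "CONNECTED" in output and "no peer certificate available" in output:
        stage = "tcp_ok_handshake_refused"
        advice = "TCP connected but the server closed without a certificate: check keystore, alias and password"
        if read == 0:
            advice += " (0 bytes read: no ServerHello at all, so the connector never started TLS)"
    elif "Connection refused" in output or "connect:errno" in output:
        stage = "tcp_failed"
        advice = "nothing is listening on that port, or a firewall or port binding is in the way"
    else:
        stage, advice = "unknown", "output not recognised; rerun s_client with -msg for a record trace"
    return {"stage": stage, "bytes_read": read, "bytes_written": written, "advice": advice}


def triage(listing_text, s_client_text, alias):
    """Combine both captures into a list of findings, handshake first."""
    hs = classify_handshake(s_client_text)
    ks = check_connector_alias(listing_text, alias)
    return [f"handshake: {hs['stage']}: {hs['advice']}", f"keystore: {ks['finding']}"]


if __name__ == "__main__":
    for line in triage(KEYTOOL_LISTING, S_CLIENT_OUTPUT, "tomcat"):
        print(line)
```

Run it against real captures by replacing the two constants with the text of `keytool -list -v` and `openssl s_client` from the server; the alias argument is whatever the Connector's `alias=` attribute says (here `tomcat`).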