By: Simon Devlin user 19 Aug 2016 at 8:35 a.m. CDT

10 Responses

Hello, I'm trying to get the SMTP integration working. I have a userid/password combo which I believe to be correct, but I'm getting authentication failed during the setup. My SMTP server requires TLS but is using a self-signed certificate (I could strangle some of our admins!). Is it possible that the TLS isn't working because the cert is untrusted? The logs aren't all that informative in this situation - can't tell if it's a username/password issue or a TLS issue.

```
INFO | jvm 1 | 2016/08/19 13:58:01 | 2016-08-19 13:58:01,037 ERROR [org.gluu.oxtrust.action.UpdateOrganizationAction] SMTP Authentication Error:
INFO | jvm 1 | 2016/08/19 13:58:01 | at org.gluu.oxtrust.action.UpdateOrganizationAction.verifySmtpConfiguration(UpdateOrganizationAction.java:226)
INFO | jvm 1 | 2016/08/19 13:58:01 | at org.gluu.oxtrust.action.UpdateOrganizationAction_$$_javassist_seam_76.verifySmtpConfiguration(UpdateOrganizationAction_$$_javassist_seam_76.java)
```

Thanks (again). BTW am pushing for a support contract but our wheels turn slowly.

By Aliaksandr Samuseu staff 19 Aug 2016 at 8:41 a.m. CDT

Hi, Simon. I think what you need is to add your server's self-signed cert to the default java keystore within the Gluu's container. Please check our docs portal's page on certificate updates for examples, or any other article on the internet, it's a routine administration task.

By Aliaksandr Samuseu staff 19 Aug 2016 at 8:44 a.m. CDT

I mean [this page](https://www.gluu.org/docs/gluu-defaults/certificates/). Also check [this one](https://www.gluu.org/docs/further-reading/cert-full-update-procedures/) for detailed steps, with command examples.

Best regards, Alex.

By Simon Devlin user 19 Aug 2016 at 9:47 a.m. CDT

Well it certainly had an effect! I did this

```
$JAVA_HOME/bin/keytool -import -alias "GBNPPWXCH02" --trustcacerts -file GBNPPWXCH02.pem -keystore /usr/java/latest/lib/security/cacerts
```

```
INFO | jvm 1 | 2016/08/19 15:41:10 | 2016-08-19 15:41:10,861 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] HostName: smtp.example.com Port: 25 RequireSSL: true RequireSSL: true
INFO | jvm 1 | 2016/08/19 15:41:10 | 2016-08-19 15:41:10,866 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] UserName: idp@example.com Password: mypassword
INFO | jvm 1 | 2016/08/19 15:41:11 | 2016-08-19 15:41:10,933 ERROR [org.gluu.oxtrust.action.UpdateOrganizationAction] SMTP Host Connection Error
INFO | jvm 1 | 2016/08/19 15:41:11 | javax.mail.MessagingException: Can't send command to SMTP host;
INFO | jvm 1 | 2016/08/19 15:41:11 | nested exception is:
INFO | jvm 1 | 2016/08/19 15:41:11 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2016/08/19 15:41:11 | at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1717)
INFO | jvm 1 | 2016/08/19 15:41:11 | at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1704)
```

I previously scripted the entire certificate update process and as far as I can tell have just done "more of the same".

Any ideas while I keep digging?

By Aliaksandr Samuseu staff 19 Aug 2016 at 10:04 a.m. CDT

Just a couple of wild guesses:

1. Have you tried to verify the certificate was really added there (better double-check everything first)? Please try to run `# keytool -list -alias "GBNPPWXCH02" -v -keystore /usr/java/latest/lib/security/cacerts -storepass changeit` from within the container.
2. Is your certificate correct, i.e. does it have a correct hostname in the "Common name" field, it hasn't expired, etc.? (Yes, I understand it sounds funny when we are talking about a self-signed cert, but sometimes this may create issues even in its case.)
3. Have you tried to restart Tomcat after adding the certificate? Please try to run `# service tomcat restart` from within the container.

By Aliaksandr Samuseu staff 19 Aug 2016 at 10:10 a.m. CDT

One more thing:

4. Please verify that in your distribution the default java storage is indeed located at this path: `/usr/java/latest/lib/security/cacerts`. Usually it's a symbolic link pointing to its actual location, but if by any chance it hadn't been set prior to you running `# keytool -import`, it could simply create a new keystore at this location, placing your cert there, i.e. it didn't update the default keystore. Try to list the contents of the keystore at `/usr/java/latest/lib/security/cacerts`; if it contains just your one certificate, this is the case.

Also, please keep in mind that all operations must be done **within the Gluu container** (after you issued the `# service gluu-server-2.4.4 login` command).

By Simon Devlin user 19 Aug 2016 at 10:37 a.m. CDT

I think everything is as it should be - and was done from the container.

```
-bash-4.2# $JAVA_HOME/bin/keytool -list -alias "GBNPPWXCH02" -v -keystore /usr/java/latest/lib/security/cacerts -storepass changeit
Alias name: GBNPPWXCH02
Creation date: 19-Aug-2016
Entry type: trustedCertEntry
Owner: CN=GBNPPWXCH02
Issuer: CN=GBNPPWXCH02
Serial number: 14c3c8fbd8aae18a4323fa7d00248215
Valid from: Mon Oct 12 21:01:46 BST 2015 until: Mon Oct 12 21:01:46 BST 2020
<snip>
```

and I'm using "real" certs for the Shibboleth and Apache as described in the docs you linked to previously, so am confident that the symlinks are working as expected.

By Aliaksandr Samuseu staff 19 Aug 2016 at 11:25 a.m. CDT

Thanks, Simon. By any chance, is your mail server accessible over the Internet? I could try to check the issue locally, with my own Gluu instance.

By Simon Devlin user 24 Aug 2016 at 6:04 a.m. CDT

Hi, thanks for the offer, but no it's not internet accessible. I haven't made any progress except that I spun up a simple mailserver with a self-signed cert and Gluu could talk to that one seemingly without any additional config. I'm a bit confused atm but will keep investigating.

By Aliaksandr Samuseu staff 24 Aug 2016 at 7:12 p.m. CDT

I would double-check/compare the certificates at both these servers, trying to find what the differences are. I would also pay close attention to what is in the "Common Name" field of both certificates.

By Simon Devlin user 30 Aug 2016 at 6:17 a.m. CDT

Cracked it :-) I'll add a bit of context.

The self-signed cert used by my mail server is issued with two entries in the subjectAlternateName block, the short version and the FQDN of the host. In my case, adding the certificate into the cacerts trust store using the FQDN as the alias definitely works (assumes your certificate is in cert.pem) - e.g.

```
keytool -import -alias "GBNPPWXCH01.EXAMPLE.ORG" -keystore /usr/java/latest/lib/security/cacerts -storepass changeit -file cert.pem
```

If you don't have the certificate you can obtain it like so

```
echo | openssl s_client -showcerts -connect hostname:25 -starttls smtp 2>&1 | sed -ne '/-BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > cert.pem
```

But simply restarting tomcat did not do the job for me. I found that I had to completely exit the container and bounce it

```
sudo /sbin/gluu-server-2.4.3 stop
sudo /sbin/gluu-server-2.4.3 start
```

before the certificate was read into the trust store.

Figuring out what's trusted and what isn't is a bit of a pain but you can get some useful, if lengthy output by adding a debug flag to the wrapper conf.
The output looks like this

```
INFO | jvm 1 | 2016/08/30 11:51:37 | 2016-08-30 11:51:37,391 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] HostName: GBNPPWXCH01.EXAMPLE.ORG Port: 25 RequireSSL: true RequireSSL: true
INFO | jvm 1 | 2016/08/30 11:51:37 | 2016-08-30 11:51:37,392 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] UserName: hb-idp-preprod@example.org Password: Password123
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
INFO | jvm 1 | 2016/08/30 11:51:37 | Allow unsafe renegotiation: false
INFO | jvm 1 | 2016/08/30 11:51:37 | Allow legacy hello messages: true
INFO | jvm 1 | 2016/08/30 11:51:37 | Is initial handshake: true
INFO | jvm 1 | 2016/08/30 11:51:37 | Is secure renegotiation: false
INFO | jvm 1 | 2016/08/30 11:51:37 | %% Client cached [Session-14, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
INFO | jvm 1 | 2016/08/30 11:51:37 | %% Try resuming [Session-14, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] from port 48288
INFO | jvm 1 | 2016/08/30 11:51:37 | *** ClientHello, TLSv1
INFO | jvm 1 | 2016/08/30 11:51:37 | RandomCookie: GMT: 1455777081 bytes = { 218, 118, 47, 125, 153, 21, 154, 147, 92, 182, 144, 97, 41, 140, 242, 171, 32, 64, 103, 71, 31, 178, 100, 145, 68, 79, 123, 201 }
INFO | jvm 1 | 2016/08/30 11:51:37 | Session ID: {82, 73, 0, 0, 215, 69, 166, 94, 168, 98, 72, 54, 171, 219, 36, 243, 21, 141, 146, 183, 135, 195, 36, 33, 108, 221, 38, 28, 151, 35, 117, 153}
INFO | jvm 1 | 2016/08/30 11:51:37 | Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
INFO | jvm 1 | 2016/08/30 11:51:37 | Compression Methods: { 0 }
INFO | jvm 1 | 2016/08/30 11:51:37 | Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
INFO | jvm 1 | 2016/08/30 11:51:37 | Extension ec_point_formats, formats: [uncompressed]
INFO | jvm 1 | 2016/08/30 11:51:37 | Extension server_name, server_name: [host_name: GBNPPWXCH01.EXAMPLE.ORG]
INFO | jvm 1 | 2016/08/30 11:51:37 | ***
INFO | jvm 1 | 2016/08/30 11:51:37 | ajp-bio-127.0.0.1-8009-exec-7, WRITE: TLSv1 Handshake, length = 170
INFO | jvm 1 | 2016/08/30 11:51:37 | ajp-bio-127.0.0.1-8009-exec-7, READ: TLSv1 Handshake, length = 1225
INFO | jvm 1 | 2016/08/30 11:51:37 | *** ServerHello, TLSv1
INFO | jvm 1 | 2016/08/30 11:51:37 | RandomCookie: GMT: 1455777321 bytes = { 199, 223, 199, 33, 225, 34, 146, 175, 165, 107, 84, 36, 16, 208, 240, 164, 209, 185, 252, 7, 207, 57, 191, 235, 35, 184, 130, 26 }
INFO | jvm 1 | 2016/08/30 11:51:37 | Session ID: {80, 74, 0, 0, 26, 81, 32, 211, 244, 117, 5, 54, 108, 67, 196, 115, 1, 58, 4, 1, 175, 210, 210, 150, 9, 243, 15, 61, 206, 188, 145, 232}
INFO | jvm 1 | 2016/08/30 11:51:37 | Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
INFO | jvm 1 | 2016/08/30 11:51:37 | Compression Method: 0
INFO | jvm 1 | 2016/08/30 11:51:37 | Extension renegotiation_info, renegotiated_connection: <empty>
INFO | jvm 1 | 2016/08/30 11:51:37 | ***
INFO | jvm 1 | 2016/08/30 11:51:37 | %% Invalidated: [Session-14, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
INFO | jvm 1 | 2016/08/30 11:51:37 | %% Initialized: [Session-20, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
INFO | jvm 1 | 2016/08/30 11:51:37 | ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
INFO | jvm 1 | 2016/08/30 11:51:37 | *** Certificate chain
INFO | jvm 1 | 2016/08/30 11:51:37 | chain [0] = [
INFO | jvm 1 | 2016/08/30 11:51:37 | [
INFO | jvm 1 | 2016/08/30 11:51:37 | Version: V3
INFO | jvm 1 | 2016/08/30 11:51:37 | Subject: CN=GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | Key: Sun RSA public key, 2048 bits
INFO | jvm 1 | 2016/08/30 11:51:37 | modulus: 27320755516852566716893612596623657563967565702321529820218363149839879661520852516869231284999354421462458564354791103685857486090985343824135483829724998254141989863281421470175266219401999935253108368310305155654148701640223502187337046741588304977114810977721278079676710565864585830627512035161378022744145063487260045905332418803562718430526654266541375214179366980194542253597778228028763245917356508069037674502630410116527226623282369120455164132232033472063282371821250814151813045537188716323741432627086200497881863375444761181437328094272431186878161630021283904733373445318546834571927996371731540115117
INFO | jvm 1 | 2016/08/30 11:51:37 | public exponent: 65537
INFO | jvm 1 | 2016/08/30 11:51:37 | Validity: [From: Mon Oct 28 20:21:39 GMT 2013,
INFO | jvm 1 | 2016/08/30 11:51:37 | To: Sun Oct 28 20:21:39 GMT 2018]
INFO | jvm 1 | 2016/08/30 11:51:37 | Issuer: CN=GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | SerialNumber: [ 7d76451c 0a7cc28d 4510aefa 7f0a9776]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | Certificate Extensions: 4
INFO | jvm 1 | 2016/08/30 11:51:37 | [1]: ObjectId: 2.5.29.19 Criticality=true
INFO | jvm 1 | 2016/08/30 11:51:37 | BasicConstraints:[
INFO | jvm 1 | 2016/08/30 11:51:37 | CA:false
INFO | jvm 1 | 2016/08/30 11:51:37 | PathLen: undefined
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [2]: ObjectId: 2.5.29.37 Criticality=false
INFO | jvm 1 | 2016/08/30 11:51:37 | ExtendedKeyUsages [
INFO | jvm 1 | 2016/08/30 11:51:37 | serverAuth
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [3]: ObjectId: 2.5.29.15 Criticality=true
INFO | jvm 1 | 2016/08/30 11:51:37 | KeyUsage [
INFO | jvm 1 | 2016/08/30 11:51:37 | DigitalSignature
INFO | jvm 1 | 2016/08/30 11:51:37 | Key_Encipherment
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [4]: ObjectId: 2.5.29.17 Criticality=false
INFO | jvm 1 | 2016/08/30 11:51:37 | SubjectAlternativeName [
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: GBNPPWXCH01.EXAMPLE.ORG
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 | Algorithm: [SHA1withRSA]
INFO | jvm 1 | 2016/08/30 11:51:37 | Signature:
INFO | jvm 1 | 2016/08/30 11:51:37 | 0000: 89 1C D2 82 70 D0 1E 8E 94 CE 3B 4E E7 CC 0D 9A ....p.....;N....
INFO | jvm 1 | 2016/08/30 11:51:37 | 0010: A1 99 66 6D F0 8D 74 AF F0 87 D2 49 6C B2 A8 F7 ..fm..t....Il...
INFO | jvm 1 | 2016/08/30 11:51:37 | 0020: 49 EA F7 09 0A 7F 40 06 3B D2 EE 03 58 DE 7A 88 I.....@.;...X.z.
INFO | jvm 1 | 2016/08/30 11:51:37 | 0030: E5 DD 3C 79 A4 AF 7A 7C 51 44 91 A1 5C 09 1E 3C ..<y..z.QD..\..<
INFO | jvm 1 | 2016/08/30 11:51:37 | 0040: 74 D9 6C BD FB 3E B0 63 D2 33 20 03 5C 0F 64 94 t.l..>.c.3 .\.d.
INFO | jvm 1 | 2016/08/30 11:51:37 | 0050: 3E ED CE F9 43 0A 73 8E EF F1 EE 09 D4 19 85 0B >...C.s.........
INFO | jvm 1 | 2016/08/30 11:51:37 | 0060: 05 3E D6 84 22 51 D9 B1 7E C9 4A 26 8B E7 05 F0 .>.."Q....J&....
INFO | jvm 1 | 2016/08/30 11:51:37 | 0070: F9 AE D9 A1 90 EE C2 C1 1A CB E6 12 98 40 B3 0F .............@..
INFO | jvm 1 | 2016/08/30 11:51:37 | 0080: 31 DD 34 CF EC 69 C1 47 53 A8 3A 4F E0 D4 E7 D8 1.4..i.GS.:O....
INFO | jvm 1 | 2016/08/30 11:51:37 | 0090: 1B 77 5F 53 F4 48 FF 80 40 4F CB 23 0B 3E A9 F4 .w_S.H..@O.#.>..
INFO | jvm 1 | 2016/08/30 11:51:37 | 00A0: 2A 12 DA 5F B9 D7 A3 5A 4A 57 55 D9 BC FF 0E 2F *.._...ZJWU..../
INFO | jvm 1 | 2016/08/30 11:51:37 | 00B0: 0E 9D 93 17 3D D6 F8 FC 5D 35 FF 11 A4 13 69 80 ....=...]5....i.
INFO | jvm 1 | 2016/08/30 11:51:37 | 00C0: BB 24 27 50 AD 2D 72 49 EB B1 BC CE F2 A0 7E 34 .$'P.-rI.......4
INFO | jvm 1 | 2016/08/30 11:51:37 | 00D0: FA 2B 09 40 A3 14 D9 30 DF 8D CC 07 03 C6 7A 42 .+.@...0......zB
INFO | jvm 1 | 2016/08/30 11:51:37 | 00E0: 17 50 A2 46 B7 5D BB 49 A6 6A 69 60 22 99 0A 53 .P.F.].I.ji`"..S
INFO | jvm 1 | 2016/08/30 11:51:37 | 00F0: 18 D1 2E 83 5E E1 B1 9A 5F 6F A8 7B 26 6A 38 F7 ....^..._o..&j8.
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 | ***
INFO | jvm 1 | 2016/08/30 11:51:37 | Found trusted certificate:
INFO | jvm 1 | 2016/08/30 11:51:37 | [
INFO | jvm 1 | 2016/08/30 11:51:37 | [
INFO | jvm 1 | 2016/08/30 11:51:37 | Version: V3
INFO | jvm 1 | 2016/08/30 11:51:37 | Subject: CN=GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | Key: Sun RSA public key, 2048 bits
INFO | jvm 1 | 2016/08/30 11:51:37 | modulus: 27320755516852566716893612596623657563967565702321529820218363149839879661520852516869231284999354421462458564354791103685857486090985343824135483829724998254141989863281421470175266219401999935253108368310305155654148701640223502187337046741588304977114810977721278079676710565864585830627512035161378022744145063487260045905332418803562718430526654266541375214179366980194542253597778228028763245917356508069037674502630410116527226623282369120455164132232033472063282371821250814151813045537188716323741432627086200497881863375444761181437328094272431186878161630021283904733373445318546834571927996371731540115117
INFO | jvm 1 | 2016/08/30 11:51:37 | public exponent: 65537
INFO | jvm 1 | 2016/08/30 11:51:37 | Validity: [From: Mon Oct 28 20:21:39 GMT 2013,
INFO | jvm 1 | 2016/08/30 11:51:37 | To: Sun Oct 28 20:21:39 GMT 2018]
INFO | jvm 1 | 2016/08/30 11:51:37 | Issuer: CN=GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | SerialNumber: [ 7d76451c 0a7cc28d 4510aefa 7f0a9776]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | Certificate Extensions: 4
INFO | jvm 1 | 2016/08/30 11:51:37 | [1]: ObjectId: 2.5.29.19 Criticality=true
INFO | jvm 1 | 2016/08/30 11:51:37 | BasicConstraints:[
INFO | jvm 1 | 2016/08/30 11:51:37 | CA:false
INFO | jvm 1 | 2016/08/30 11:51:37 | PathLen: undefined
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [2]: ObjectId: 2.5.29.37 Criticality=false
INFO | jvm 1 | 2016/08/30 11:51:37 | ExtendedKeyUsages [
INFO | jvm 1 | 2016/08/30 11:51:37 | serverAuth
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [3]: ObjectId: 2.5.29.15 Criticality=true
INFO | jvm 1 | 2016/08/30 11:51:37 | KeyUsage [
INFO | jvm 1 | 2016/08/30 11:51:37 | DigitalSignature
INFO | jvm 1 | 2016/08/30 11:51:37 | Key_Encipherment
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | [4]: ObjectId: 2.5.29.17 Criticality=false
INFO | jvm 1 | 2016/08/30 11:51:37 | SubjectAlternativeName [
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: GBNPPWXCH01
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: GBNPPWXCH01.EXAMPLE.ORG
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 |
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 | Algorithm: [SHA1withRSA]
<SNIP>
```

To get this I added the following to /opt/tomcat/conf/gluuTomcatWrapper.conf

```
wrapper.java.additional.8=-Djavax.net.debug=ssl:trustmanager
```

There are a ton of other options you can add to really give your log files a workout. Be aware that if tailing the log file, the volume of writes causes the log to rotate quite frequently so it may appear as though the tail or the process has hung.

Hopefully this will prove useful to someone in the future.

Simon
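
Added example, not part of the original thread or of Gluu's code: a small Python triage script for the wrapper log produced with `-Djavax.net.debug=ssl:trustmanager`, reporting whether the JVM found the server certificate in its trust store and whether the configured host name appears among the certificate's SAN DNS names. The log lines are constructed samples in the thread's format; the host `mail01.example.org`, the function names and the verdict labels are assumptions made for the illustration.

```python
import re

# Java Service Wrapper prefix as seen in the thread's logs:
# "INFO | jvm 1 | 2016/08/30 11:51:37 | <message>"
PREFIX = re.compile(r"^\s*\w+\s*\|\s*jvm \d+\s*\|\s*[\d/]+ [\d:]+\s*\|\s?")
SECRET = re.compile(r"(Password:\s*)\S+")

# Constructed sample: handshake where the trust manager accepted the cert.
SAMPLE_TRUSTED = """\
INFO | jvm 1 | 2016/08/30 11:51:37 | 2016-08-30 11:51:37,391 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] HostName: MAIL01.EXAMPLE.ORG Port: 25 RequireSSL: true
INFO | jvm 1 | 2016/08/30 11:51:37 | *** Certificate chain
INFO | jvm 1 | 2016/08/30 11:51:37 | Subject: CN=MAIL01
INFO | jvm 1 | 2016/08/30 11:51:37 | SubjectAlternativeName [
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: MAIL01
INFO | jvm 1 | 2016/08/30 11:51:37 | DNSName: MAIL01.EXAMPLE.ORG
INFO | jvm 1 | 2016/08/30 11:51:37 | ]
INFO | jvm 1 | 2016/08/30 11:51:37 | Found trusted certificate:
"""

# Constructed sample: the PKIX failure seen earlier in the thread.
SAMPLE_UNTRUSTED = """\
INFO | jvm 1 | 2016/08/19 15:41:10 | 2016-08-19 15:41:10,861 INFO [org.gluu.oxtrust.action.UpdateOrganizationAction] HostName: mail01.example.org Port: 25 RequireSSL: true
INFO | jvm 1 | 2016/08/19 15:41:11 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""


def redact(text):
    """Mask clear-text 'Password: ...' values before a log is shared."""
    return SECRET.sub(r"\1[REDACTED]", text)


def triage(log_text, host=None):
    """Summarise one SMTP TLS verification attempt from wrapper log text."""
    info = {"host": host, "subject": None, "san": [],
            "trusted": False, "pkix_failure": False}
    in_san = False
    for raw in log_text.splitlines():
        msg = PREFIX.sub("", raw).strip()
        m = re.search(r"\bHostName:\s*(\S+)", msg)
        if m and info["host"] is None:
            info["host"] = m.group(1)
        if msg.startswith("Subject:") and info["subject"] is None:
            info["subject"] = msg.split(":", 1)[1].strip()
        if msg.startswith("SubjectAlternativeName"):
            in_san = True
        elif in_san and msg.startswith("DNSName:"):
            name = msg.split(":", 1)[1].strip().lower()
            if name not in info["san"]:  # the debug output prints the cert twice
                info["san"].append(name)
        elif in_san and msg == "]":
            in_san = False
        if msg.startswith("Found trusted certificate"):
            info["trusted"] = True
        if "PKIX path building failed" in msg:
            info["pkix_failure"] = True
    name_ok = bool(info["host"]) and info["host"].lower() in info["san"]
    if info["pkix_failure"]:
        info["verdict"] = "untrusted"        # cert absent from the store the JVM loaded
    elif info["trusted"]:
        info["verdict"] = "trusted-name-ok" if name_ok else "trusted-name-mismatch"
    else:
        info["verdict"] = "inconclusive"     # no trust-manager output in this excerpt
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_TRUSTED, SAMPLE_UNTRUSTED):
        print(triage(sample))
```

The oxTrust log lines quoted in this thread include the SMTP password in clear text, so run `redact()` over any excerpt before posting it.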