AWS Tomcat SSL browser errors - what have I missed?


I'm attempting to set up TLS (SSL) for a domain hosted on AWS (Bitnami) so users can access it over HTTPS. It's running on Apache Tomcat standalone, not fronted by a load balancer.

To generate the certificate signing request (CSR) I have run:

sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048 

and entered the correct information, i.e. the hostname in www.hostname.com format, then:

sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr 

Following this I copied the .csr file contents to the CA (ssl.comodo.com) and saved the resulting files: a .ca-bundle and a .crt file.

Following that I uploaded the files to the Tomcat directory and loaded them into a Java keystore:

keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore keystore.jks 

and the .crt:

keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore keystore.jks 

Tomcat is configured to use the keystore with the following config in server.xml:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/keystore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>

Then Apache has been restarted. The browser errors I receive are:

Chrome:

uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Firefox:

No common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

My thoughts

Based on the Stack Overflow question here, I think it may have to do with RSA: when I generate a new keystore with the -keyalg RSA parameter ($JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA) and point the Tomcat server.xml SSL config at it, the site loads on HTTPS, with warnings in the browser telling me it's a self-signed certificate.

If you want to generate using OpenSSL, you must convert the private key and the certificate chain, not the certificate(s) alone, into a Java-usable keystore, either PKCS12 or JKS.

If you want to generate using Java, use keytool -genkeypair -keyalg RSA (and before J7 add -keysize 2048), then use Java keytool to generate the CSR to give to the CA (Comodo), and use Java keytool to import the new cert and chain from the CA.

See the options at (my) https://stackoverflow.com/a/37423399/2868801 and the several additional dupes linked there.

