Amazon Web Services - AWS Tomcat SSL browser errors - what have I missed?
I'm attempting to set up TLS (SSL) for a domain hosted on AWS (Bitnami) so that users can access it over HTTPS. It is running on Apache Tomcat standalone, not fronted by a load balancer.
To generate the certificate signing request (CSR) I have run:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
and entered the correct information, i.e. the hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following this I copied the .csr file contents to the CA (ssl.comodo.com) and saved the resulting files: a .ca-bundle and a .crt file.
Following this I uploaded the files to the Tomcat directory and loaded them into a Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore keystore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore keystore.jks
Tomcat is configured to use the keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/keystore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then Apache has been restarted. The browser errors I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on the Stack Overflow question here I think it may have to do with RSA - when I generate a new keystore with the -keyalg RSA parameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and point the Tomcat server.xml SSL config at it, the site loads on HTTPS, with warnings in the browser telling me it is a self-signed certificate.
If you want to generate using OpenSSL, you must convert the private key and the certificate chain, not the certificate(s) alone, into a Java-usable keystore, either PKCS12 or JKS.
If you want to generate using Java, use keytool -genkeypair -keyalg RSA (and before J7 add -keysize 2048), then use Java keytool to generate a CSR to give to the CA (Comodo), and use Java keytool to import the new cert and chain from the CA.
See the options at (my) https://stackoverflow.com/a/37423399/2868801 and several additional dupes linked there.
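The OpenSSL route the answer describes, as an added worked example that is not part of the question or the answer: the asker's keytool -import steps put only certificates into the keystore, so it holds no private key entry and Tomcat has no RSA key pair to offer, which is exactly the "no cipher overlap" the browsers report. The script below builds a PKCS12 keystore from the private key, the leaf certificate and the CA bundle together, then checks that both a private key and the full chain are inside. So that it runs offline it first constructs a throwaway root CA and issues a certificate for www.hostname.com (constructed test data standing in for the Comodo-issued files); the working directory, file names, the alias "tomcat" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example: build a Java-usable PKCS12 keystore (key + cert + chain) with
# OpenSSL, as the answer recommends. Not code from the question or the answer.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed working directory

# Constructed stand-in for the real CA: a self-signed root (test data only).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" 2>/dev/null
}

# Mirrors the asker's key + CSR steps for www.hostname.com, then has the
# test CA issue the certificate (the real CA returns the .crt instead).
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=www.hostname.com" \
    -out "$WORK/cert.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/cert.csr" -CA "$WORK/ca-bundle.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
}

# The fix: private key, leaf certificate and CA chain go into ONE PKCS12
# entry under the alias Tomcat will use. keytool -import of the .crt alone
# (as in the question) leaves the keystore without a private key.
build_pkcs12() {
  openssl pkcs12 -export \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca-bundle.crt" \
    -name tomcat -passout pass:changeit -out "$WORK/keystore.p12"
}

# Check the result: the keystore must contain a private key and two
# certificates (leaf + CA). Returns 0 when both conditions hold.
verify_pkcs12() {
  dump=$(openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit \
           -nodes 2>/dev/null)
  printf '%s\n' "$dump" | grep -q 'PRIVATE KEY' || return 1
  certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$certs" -eq 2 ]
}

# The Connector the PKCS12 file needs: same attributes as the question's,
# pointed at the .p12 and told its type (keystoreType is a real attribute).
tomcat_connector() {
  cat <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" keystoreFile="$WORK/keystore.p12"
           keystoreType="PKCS12" keystorePass="changeit" sslProtocol="TLS"/>
EOF
}

main() {
  make_test_ca
  make_server_cert
  build_pkcs12
  verify_pkcs12 && echo "keystore OK: private key + chain present in $WORK/keystore.p12"
  tomcat_connector
}

# Run the demo when openssl is available; the functions can also be sourced.
command -v openssl >/dev/null 2>&1 && main
```

With the real Comodo files, drop the two constructed helpers and call build_pkcs12 with server.key, the issued .crt and the .ca-bundle. One caveat: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which older JDKs (Java 8 before 8u301) cannot read; on those, add -legacy to the export command or convert to JKS with keytool -importkeystore.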