I'm attempting to set up TLS (SSL) with my domain hosted on AWS Bitnami so that users can access it over HTTPS. It is running on Apache Tomcat standalone and is not fronted by a LB.
To generate the Certificate Signing Request (CSR) I have:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
And entered all the correct information i.e. hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following that I have copied the .csr file contents to the CA (ssl.comodo.com) and saved the resulting files: the .ca-bundle and .crt files.
Following that I have uploaded the files to the Tomcat directory and loaded them into the Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore KeyStore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore KeyStore.jks
Tomcat is configured to use this keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/KeyStore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then Apache has been restarted. The browser errors that I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on this Stack Overflow question here I think this may have something to do with RSA - when I generate a new keystore with the -keyalg RSA parameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and point the Tomcat server.xml SSL config to that, the site loads over HTTPS and I get warnings in the browser telling me that it is a self-signed certificate.
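The procedure in the question, redone as an added example (not the asker's commands): it keeps the OpenSSL-generated private key and the CA-issued certificate together in one PKCS12 keystore, and checks that the key actually belongs to the certificate and that the certificate chains to the bundle before Tomcat is pointed at it. The two keytool -import steps above only add trusted certificates, so the resulting keystore holds no private-key entry. File paths, the alias and the script name are assumptions modelled on the question.

```shell
#!/bin/sh
# Added example, not from the question: build a PKCS12 keystore containing
# key + leaf certificate + CA chain, after sanity-checking the inputs.
# Paths below are assumptions modelled on the question; override via env.
set -eu

KEY=${KEY:-/opt/bitnami/apache-tomcat/conf/server.key}
CRT=${CRT:-/opt/bitnami/apache-tomcat/conf/www_domainname_com.crt}
CHAIN=${CHAIN:-/opt/bitnami/apache-tomcat/conf/www_domainname_com.ca-bundle}
P12=${P12:-/home/bitnami/KeyStore.p12}

# Return 0 when private key $1 is the key pair of certificate $2
# (compares SHA-256 digests of the DER-encoded public keys).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Return 0 when leaf certificate $1 verifies against the bundle in $2.
chain_is_valid() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write key $1, leaf $2 and chain $3 into PKCS12 file $4 under alias "tomcat",
# protected with password $5.
build_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name tomcat -out "$4" -passout "pass:$5"
}

# Print how many private-key entries keystore $1 holds (should be 1).
count_key_entries() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
    | grep -c PrivateKeyEntry || true
}

main() {
  pass=$1
  key_matches_cert "$KEY" "$CRT" || { echo "key does not match cert" >&2; exit 1; }
  chain_is_valid "$CRT" "$CHAIN" || { echo "cert does not chain to bundle" >&2; exit 1; }
  build_p12 "$KEY" "$CRT" "$CHAIN" "$P12" "$pass"
  echo "private-key entries in $P12: $(count_key_entries "$P12" "$pass")"
}

# Runs only when a keystore password is passed, e.g.: sh mkstore.sh passwordhere
if [ $# -eq 1 ]; then main "$1"; fi
```

Point the Connector at the resulting file with keystoreFile="/home/bitnami/KeyStore.p12", keystoreType="PKCS12" and keyAlias="tomcat"; keytool -list on it should then show one PrivateKeyEntry rather than only trustedCertEntry lines.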