I have a Java web application running on a Debian virtual machine on GCE. I'm not sure whether this is relevant (I don't think it is, just in case) - I'm using Vaadin 8 in this system, and thus any HTTP calls to it are handled by a Vaadin servlet.

For SSL certification, I ran the openssl commands in "self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed'" to get CA authorization and generate the SSL certification myself. So by this, I'm certifying my SSL by first being a certified authority.

After the commands in "self-signed SSL certificate on GCE -- 'SSL certificate could not be parsed'", I followed the instructions at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html and did the following:

Ran the following two commands without error:

keytool -genkey -alias myalias -keyalg RSA
openssl pkcs12 -export -in mySite.com.pem -inkey mySite.com.key -out mycert.p12 -name myalias -CAfile msite.CA.pem -caname root -chain

The second command generated mycert.p12 in the directory.

I then configured server.xml. Following are all the configuration tags there are now in server.xml.

<Service name="Catalina">
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/root/.keystore" keystorePass="myPasswd"
       clientAuth="false" sslProtocol="TLS"/>
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> 
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
…
</Service>

Replaced this with the server.xml in the conf directory of Tomcat. Restarted Tomcat. Called my application in Firefox - still seeing the SSL warning:

As far as I can see, this didn't work because

  1. I'm missing something in the configuration of the certificate on Tomcat -- not sure I did things right in server.xml. I didn't do anything elsewhere on Tomcat.
  2. I did all the configuration right, but Firefox isn't accepting SSL signed by a not-known authority.

I'm not sure (2) can be. The blogs I read say that generating the .pem file connects it to publicized CAs and should be OK(?)

Any help would be appreciated. This has been eating my time for days - I don't know much about SSL or any security matters -- don't even know where to go from here!

Note: I have seen "Installing SSL certificate on JBoss" among some other useful discussions.

//----------------

EDIT:

Please also note: I see no errors in catalina.out.

//----------------

EDIT-2:

I'm getting the security warning above (the screenshot image) when I call by http://.. in Firefox. The call https://.. is giving the following error:

xavierz
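
Added example, not part of the original post: the posted HTTPS connector next to a variant that loads the PKCS12 file produced by the `openssl pkcs12 -export` command. The path `/path/to/mycert.p12` and the password value are placeholders; `keystoreType` and `keyAlias` are standard Tomcat 8.5 connector attributes, and the two connectors are alternatives for the same port, not meant to be configured together.

```xml
<!-- As posted: the connector loads /root/.keystore. keytool -genkey without
     a -keystore option writes a new self-signed key pair to the invoking
     user's ~/.keystore, so if it was run as root this is the certificate
     being served, and mycert.p12 is never referenced. -->
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/root/.keystore" keystorePass="myPasswd"
       clientAuth="false" sslProtocol="TLS"/>

<!-- Variant: load the exported PKCS12 file directly.
     keystoreFile : placeholder path, wherever mycert.p12 was written
     keystorePass : placeholder, the export password given to openssl
     keyAlias     : the -name value used in the openssl pkcs12 command -->
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/path/to/mycert.p12" keystoreType="PKCS12"
       keystorePass="EXPORT_PASSWORD_PLACEHOLDER" keyAlias="myalias"
       clientAuth="false" sslProtocol="TLS"/>

<!-- The posted port 443 connector has no SSLEnabled, scheme or keystore
     attributes, so it answers in plain HTTP. A browser opening https://
     on the default port starts a TLS handshake against that connector. -->
```

A certificate issued by a privately created CA is only accepted without a warning by browsers that have that CA certificate imported into their trust store.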