Tomcat/TomEE SSL config with Cloudflare

Question

I have been having problems with the correct way to configure tomee with cloudflare provided SSL. First time doing this, so here is the situation:

1) First i create the keystore file:

keytool -keysize 2048 -genkey -alias tomee -keyalg RSA -keystore tomee.keystore

2) Then i import the generated keystore:

keytool -importkeystore -srckeystore tomee.keystore -destkeystore tomee.keystore -deststoretype pkcs12

3) After importing, I create the CSR file for issuing a certificate request:

keytool -certreq -keyalg RSA -alias tomee -file FQDN.csr -keystore tomee.keystore

4) Then i go into cloudflare > ssl/tls > origin server > create certificate > select "I have my own private key and csr" > then i paste the FDQN.csr content in the text area > click next > finally i receive the PEM contents which i save on my server as FQDN.pem

5) Import the FQDN.pem into the keystore as a trusted certificate:

keytool -import -alias tomee -keystore tomee.keystore -trustcacerts -file FQDN.pem

6) Copy the tomee.keystore file into the tomee conf dir

7) Lastly I configure server.xml for tomee like so:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" 
            compression="on"  scheme="https" secure="true" keystoreFile="conf/tomee.keystore"
            keystorePass="myPasswordHere"
            SSLVerifyClient="none" SSLProtocol="TLSv1.2"
/>

8) Here i encounter the problem: Restart tomcat and issue a request over port 8443. It works but the certificate shows as invalid. And viewing the certificate, I get this: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

As i see, by documentation HERE - Add Cloudflare Origin CA root certificates, i may need to add additional configurations with the provided files. Do i understand correctly or am i missing something? If so - what would those configs look like? Should i be doing something like in the demonstrated format in the server.xml file, like so:( or is that a completely different thing?)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" xpoweredBy="false" server="Apache TomEE" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Interestingly there is not that much info on this online and i have been struggling to understand the problem for quite a few days now. Any light shed on this would be helpful.

Kudos to people who posted a similar topic HERE

Answer 1

Managed to solve it. To anyone interested, there were 2 problems:

1) Before performing step 5) for tomcat/tomee webservers, you need to add a trusted root certificate, with the cloudflare provided key from HERE(Configure the SSL/TLS mode in the Cloudflare SSL/TLS app).

keytool -import -alias root -keystore tomee.keystore -trustcacerts -file origin_ca_rsa_root.pem

Then add your aliased rsa to the keystore as in 5).

2) Other problem was with an overlooked CN config on cloudflare DNS settings, so check your configs.

Hope this helps someone :)