Install SSL on EC2 Tomcat server

I'm trying to get a CA cert/SSL working on an AWS EC2 instance with Ubuntu and Tomcat 7.0.52. Browsers fail to connect. Here are the steps I went through:

keytool -genkey -alias mydomain -keyalg RSA -keystore mydomain.keystore -keysize 2048
<fill out information>

keytool -certreq -keyalg RSA -alias mydomain -file certreq.csr -keystore ../mydomain.keystore

submit csr to ssls.com/Geotrust, and receive back: bundle.crt www.mydomain.net.crt

import certs into keystore:

keytool -import -trustcacerts -alias root -keystore ../mydomain.keystore -file bundle.crt
keytool -import -alias mydomain -keystore ../mydomain.keystore -file www.mydomain.net.crt

next, update $TOMCAT_HOME/config/server.xml:

<Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="443" />
<Connector port="8443" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="/home/ubuntu/mydomain.keystore" 
       keystorePass="xxxxxxx"
       clientAuth="false" sslProtocol="TLS" />

and restart tomcat.

The EC2 instance's security groups are set up to allow ports 80 and 443.

iptables changes were made to redirect 80->8080 and 443->8443:

sudo iptables -t nat -n -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

DNS for www.mydomain.net is not yet in place, so I'm currently testing with a modified /etc/hosts:

54.200.126.130  www.mydomain.net
54.200.126.130  mydomain.net

sslscan does not return any valid ciphers. They are all listed as "Rejected".

openssl test:

openssl s_client -connect www.mydomain.net:443
CONNECTED(00000003)
64007:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:602:

Switching to a self-signed cert generated with keytool works fine (other than the obligatory browser warning). So it seems the issue must be with the certs and/or keystore, but I'm not sure what the issue is.

ax123man asked Apr 02 '14 01:04



2 Answers

Tomcat assumes a keystore alias of "tomcat" unless you specify the keyAlias attribute on the Connector. Just add keyAlias=mydomain, or rename your alias to "tomcat" with the keytool.

user207421 answered Oct 22 '22 06:10


Tomcat docs say of keyAlias: "If not specified the first key read in the keystore will be used.", but it's a good catch. However, it didn't solve all my issues. I contacted GeoTrust and they recommended downloading a PKCS #7 cert, which worked. Odd, given that Tomcat docs say "Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores". In the end it was two support chats with the CA, a Stack Overflow post with bounty, hours of openssl and keytool testing. Lesson learned: it appears the CAs, given they get the support calls, have the best documentation for this (not Tomcat).

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15323

ax123man answered Oct 22 '22 07:10
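Both answers come down to two questions about the keystore: which entry Tomcat will pick (the first key entry, unless keyAlias names one), and whether that entry carries the full chain rather than just the leaf. The script below is an added example, not code from either answer: it parses `keytool -list -v` output and answers both. The listing embedded in it is constructed (the aliases "root" and "mydomain" are the ones from the question); the function names are this example's own, and on a real host the listing would come from `keytool -list -v -keystore mydomain.keystore`.

```shell
#!/bin/sh
# Added example: inspect a `keytool -list -v` listing the way Tomcat will read it.
# Tomcat serves from a PrivateKeyEntry; a trustedCertEntry (like "root") is never used
# as the server cert, and a key entry with a chain length of 1 sends no intermediate.

# Constructed sample listing, as after the two imports in the question.
SAMPLE_LISTING='Keystore type: JKS

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA (constructed)

Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=www.mydomain.net
Owner: CN=Example Intermediate CA (constructed)'

# keystore_entry_type LISTING ALIAS -> entry type of ALIAS, empty if absent
keystore_entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        /^Alias name: / { current = substr($0, 13) }
        /^Entry type: / && current == alias { print substr($0, 13); exit }'
}

# keystore_chain_length LISTING ALIAS -> chain length, 0 for trusted-cert entries
keystore_chain_length() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        /^Alias name: / { current = substr($0, 13) }
        /^Certificate chain length: / && current == alias { n = substr($0, 27); exit }
        END { print n + 0 }'
}

# first_key_alias LISTING -> the key entry Tomcat falls back to when keyAlias is unset
first_key_alias() {
    printf '%s\n' "$1" | awk '
        /^Alias name: / { current = substr($0, 13) }
        /^Entry type: PrivateKeyEntry/ { print current; exit }'
}

# tomcat_alias_ok LISTING ALIAS -> 0 if ALIAS is a key entry whose chain holds the
# leaf plus at least one intermediate, 1 otherwise
tomcat_alias_ok() {
    [ "$(keystore_entry_type "$1" "$2")" = "PrivateKeyEntry" ] || return 1
    [ "$(keystore_chain_length "$1" "$2")" -ge 2 ] || return 1
}
```

On the server, `tomcat_alias_ok "$(keytool -list -v -keystore mydomain.keystore)" mydomain` checks the real keystore, and `first_key_alias` shows which entry a Connector without keyAlias would end up serving.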