0
votes

The title of the question is a mouthful, but I am trying to configure a Go Daddy SSL cert which I purchased for my domain on AWS. I purchased the domain myapp.com (not the real name) from AWS, and then I configured myapp.myapp.com as a record set in Route 53 to point to an EC2 instance, which in turn is running the actual Tomcat server which I expect users would be hitting. In other words, this is the site used to hit the app/website, and I have confirmed that it works and is reachable.

I purchased an SSL cert from Go Daddy for myapp.myapp.com. I followed the instructions to import the root, intermediate, and issued certificates (3 in total) into my Java keystore. Then, I configured my Tomcat server.xml to use this keystore. I am not certain that I did this correctly, or in the correct order, if that matters. In any case, when I try to hit the address

https://myapp.myapp.com:8443/

I get the following error on Chrome:

Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID

Can anyone shed some light on what I might be doing wrong here? Go Daddy's customer support, while free, does not offer this level of tech support. I could go with AWS, but they tend to charge enterprise rates.

An ideal answer would include, at least as an outline, the following steps:

  1. How to import the Go Daddy certs into my Java keystore
  2. How to configure Tomcat server.xml properly to use the keystore
  3. Sanity checks along the way, which someone else with a similar problem would be able to use

Here are the three certs which Go Daddy returned to me:

c4c170b79c58acc3.crt  (root?)
gd_bundle-g2-g1.crt   (intermediate?)
gdig2.crt.pem         (primary/issued?)

I am not sure which of these certs are root, intermediate, and issued, but this SO question would label them as I have above.

1
Your next step should be to open the SSL certificate details in the browser and see exactly why it thinks the SSL certificate is invalid. – Mark B

Do you have Apache in front of Tomcat? While a little bit more complicated it means that Tomcat doesn't run as root and you don't have to go through the Java keystore dance. – stdunbar

Are there startup errors in tomcat logs? If you can see the cert details in Chrome, as @MarkB suggested, your server is configured correctly and the problem might be with Chrome. For instance, it may decide your CA is not trustable. – jingx

Did you try it in another browser? I just had a cert warning in Chrome for no apparent reason, and it worked in Firefox. – jingx

@Tim, is this a spring boot app? – Yogesh_D

1 Answer

0
votes

To do this for a spring boot app do the following:

sudo openssl pkcs12 -export -out cs.pkcs12 -inkey /path/to/domain.key -in /path/to/domain.cer -certfile /path/to/domain.ca-bundle -name server -passout pass:somestorepass

sudo keytool -v -importkeystore -srckeystore cs.pkcs12 -srcstoretype PKCS12  -destkeystore keystore.jks -deststoretype JKS  -srcstorepass somestorepass -deststorepass somestorepass

in application.properties

server.ssl.enabled=true
# path to the JKS created above and the store password given to keytool
server.ssl.key-store=keystore.jks
server.ssl.key-store-password=somestorepass
server.ssl.key-alias=server
server.ssl.key-password=somestorepass
server.ssl.key-store-type=JKS

If you have tomcat, the first two commands stay the same, you just need to configure tomcat to use the correct alias and the correct key store password.

Have a look at the Connector configuration for tomcat to configure the alias, keystore password, keystore etc.

Edit: Would recommend that you delete the intermediate files (not the JKS) once done.
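The sanity checks the question asks for, applied to the chain -> PKCS12 -> JKS procedure in the answer above, as an added example that is not code from the question or the answer. Because it has to run offline, the script builds its own throwaway root, intermediate and server certificate with openssl (stand-ins for the three Go Daddy files), uses the placeholder hostname myapp.myapp.com and the placeholder password somestorepass from the answer, and assumes openssl 1.1.1 or newer; the keytool step only runs if a JDK is installed.

```shell
#!/bin/sh
# Added example (not from the question or the answer): sanity checks for the
# "key + issued cert + CA bundle -> PKCS12 -> JKS" procedure. A throwaway
# chain replaces the real Go Daddy files so the script runs offline.
set -eu

STOREPASS=somestorepass   # placeholder password, same as in the answer
HOST=myapp.myapp.com      # placeholder hostname from the question

# Build root -> intermediate -> server cert, the three pieces a CA hands out.
make_test_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Throwaway Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Throwaway Test Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null
    openssl x509 -req -in "$dir/domain.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/domain.cer" 2>/dev/null
    # Equivalent of the CA bundle file: intermediate first, root last.
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/domain.ca-bundle"
}

# Check 1: the private key really belongs to the issued certificate.
check_key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/domain.cer" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/domain.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: root + intermediate + issued cert form a valid chain for the hostname.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
        -verify_hostname "$HOST" "$dir/domain.cer" >/dev/null
}

# Check 3: the issued cert alone, without the intermediate, must NOT verify.
# A server that sends only the leaf is what browsers report as an untrusted authority.
verify_without_intermediate() {
    dir=$1
    openssl verify -CAfile "$dir/root.crt" "$dir/domain.cer" >/dev/null 2>&1
}

# Step 1 of the answer, with -passout in the form openssl expects (pass:...).
build_pkcs12() {
    dir=$1
    openssl pkcs12 -export -out "$dir/cs.pkcs12" -inkey "$dir/domain.key" -in "$dir/domain.cer" \
        -certfile "$dir/domain.ca-bundle" -name server -passout "pass:$STOREPASS"
}

# Check 4: the PKCS12 carries the whole chain (issued + intermediate + root = 3).
count_pkcs12_certs() {
    dir=$1
    openssl pkcs12 -in "$dir/cs.pkcs12" -passin "pass:$STOREPASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Step 2 of the answer, then check that the alias 'server' exists in the JKS.
import_to_jks() {
    dir=$1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found (needs a JDK); skipping JKS import"
        return 0
    fi
    keytool -importkeystore -noprompt -srckeystore "$dir/cs.pkcs12" -srcstoretype PKCS12 \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS \
        -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS" >/dev/null 2>&1
    keytool -list -keystore "$dir/keystore.jks" -storepass "$STOREPASS" -alias server >/dev/null 2>&1 \
        && echo "OK: keystore.jks contains alias 'server'"
}

main() {
    work=$(mktemp -d)
    make_test_chain "$work"
    if check_key_matches_cert "$work"; then echo "OK: domain.key matches domain.cer"; else echo "FAIL: key/cert mismatch"; fi
    if verify_chain "$work"; then echo "OK: chain verifies for $HOST"; else echo "FAIL: chain does not verify"; fi
    if verify_without_intermediate "$work"; then echo "unexpected: leaf verified alone"; else echo "EXPECTED: leaf alone fails (missing intermediate)"; fi
    build_pkcs12 "$work"
    echo "certificates in cs.pkcs12: $(count_pkcs12_certs "$work") (expect 3)"
    import_to_jks "$work"
    rm -rf "$work"
}

main
```

Run it as `sh sanity.sh`; on a real deployment, point the four check functions at the downloaded key, issued cert, bundle and root instead of the generated files. Check 3 is the one that explains the browser error in the question: if Tomcat serves only the issued certificate, the browser cannot build a path to a trusted root even though every file is valid on its own.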