I've now managed to get an experimental copy of our development AWS EC2
instance working with a cert from Let's Encrypt, and I've got Tomcat to
launch with a modified connector that uses the LE certs rather than a
Java Keystore file.
It looks great from Firefox (except for the still-unanswered riddle of
the unwanted Tomcat update), but from Chrome, I get (domain name
"changed to protect the innocent"):
This site can’t provide a secure connection
test.foo.net uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher
suite.
The modified connector looks like this:
<Connector port="8443" proxyPort="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
maxThreads="1000" socket.appReadBufSize="1024"
socket.appWriteBufSize="1024" bufferSize="1024" SSLEnabled="true"
scheme="https" secure="true">
<SSLHostConfig
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
certificateVerificationh="none" sslProtocol="TLS"
protocols="TLSv1.2">
<Certificate
certificateFile="/etc/tomcat8/test.foo.net.crt"
certificateKeyFile="/etc/tomcat8/test.foo.net.key"
certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
</SSLHostConfig>
</Connector>
Can anybody shed any light on what I did wrong?
--
James H. H. Lampert
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
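A reviewer's first move on a question like this is to check what the posted SSLHostConfig actually says before suspecting the browser. The script below is an added example for this thread, not code from the original poster or from Tomcat. It takes the SSLHostConfig element as pasted (with the ciphers value wrapped across lines), splits the ciphers attribute as a comma list, intersects it with the suites a Chrome-like client offers for TLS 1.2, lists the suites without forward secrecy, and flags attribute names Tomcat would not recognise. The Chrome suite list and the subset of known SSLHostConfig attribute names are my assumptions, stated in the code; the script does not claim which finding, if any, explains the ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

```python
"""Added example for this thread (not code from the original post or from
Tomcat): lint the posted SSLHostConfig the way a reviewer would before
blaming the browser."""
import xml.etree.ElementTree as ET

# Constructed input: the SSLHostConfig element from the post, with the
# ciphers value wrapped across lines exactly as it was pasted.
SSL_HOST_CONFIG = '''<SSLHostConfig
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
certificateVerificationh="none" sslProtocol="TLS"
protocols="TLSv1.2"/>'''

# Assumption: the TLS 1.2 suites a recent Chrome advertises (AEAD suites,
# then the legacy CBC-SHA1 suites).  Chrome offers neither CBC suites with
# SHA-256/384 MACs nor static-ECDH suites, so those entries never match.
CHROME_TLS12_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
})

# Assumption: a subset of the attribute names SSLHostConfig documents.
# Tomcat's digester warns about an attribute it cannot map and ignores it,
# so a misspelling silently leaves that setting at its default.
KNOWN_ATTRIBUTES = frozenset({
    "ciphers", "protocols", "sslProtocol", "certificateVerification",
    "certificateVerificationDepth", "honorCipherOrder", "hostName",
    "caCertificateFile", "caCertificatePath", "truststoreFile",
})


def raw_cipher_entries(xml_text):
    """Split the ciphers attribute on commas without trimming.  XML
    attribute-value normalisation turns each literal newline into a space,
    so every entry that followed a line break keeps leading whitespace and
    would not match a suite name compared byte-for-byte."""
    element = ET.fromstring(xml_text)
    return element.get("ciphers", "").split(",")


def configured_suites(xml_text):
    """The suite names the author meant, with stray whitespace removed."""
    return {e.strip() for e in raw_cipher_entries(xml_text) if e.strip()}


def normalized_ciphers_attribute(xml_text):
    """Single-line value, original order kept, suitable for server.xml."""
    return ",".join(e.strip() for e in raw_cipher_entries(xml_text) if e.strip())


def chrome_overlap(xml_text):
    """Suites both sides could agree on if every configured name is honoured."""
    return sorted(configured_suites(xml_text) & CHROME_TLS12_SUITES)


def without_forward_secrecy(xml_text):
    """Static-ECDH and plain-RSA key exchange: a leaked server key would let
    recorded sessions be decrypted.  Worth dropping regardless of the error."""
    return sorted(s for s in configured_suites(xml_text)
                  if s.startswith("TLS_ECDH_") or s.startswith("TLS_RSA_"))


def unknown_attributes(xml_text):
    """Attribute names Tomcat would warn about and then ignore."""
    element = ET.fromstring(xml_text)
    return sorted(a for a in element.attrib if a not in KNOWN_ATTRIBUTES)


if __name__ == "__main__":
    padded = [e for e in raw_cipher_entries(SSL_HOST_CONFIG) if e != e.strip()]
    print("entries carrying whitespace:", len(padded))
    print("suites Chrome could pick   :", chrome_overlap(SSL_HOST_CONFIG))
    print("no forward secrecy         :", without_forward_secrecy(SSL_HOST_CONFIG))
    print("unrecognised attributes    :", unknown_attributes(SSL_HOST_CONFIG))
    print("clean ciphers attribute    :", normalized_ciphers_attribute(SSL_HOST_CONFIG))
```

The script only reasons about the text of the configuration; the authoritative check is against the running connector, for example `openssl s_client -connect test.foo.net:443 -tls1_2`, which shows the suite actually negotiated (or the alert the server sends instead), and Tomcat's own log at startup, which records any attribute it could not map.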