Thomas wrote…
This means, the calling program can't verify the certificate.
Check whether all the intermediates are delivered by tomcat.
Furthermore, the calling program must know the root-certificate of your
webserver certificate.
If I look at a random website using 'openssl s_client -showcerts
-connect' then I get the server certificate plus two others:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxx.mydomain.com
If I use the same command with the Tomcat servlet then it gives the
following:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
Daddy Root Certificate Authority - G2” according to the browser.
My guess is that the .pfx file that Tomcat is using doesn’t include
them.
-Andy.
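
The comparison made in the message above can be scripted. This is an added example, not part of the original message: it reads `openssl s_client -showcerts` output on stdin and reports how far the chain sent by the server reaches. The function names, verdict strings and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the "Certificate chain" section of s_client output.
check_sent_chain() {
    awk '
        BEGIN { n = 0 }
        # " 0 s:<subject>" opens the entry for each certificate the server sent
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        # "   i:<issuer>" belongs to the entry just opened
        /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "NO_CHAIN_SECTION"; exit }
            # Each certificate must be issued by the subject of the next one
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "BROKEN_LINK after_cert=" k; exit }
            if (iss[n - 1] == subj[n - 1]) print "ENDS_AT_SELF_SIGNED certs=" n
            else if (n == 1) print "LEAF_ONLY missing_issuer=" iss[0]
            else print "ENDS_AT_INTERMEDIATE certs=" n " root_needed=" iss[n - 1]
        }'
}

# Constructed sample: a server that sends only its own certificate.
# Subject is a placeholder; issuer DN is shortened to the CN named in the thread.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:CN = tomcat.example.test
   i:CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
EOF
}

# Constructed sample: a server that sends its certificate plus the intermediate.
sample_with_intermediate() {
    cat <<'EOF'
Certificate chain
 0 s:CN = xxx.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

sample_leaf_only | check_sent_chain
sample_with_intermediate | check_sent_chain
```

Against a live server, pipe the real output in with `openssl s_client -showcerts -connect host:port </dev/null 2>/dev/null | check_sent_chain`, where `host:port` is a placeholder. `LEAF_ONLY` is the result consistent with a keystore that holds only the server certificate.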