SSL Lab Chain Issues Incomplete

Many of my clients are not able to access my website.

My domain is: https://server3.webapp.org.in

My web server is (include version): Tomcat 9

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: Self Hosted VPS Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.18.1119.x64.trimmed


Welcome to the Let's Encrypt Community, Ajay :slightly_smiling_face:

I have constructed the certificate chain file that you need. It is R3 signed by ISRG Root X1 and ISRG Root X1 signed by DST Root CA X3.

Download it from here:

chain.pem (3.7 KB)

This discussion provides a great explanation of the modern way:

This official guide provides the directives you need:

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Certificate

Pay special attention to:
certificateFile
certificateChainFile
certificateKeyFile
type

If you use certbot:
certificateFile = cert.pem
certificateChainFile = chain.pem
certificateKeyFile = privkey.pem
type = RSA

The win-acme files should map similarly.


You need to use the correct files for your Tomcat configuration, in this case the -chain.pem file and -key.pem: https://www.win-acme.com/reference/plugins/store/pemfiles

If you just use the .crt file you won't be serving the intermediate certificates required for the chain.

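Both the certbot-to-Tomcat mapping earlier in the thread and the point above about the .crt file come down to one question: does the file you hand Tomcat as the chain actually carry the intermediates, in issuing order? The following PowerShell script is an added check, not code from the thread or from win-acme. It reads the -crt.pem and -chain.pem files using the names shown in this thread and walks the chain; the directory C:\tomcat\conf\ssl is an assumption.

```powershell
# Added example: verify the PEM files win-acme wrote before pointing Tomcat at them.
# File names follow the thread; the directory C:\tomcat\conf\ssl is an assumption.

function Read-PemCertificates {
    param([Parameter(Mandatory)][string]$Path)
    # A PEM bundle is concatenated base64 blocks; decode each into an X509Certificate2.
    $text  = Get-Content -Path $Path -Raw
    $found = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    foreach ($m in $found) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    }
}

function Test-TomcatPemFiles {
    param(
        [Parameter(Mandatory)][string]$CertFile,   # ...-crt.pem   (leaf only)
        [Parameter(Mandatory)][string]$ChainFile   # ...-chain.pem (what Tomcat must send with the leaf)
    )
    $leafs = @(Read-PemCertificates -Path $CertFile)
    if ($leafs.Count -ne 1) { throw "$CertFile should contain exactly one certificate, found $($leafs.Count)" }
    $leaf  = $leafs[0]
    $chain = @(Read-PemCertificates -Path $ChainFile)

    # win-acme's -chain.pem begins with the leaf itself; strip it so only issuers remain.
    if ($chain.Count -gt 0 -and $chain[0].Thumbprint -eq $leaf.Thumbprint) {
        $chain = if ($chain.Count -gt 1) { @($chain[1..($chain.Count - 1)]) } else { @() }
    }
    if ($chain.Count -eq 0) {
        throw "$ChainFile carries no intermediates; Tomcat would serve the leaf alone (the 'Chain issues: Incomplete' case)"
    }

    # Walk the chain: each certificate must be the issuer of the one before it.
    # Comparing the DN strings is enough here because all certificates come from the same CA software.
    $prev = $leaf
    foreach ($cert in $chain) {
        if ($cert.Subject -ne $prev.Issuer) {
            throw "chain broken: '$($cert.Subject)' does not issue '$($prev.Subject)' (expected '$($prev.Issuer)')"
        }
        $prev = $cert
    }

    [pscustomobject]@{
        Leaf          = $leaf.Subject
        ExpiresUtc    = $leaf.NotAfter.ToUniversalTime()
        DaysRemaining = [int]($leaf.NotAfter - (Get-Date)).TotalDays
        Intermediates = @($chain | ForEach-Object { $_.Subject })
        TopIssuer     = $prev.Issuer   # for the long Let's Encrypt chain this reads "CN=DST Root CA X3, ..."
    }
}

$dir = 'C:\tomcat\conf\ssl'   # assumed location; adjust to your Tomcat's conf/ssl
Test-TomcatPemFiles -CertFile  (Join-Path $dir '_.webapp.org.in-crt.pem') `
                    -ChainFile (Join-Path $dir '_.webapp.org.in-chain.pem')
```

If the script throws on the "no intermediates" branch, the file you are pointing certificateChainFile (or, with the APR connector, certificateFile) at is the bare certificate, which is exactly what SSL Labs reports as an incomplete chain. A TopIssuer of DST Root CA X3 means the long chain is in use; that cross-sign expired on 30 September 2021 and Let's Encrypt keeps serving it on purpose so that old Android devices, which trust ISRG Root X1 only through it, continue to connect.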

Good observation, @webprofusion. I missed the win-acme part. The mapping to the Tomcat settings should still hold though.


Thank you for your answer, sir, but the above chain.pem file doesn't work for me.
Below are my Tomcat conf settings.

When I am using your chain.pem file I get an error (file attached).

When I am using this chain file it works, but not for all Android mobiles/clients:
_.webapp.org.in-chain-copy.pem (3.6 KB)

Please help.
Thanks


Thank you for your suggestion, sir. Below is my Tomcat configuration:

<!-- angle brackets and the path separators were lost in the forum export;
     reconstructed here, with the conf/ssl/ directory taken from the later post -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/ssl/_.webapp.org.in-key.pem"
                     certificateFile="conf/ssl/_.webapp.org.in-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

The "no secure protocols supported" error has NOTHING to do with your chain file. It is because your Tomcat is configured to support too few cipher suites.

This will help you to properly configure your Tomcat cipher suites:
https://ssl-config.mozilla.org/#server=tomcat&version=9.0.30&config=intermediate&hsts=false&guideline=5.6

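The quickest way to tell a chain problem from a protocol or cipher problem is to ask the server for one TLS version at a time and look at what it negotiates. The script below is an added example using .NET's SslStream, not code from the thread; the host name is the one from the question and everything else is stock .NET Framework, so it runs from the Windows Server 2012 box itself (or any Windows client).

```powershell
# Added example: handshake with the server for a specific TLS version and report what it negotiated.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $script:lastPolicyErrors = $null
    # Record the validation verdict but never abort: the point is to observe what was served.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:lastPolicyErrors = $sslPolicyErrors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
            [pscustomobject]@{
                Host         = $HostName
                Requested    = $Protocol
                Negotiated   = $ssl.SslProtocol
                Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                KeyExchange  = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
                Hash         = $ssl.HashAlgorithm
                Leaf         = $ssl.RemoteCertificate.Subject
                Issuer       = $ssl.RemoteCertificate.Issuer
                PolicyErrors = $script:lastPolicyErrors
                Error        = $null
            }
        } catch {
            # A version or cipher the server refuses surfaces here as an AuthenticationException/IOException,
            # which is the server-side counterpart of the "no secure protocols supported" failure.
            [pscustomobject]@{
                Host = $HostName; Requested = $Protocol; Negotiated = $null; Cipher = $null
                KeyExchange = $null; Hash = $null; Leaf = $null; Issuer = $null; PolicyErrors = $null
                Error = $_.Exception.Message
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# Try each version separately. 'Tls13' is only a valid value on .NET Framework builds that know TLS 1.3,
# so the parameter binding itself can fail on an old box; that is reported as a warning, not a server fault.
foreach ($p in 'Tls12', 'Tls13') {
    try   { Test-TlsEndpoint -HostName 'server3.webapp.org.in' -Protocol $p }
    catch { Write-Warning "$p not testable from this client: $($_.Exception.Message)" }
}
```

Read the output with one caveat in mind: PolicyErrors of None on a Windows client does not prove the server sent the intermediate, because Windows fetches missing intermediates itself through the AIA URL in the leaf. A chain verdict therefore needs either the file check above or SSL Labs; what this script does reliably is show which versions the server accepts and which cipher and key exchange it picks for each, which is the part the Mozilla generator settings change.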

Thanks a lot, sir. Your chain.pem file and the configuration below work for me. You are a genius.
One more help required: every three months I have to renew my certificates manually. Can I make it auto-renew somehow?

<!-- angle brackets and underscores were mangled in the forum export; reconstructed here -->
<SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
               disableSessionTickets="true"
               honorCipherOrder="false"
               protocols="TLSv1.2, TLSv1.3">
    <Certificate certificateFile="conf/ssl/_.webapp.org.in-crt.pem"
                 certificateChainFile="conf/ssl/_.webapp.org.in-chain.pem"
                 certificateKeyFile="conf/ssl/_.webapp.org.in-key.pem"
                 type="RSA" />
</SSLHostConfig>


You are quite welcome. :slightly_smiling_face:

That is a very wise question. :bulb: :sparkling_heart:

I'm not exactly sure how you've got your win-acme configured to acquire your certificate, but since you're using a wildcard certificate, you are clearly fulfilling a dns-01 challenge.

This page offers instructions for dns challenge automation for various DNS providers:

If none of those work for your purposes, you might consider using acme-dns:


Regarding acme-dns as a way to automate DNS challenges, also check out Certify DNS which is a managed cloud implementation of acme-dns and can be used with various acme-dns compatible clients (not just Certify The Web) certifydns | Certify The Web Docs

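The replies above cover the DNS side of the renewal; the other half of "auto renewal" for this setup is that win-acme renews on its own scheduled task, but Tomcat reads the certificate files when the connector starts, so the freshly written PEM files are not served until the service restarts (or a reloadSslHostConfigs JMX call is made). The script below is an added example, not from the thread or from win-acme: it is meant to be run after each renewal through win-acme's script installation plugin (`--installation script --script <path>`, per win-acme's documentation). The directory C:\tomcat\conf\ssl and the service name Tomcat9 are assumptions; the file names follow the thread.

```powershell
# Added example: post-renewal hook so Tomcat actually serves the certificate win-acme just wrote.
# Assumptions: win-acme's PemFiles store writes into $CertDir using the names seen in the thread,
# and Tomcat runs as the Windows service "Tomcat9" (the installer's default name).
param(
    [string]$CertDir     = 'C:\tomcat\conf\ssl',
    [string]$BaseName    = '_.webapp.org.in',   # win-acme writes the wildcard's "*" as "_"
    [string]$ServiceName = 'Tomcat9'
)
$ErrorActionPreference = 'Stop'

$leafPath  = Join-Path $CertDir "$BaseName-crt.pem"
$chainPath = Join-Path $CertDir "$BaseName-chain.pem"
$keyPath   = Join-Path $CertDir "$BaseName-key.pem"
foreach ($p in $leafPath, $chainPath, $keyPath) {
    if (-not (Test-Path -Path $p -PathType Leaf)) { throw "renewal output missing: $p" }
}

# Refuse to bounce Tomcat unless the file on disk is a freshly issued certificate.
# Let's Encrypt certificates are valid for 90 days and win-acme renews well before day 60,
# so a leaf with under 60 days left is the old one: the renewal did not replace it.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($leafPath)
if ($leaf.NotAfter -lt (Get-Date).AddDays(60)) {
    throw "certificate in $leafPath expires $($leaf.NotAfter); not a fresh renewal, leaving Tomcat alone"
}

# The private key should be readable only by the Tomcat service account and administrators.
$acl  = Get-Acl -Path $keyPath
$open = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'Everyone|\\Users$' }
if ($open) { Write-Warning "$keyPath is readable by $($open.IdentityReference -join ', ')" }

Restart-Service -Name $ServiceName
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "$ServiceName did not come back after restart (status $($svc.Status))" }
Write-Output "$ServiceName restarted; serving $($leaf.Subject) until $($leaf.NotAfter.ToUniversalTime()) UTC"
```

Because the script throws before touching the service whenever a file is missing or stale, a failed renewal leaves the still-valid old certificate in place rather than restarting Tomcat onto a broken configuration; win-acme records the non-zero exit and the next scheduled run retries.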

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.