I have an application (TIBCO Spotfire, which uses Tomcat as its server) running on an AWS Windows instance (Windows Server 2012 R2). I have pointed my application URL to one of my domains hosted on Cloudflare. Now, I'm trying to achieve an SSL connection in Full (Strict) mode.
I have installed the Origin CA certificate in Tomcat, but when visiting the URL for my application, I'm getting an error message saying "Error 521. Web server down." I have whitelisted Cloudflare's IPs, and I can access this URL if I enable a self-signed certificate and change the SSL mode to Full instead of Full (Strict).
Today, I tested this on one of my test domains and got the 521 error even in SSL Full mode with the Origin CA certificate. But this works well if I use a self-signed certificate. So I think the issue could be something with the certificate installation. My domain is reports.s2sacademy.co.uk.
Basically, I have generated two files as part of the Origin CA certificate: .p7b and .key.
I went through the installation steps provided, but nowhere does it mention making use of the .key file. The steps I followed during certificate installation are as below:
Created keystore as follows:
C:\tibco\tss\10.4.0\jdk\bin\keytool -genkey -alias s2sacademy.co.uk -keyalg RSA -keysize 2048 -keystore report.s2sacademy.co.uk.jks
Tried to import the certificate as below, but it returned an error:
Could you please let me know the detailed steps? The documentation provided by Cloudflare is not very helpful here. Please let me know how to import the certificate or resolve any format errors, in a step-by-step manner. Do we need to make use of the .key file, or is the .pem/.p7b file alone enough?
Also, I'm not sure if the server is actually unreachable, because if I use a self-signed certificate and SSL is in Full mode instead of Full (Strict), I'm able to access the server.
I have already contacted the vendor, but they are asking me to contact Cloudflare, as this is a Cloudflare certificate. May I know how the certificates should usually be installed? Do we need to make use of the .key file provided by Cloudflare when generating the Origin CA certificate? Also, some documents mention intermediate certificates; where can I find those?
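As an added illustration of the two questions above (what the .key file is for, and whether an intermediate is needed), this script is not from the original thread or from Cloudflare or TIBCO; it builds a constructed stand-in for the downloaded .p7b and .key pair, shows that the .p7b carries certificates only, bundles certificate and private key into one PKCS#12 entry that Tomcat or keytool can consume, and checks that the key actually matches the certificate before the connector is pointed at it. All file names, the `changeit` password, the Tomcat 8.5+ connector syntax and the working directory are assumptions; on the real server the two downloaded files replace the constructed ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: a PKCS#7 certificate
# file (.p7b) and a private key (.key), as handed out by an Origin CA flow.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # constructed password, change on a real host

# Constructed input: a throwaway self-signed certificate and key standing in for
# the real origin certificate and its private key (never commit real keys).
make_sample_origin_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=reports.s2sacademy.co.uk" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.pem" >/dev/null 2>&1
  # Wrap the certificate in PKCS#7 so the file has the same shape as a .p7b download.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/origin.pem" -out "$WORK/origin.p7b"
}

# Step 1: a .p7b holds certificates only (leaf plus any intermediates), never the
# private key. Unpack it to PEM. If openssl rejects the input, add "-inform DER".
p7b_to_pem() {
  openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# Step 2: Java keystores need certificate and private key in a single entry.
# PKCS#12 is the interchange format both Tomcat and keytool understand.
# Any intermediate certificate from the .p7b rides along in the same file.
# On OpenSSL 3 an old JDK may need "-legacy" added to read the output.
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$2" -in "$1" -name tomcat \
    -out "$3" -passout "pass:$STOREPASS"
}

# Check: the public key inside the certificate must equal the one derived from
# the .key file. A mismatch makes the connector fail to start, so nothing listens
# on 443 and Cloudflare reports 521 "Web server down".
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 3 (optional): convert to JKS if the application insists on that type.
import_into_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; Tomcat can use the .p12 directly"; return 0; }
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$STOREPASS" -noprompt
}

# Step 4: the connector definition for Tomcat 8.5+ (assumed version), pointing at the .p12.
tomcat_connector_snippet() {
  cat <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="$1"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="$2" />
  </SSLHostConfig>
</Connector>
EOF
}

# Diagnostic for the 521 symptom, run on the instance itself (needs network, not
# called below): Cloudflare only proxies to an origin that completes a TLS
# handshake on 443, so a failed handshake here explains the error regardless of mode.
check_origin() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

build_sample_keystore() {
  make_sample_origin_files
  p7b_to_pem "$WORK/origin.p7b" "$WORK/chain.pem"
  bundle_pkcs12 "$WORK/chain.pem" "$WORK/origin.key" "$WORK/origin.p12"
}

build_sample_keystore
key_matches_cert "$WORK/origin.pem" "$WORK/origin.key" && echo "key matches certificate"
tomcat_connector_snippet "$WORK/origin.p12" "$STOREPASS"
```

The point the script makes is that the .key file is the private half of the pair and must end up in the keystore alongside the certificate; a keystore created with `keytool -genkey` contains a different, freshly generated key, so importing the Cloudflare certificate into it can only fail or produce an entry whose key does not match.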
Well, there is nothing running on that address. Neither HTTP nor HTTPS.
That is rather irrelevant in this case, I am afraid. A certificate is a certificate, and your vendor should assist you in importing it. There are three different formats which Cloudflare offers: PEM, DER and PKCS7. If one of those is supported by your software, you should choose that format. Otherwise you will have to convert it first.
Basically, my application is hosted on an AWS instance, and the instance might not have been running while you were trying. I have just started the instance. Could you please try again?
Regarding the certificates, could you please give me a basic understanding of how to install certificates? Do we always need to supply the .key file for certificate installation, or is the .pem file alone enough? Also, are any intermediate certificates required?
I checked the certificate provided by Cloudflare in the tool below, and it indicates that this requires an intermediate certificate. Please let me know where I can find this intermediate certificate, and please share the steps for installing it.
Or are you saying it is running fine when you have your self-signed certificate, but currently not running at all because you don't have a valid certificate? That would be a completely different issue then, and the 521 wouldn't be a surprise, of course.
However, the issue then is not to fix the 521, but to configure your server properly to accept the certificate. Which, again, brings us back to your vendor.
I presume the .key file will be your private key. If it is, you will need to configure this on your server, so that it can properly access it. Again, this rather is a question for your software vendor.