Since my site's SSL cert had expired, I renewed it and added the new cert to the keystore, but after that I am getting a 502 when calling the site URL. Below you can see the nginx config and Tomcat configs for SSL.

The error I am getting in the nginx error log is:

    SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://53.10.10.10:8443/favicon.ico", host: "app.somewhere.com", referrer: "https://app.somewhere.com/board/index.jsp"
server nginx version: nginx/1.12.1
nginx config:

    server {
        listen 443;
        server_name app.somewhere.com;
        root /usr/share/tomcat8/webapps;

        ssl on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
        ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
        ssl_dhparam /etc/nginx/certs/dhparam.pem;

        proxy_ssl_server_name on;

        location / {
            proxy_read_timeout 120s;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://app.somewhere.com:8443;
        }
    }
Tomcat server.xml:

    <Connector port="8443"
               maxThreads="100"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystorePass="mypass"
               clientAuth="false"
               sslProtocol="TLS"
               proxyPort="443"/>
Keystore listing:

    keytool7 -list -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    myapp, Feb 1, 2018, trustedCertEntry,
    Certificate fingerprint (SHA1): B1....

To import the certificate into the keystore I ran the command below:

    keytool7 -import -trustcacerts -alias myapp -file "mycert.crt" -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"

I am sure that other than that I did nothing. @steffen-ullrich
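An added check, written for this page and not code from the question or from anyone in the thread: the keystore listing above shows a single trustedCertEntry and no PrivateKeyEntry. Tomcat's JSSE connector needs a PrivateKeyEntry (the server's key pair with its certificate chain) to present a certificate; a keystore holding only trusted certificates leaves the connector nothing to serve, and a TLS client such as the nginx proxy then sees a handshake failure alert instead of a ServerHello. The POSIX shell script below parses the text that `keytool -list` prints and flags that condition. The two listings embedded in it are constructed samples modelled on the output in the question; the alias names and fingerprints are placeholders.

```shell
#!/bin/sh
# Added example: inspect a "keytool -list" listing and report whether the JKS
# holds a private-key entry that a Tomcat HTTPS connector could serve from.
# Not part of the original post; sample listings below are constructed.

# Constructed sample modelled on the listing in the question: only a trusted
# certificate, no key pair.
SAMPLE_LISTING_NO_KEY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myapp, Feb 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B1:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'

# Constructed sample of a keystore that does carry the server key pair plus
# one trusted CA certificate (placeholder aliases and fingerprints).
SAMPLE_LISTING_WITH_KEY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myapp, Feb 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): B1:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
rootca, Feb 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): C2:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'

# count_entries LISTING TYPE
# Prints the number of entries of the given type (PrivateKeyEntry or
# trustedCertEntry). keytool prints each entry as "alias, date, TYPE,".
count_entries() {
    printf '%s\n' "$1" | grep -c ", $2," || true
}

# has_private_key LISTING
# Succeeds (exit 0) when at least one PrivateKeyEntry is present.
has_private_key() {
    [ "$(count_entries "$1" PrivateKeyEntry)" -gt 0 ]
}

# check_keystore_listing LISTING
# Prints a verdict and exits 0 when the keystore can back an HTTPS connector,
# 1 when it only contains trusted certificates.
check_keystore_listing() {
    if has_private_key "$1"; then
        echo "OK: $(count_entries "$1" PrivateKeyEntry) private-key entry(ies) found; Tomcat has a key pair to present."
        return 0
    fi
    echo "PROBLEM: $(count_entries "$1" trustedCertEntry) trustedCertEntry item(s) and no PrivateKeyEntry."
    echo "The connector has no private key to serve, so TLS clients will receive a handshake failure."
    return 1
}

# Demo on the constructed samples. Against a real keystore you would feed the
# listing in instead, e.g.:
#   check_keystore_listing "$(keytool -list -keystore my-keystore.jks -storepass "$PASS")"
check_keystore_listing "$SAMPLE_LISTING_WITH_KEY"
check_keystore_listing "$SAMPLE_LISTING_NO_KEY" || echo "(exit status 1, as expected for the sample without a key)"
```

The check only needs the human-readable listing, so it can be run on a copy of the output without access to the keystore password; when a renewed certificate is installed, the expectation is that the alias that held the key pair still shows as PrivateKeyEntry afterwards.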