letsencrypt tomcat windows


I am trying to set up my web site to use letsencrypt on Windows running Tomcat. I could not find a clear document on how this should be done. There are several web pages where people talked about how they did it, but I don't quite understand why they did it that way. Here is what I have. Please let me know what I did wrong or whether I missed any steps.

The environment: Windows 10, Tomcat 7, JRE 1.7, letsencrypt-simple latest beta

I first ran letsencrypt.exe, chose to generate the certificate manually, and filled in all the questions. When the exe executed, it created a bunch of files and certificates under the folder:

httpsacme-v01.api.letsencrypt.org

In this folder, there is a certificate file which I believe is what I need. The name is www.mydomain.com-chain.pem

Then run the following command:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -ext san=dns:www.mydomain.com -keyalg RSA -keystore .\my.keystore

Run this command to check the created keystore:

"%JAVA_HOME%\bin\keytool" -list -keystore .\tstm.keystore

It has 1 entry, the private key.

Then I ran the following command to import the chain.pem file into the keystore:

"%JAVA_HOME%\bin\keytool" -import -alias root -keystore .\my.keystore -trustcacerts -file "C:\Users\abc\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org"\www.mydomain.com-chain.pem

This appears to be successful and added certs into the keystore file. When checking again, it has two entries.

Then I used the keystore and password in my Tomcat's connector.

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS" SSLEnabledProtocols="TLSv1.2"
           keystoreFile="C:\ProgramData\letsencrypt-win-simple\my.keystore" keystorePass="changeit"/>

However, when connecting from a client, the browsers don't think the certificate is valid and always give warnings that the site is not secure. I can see the certificate I created in the browser, so I assume that I didn't build up the cert chain properly. Any help is appreciated!

Thanks!

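A check on the keystore described in the question, as an added example that is not part of the original post: `keytool -genkey` creates a self-signed certificate for the key entry, and `-import` under a different alias adds a separate trusted-certificate entry instead of attaching a chain to that key. The `keytool -list -v` output below is constructed and abridged, the CA names in it are placeholders, and the function names are hypothetical.

```python
import re

# Constructed, abridged `keytool -list -v` output for a keystore built the way
# the question describes. CA names are placeholders, not real issuers.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.mydomain.com, OU=Unknown, O=Unknown, C=Unknown
Issuer: CN=www.mydomain.com, OU=Unknown, O=Unknown, C=Unknown

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def parse_entries(text):
    """Split keytool -list -v output into one dict per alias."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        lines = block.splitlines()
        entry = {"alias": lines[0].strip(), "type": None, "chain": []}
        owner = None
        for line in lines[1:]:
            if line.startswith("Entry type: "):
                entry["type"] = line.split(": ", 1)[1].strip()
            elif line.startswith("Owner: "):
                owner = line.split(": ", 1)[1].strip()
            elif line.startswith("Issuer: ") and owner is not None:
                # Pair each Owner with the Issuer line that follows it.
                entry["chain"].append((owner, line.split(": ", 1)[1].strip()))
                owner = None
        entries.append(entry)
    return entries

def self_signed_key_entries(text):
    """Aliases of key entries whose leaf certificate has Owner == Issuer."""
    return [e["alias"] for e in parse_entries(text)
            if e["type"] == "PrivateKeyEntry" and e["chain"]
            and e["chain"][0][0] == e["chain"][0][1]]

if __name__ == "__main__":
    print(self_signed_key_entries(SAMPLE))
```

Only the certificate chain stored with the `PrivateKeyEntry` is presented to clients, so an alias reported here is served as a self-signed certificate regardless of what other entries the keystore holds.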