
Simplest guide to configuring Tomcat to use HTTPS with Let's Encrypt's free cert

Suppose you have already obtained a certificate with certbot in standalone mode, so it lives under /etc/letsencrypt/live/. If not, follow this first: https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-ubuntu-16-04

Run the openssl and keytool commands below and remember the password you choose; openssl prompts for it, and the same password must be given to keytool. Replace quantr.hk-0001 with the name of your own lineage directory under /etc/letsencrypt/live/. Two caveats: Let's Encrypt certificates expire after 90 days and certbot only renews the PEM files, so this conversion has to be repeated (by hand or from a certbot deploy hook) after every renewal, otherwise Tomcat keeps serving the old certificate; and the intermediate files in /tmp contain your private key, so delete them once the keystore is in place.

# 1. Bundle the private key and the full chain into one PKCS12 file under the alias "tomcat".
#    openssl asks for an export password; that is the <password> used in the next step.
openssl pkcs12 -export -out /tmp/tomcat.quantr.hk_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/quantr.hk-0001/fullchain.pem \
    -inkey /etc/letsencrypt/live/quantr.hk-0001/privkey.pem \
    -name tomcat
# 2. Convert the PKCS12 file into a JKS keystore for Tomcat. Use the same password for all
#    three options. Passwords passed on the command line end up in shell history and are
#    visible in `ps` while keytool runs, so do this on a machine you control.
keytool -importkeystore \
    -deststorepass <password> -destkeypass <password> -destkeystore /tmp/tomcat.quantr.hk.jks \
    -srckeystore /tmp/tomcat.quantr.hk_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <password> \
    -alias tomcat
# 3. Install the keystore in Tomcat's conf directory and stop other users from reading it.
cp /tmp/tomcat.quantr.hk.jks /home/tomcat.quantr.hk/apache-tomcat-9.0.29/conf
chmod o-rwx /home/tomcat.quantr.hk/apache-tomcat-9.0.29/conf/tomcat.quantr.hk.jks

Edit Tomcat's conf/server.xml. One connector serving 8443 is all you need; the default HTTP connector on 8080 and the AJP connector can be removed. The keystore password sits in server.xml in clear text, so keep that file unreadable to other users as well (chmod o-rwx conf/server.xml).

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/tomcat.quantr.hk.jks" certificateKeystorePassword="<password>"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
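The steps above only have to be typed once, but the certificate they package is renewed by certbot every 90 days. The script below is an added example, not part of the original post: a certbot deploy hook that rebuilds Tomcat's keystore from the renewed PEM files, verifies it, installs it atomically and restarts Tomcat only when the keystore actually changed. It departs from the post in one respect, which is an assumption on my part about your setup: Tomcat 8.5 and later read PKCS12 keystores directly, so the keytool/JKS step is dropped and server.xml is expected to point at conf/tomcat.p12 with certificateKeystoreType="PKCS12". The RENEWED_LINEAGE variable is the one certbot exports to deploy hooks; STORE_PASS, TOMCAT_CONF and TOMCAT_RESTART (and the systemd unit name tomcat behind it) are names chosen for this example and must be set for your site.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook that refreshes Tomcat's
# PKCS12 keystore after every Let's Encrypt renewal.
#
# Assumptions (not from the post):
#   - Tomcat 8.5+ loads the .p12 directly; server.xml uses
#     certificateKeystoreFile="conf/tomcat.p12" certificateKeystoreType="PKCS12".
#   - certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name> when calling the hook.
#   - STORE_PASS holds the keystore password and is read by openssl through "env:", so it
#     never appears on a command line or in `ps`.
#   - TOMCAT_CONF and TOMCAT_RESTART are site settings; the defaults are illustrative.
set -eu

TOMCAT_CONF="${TOMCAT_CONF:-/home/tomcat.quantr.hk/apache-tomcat-9.0.29/conf}"
TOMCAT_RESTART="${TOMCAT_RESTART:-systemctl restart tomcat}"   # assumed service name

# build_p12 LINEAGE_DIR OUT_FILE
# Bundle privkey.pem + fullchain.pem from a certbot lineage into a PKCS12 file, alias "tomcat".
build_p12() {
    lineage="$1"; out="$2"
    (
        umask 077   # the keystore is created 0600, so no separate chmod is needed
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" \
            -inkey "$lineage/privkey.pem" \
            -name tomcat \
            -passout env:STORE_PASS \
            -out "$out"
    )
}

# check_p12 FILE
# Succeeds only if the keystore opens with STORE_PASS and carries the alias Tomcat expects.
check_p12() {
    openssl pkcs12 -in "$1" -nokeys -passin env:STORE_PASS 2>/dev/null \
        | grep -q 'friendlyName: tomcat'
}

# cert_subject FILE
# Print the leaf certificate's subject, so the hook logs what it installed.
cert_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:STORE_PASS 2>/dev/null \
        | openssl x509 -noout -subject
}

# install_p12 NEW_FILE
# Replace conf/tomcat.p12 with a rename (atomic on the same filesystem, so Tomcat never sees
# a half-written keystore) and restart only if the content changed.
install_p12() {
    target="$TOMCAT_CONF/tomcat.p12"
    if [ -f "$target" ] && cmp -s "$1" "$target"; then
        echo "keystore unchanged, not restarting Tomcat"
        rm -f "$1"
        return 0
    fi
    mv "$1" "$target"
    chmod 600 "$target"
    $TOMCAT_RESTART
}

main() {
    : "${STORE_PASS:?set STORE_PASS to the keystore password}"
    export STORE_PASS
    lineage="${RENEWED_LINEAGE:?certbot did not set RENEWED_LINEAGE}"
    tmp="$(mktemp "$TOMCAT_CONF/tomcat.p12.XXXXXX")"   # temp file on the target filesystem
    build_p12 "$lineage" "$tmp"
    check_p12 "$tmp" || { rm -f "$tmp"; echo "built keystore failed verification" >&2; exit 1; }
    echo "installing keystore for $(cert_subject "$tmp")"
    install_p12 "$tmp"
}

# Run only when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Drop the script into /etc/letsencrypt/renewal-hooks/deploy/ (executable) or pass it with certbot renew --deploy-hook; certbot runs deploy hooks only after a successful renewal, so a failed renewal leaves the working keystore untouched. The verification step matters because a keystore that does not open with the password in server.xml would otherwise be discovered only when Tomcat refuses to start the connector.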

Restart Tomcat and it is done. The VirtualHost below forwards HTTPS connections from Apache to Tomcat; this step is optional and only needed when Apache is your public-facing server. Note that SSLProxyVerify none together with SSLProxyCheckPeerCN off and SSLProxyCheckPeerName off switches off verification of Tomcat's certificate entirely. It is needed here because the backend is reached as localhost while its certificate is issued for tomcat.quantr.hk, and it is tolerable for a loopback connection, but it must not be kept if Tomcat ever moves to another host, since Apache would then accept any certificate in the middle. In that case either proxy to the real hostname and use SSLProxyVerify require with SSLProxyCACertificateFile pointing at the chain, or terminate TLS at Apache only and proxy to a plain HTTP connector in Tomcat bound with address="127.0.0.1".

<VirtualHost *:443>
    ServerName tomcat.quantr.hk

    ProxyRequests Off
    SSLEngine On
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    SSLCertificateFile /etc/letsencrypt/live/quantr.hk-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/quantr.hk-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

    ErrorLog ${APACHE_LOG_DIR}/tomcat.quantr.hk-error.log
    CustomLog ${APACHE_LOG_DIR}/tomcat.quantr.hk-access.log common
</VirtualHost>
