Simplest guide to configuring Tomcat to use HTTPS with Let's Encrypt's free cert

Suppose you have generated a standalone cert using the certbot command, and your cert is in /etc/letsencrypt/live/ . If not, follow this

Run the openssl command and remember your password; the keytool command that follows needs it

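# Bundle the certificate chain and private key into a PKCS#12 file under the alias "tomcat"
openssl pkcs12 -export -out /tmp/tomcat.quantr.hk_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/ \
    -inkey /etc/letsencrypt/live/ \
    -name tomcat
# Import the PKCS#12 bundle into a Java keystore
keytool -importkeystore \
    -deststorepass <password> -destkeypass <password> -destkeystore /tmp/ \
    -srckeystore /tmp/tomcat.quantr.hk_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <password> \
    -alias tomcat
# Copy the keystore into place and remove all access for other users
cp /tmp/ /home/
chmod o-rwx /home/
# The files left under /tmp still contain the private key; delete them once the copy is verified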
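
The export step above with tighter secret handling, as an added example that is not part of the original guide: the password comes from an environment variable instead of the command line, the bundle is written owner-only into a private temporary directory, and the result is checked against the certificate before it is used. The function names, the `P12_PASS` variable and the throwaway self-signed certificate (standing in for the certbot files) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; the certificate and key are constructed stand-ins.
set -eu

# make_test_cert DIR: throwaway self-signed pair standing in for certbot's output.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# export_p12 CERT KEY OUT: the guide's export step, with the password taken
# from the P12_PASS environment variable so it never appears in argv.
export_p12() {
    ( umask 077   # bundle is created readable by its owner only
      openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
          -out "$3" -passout env:P12_PASS )
}

# p12_matches_cert P12 CERT: succeeds only if the private key in the bundle
# belongs to CERT and the entry carries the alias "tomcat".
p12_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || return 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null \
        | grep -q 'friendlyName: tomcat'
}

# Demo in a private temporary directory instead of a fixed name under /tmp.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
export P12_PASS='constructed-demo-password'
make_test_cert "$work"
export_p12 "$work/fullchain.pem" "$work/privkey.pem" "$work/bundle.p12"
p12_matches_cert "$work/bundle.p12" "$work/fullchain.pem" && echo "bundle matches certificate"
```

The check compares public keys, so it also catches a bundle built from the wrong key after a renewal.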

Edit Tomcat's conf/server.xml. You need only one connector, serving port 8443; no other connector is needed.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/" certificateKeystorePassword="<password>"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Restart Tomcat and you are done. Below is the virtual host that forwards HTTPS connections from Apache to Tomcat. This step is optional; it is needed only if you use Apache as the public-facing server.

<VirtualHost *:443>
        ProxyRequests Off
        SSLEngine On
        SSLProxyEngine On
        # The next three directives disable verification of Tomcat's certificate
        # on the proxied connection; the backend here is localhost.
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        SSLCertificateFile /etc/letsencrypt/live/
        SSLCertificateKeyFile /etc/letsencrypt/live/
        Include /etc/letsencrypt/options-ssl-apache.conf

        ProxyPreserveHost On
        ProxyPass / https://localhost:8443/
        ProxyPassReverse / https://localhost:8443/
        ErrorLog ${APACHE_LOG_DIR}/
        CustomLog ${APACHE_LOG_DIR}/ common
</VirtualHost>

