Tags: ssl-certificate, ubuntu-16.04, tomcat8

Letsencrypt/SSL Tomcat8 Ubuntu 16.04


I have followed some guides on the internet but I am stuck now as none of what they told me to do works from this point on.

I have Ubuntu 16.04 with a Tomcat8. I have deployed an application in Tomcat's webapps and it works fine on http. Then I used letsencrypt to get a certificate and after validating my Tomcat's settings, it gave me 4 .pem files.

  • chain.pem
  • fullchain.pem
  • cert.pem
  • privkey.pem

Now I don't understand how to link/use them in my Tomcat/conf/server.xml in order to be able to access the application on port 443/8443. I have already put in a port forwarding from 443 to 8443 as I installed the Tomcat service with a non-root user. I put the .pem files into the conf folder of my Tomcat, so server.xml is right next to them.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/privkey.pem"
                         certificateFile="conf/cert.pem"
                         certificateChainFile="conf/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

This is my current setting in my server.xml file but it is not working. The presetting had no place for the "fullchain.pem" either, and I don't know whether I need to change the lines with "org.apache" in them, as I have no clue what those actually do.

Thanks in advance. I managed to do a self-signed certificate on Windows and Ubuntu, but you always get this insecure-warning then. I was told this doesn't happen with letsencrypt.


Solution

I will write how I managed to install it:

Download certbot:

    $ wget https://dl.eff.org/certbot-auto
    $ chmod a+x certbot-auto

Fetch the certificates:

    $ sudo /path/to/certbot-auto certonly --webroot -w /path/to/apache-tomcat-8.5/webapps/ROOT -d example.com

Your certificates will be downloaded into this folder: "/etc/letsencrypt/live/YOUR_WEBSITE_HERE/"

Edit the HTTPS connector in the server.xml like this:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
        <SSLHostConfig>
            <Certificate certificateKeyFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem"
                         certificateFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem"
                         certificateChainFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Let's Encrypt certificates are usually valid for 90 days, hence you need to renew them periodically. Add the following line to crontab to do so:

    0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew

I've also written a blog post about it which you can find here: https://www.gasimof.com/blog/enable-https-for-free-for-tomcat/
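As an added example (not code from the question, the answer or the Tomcat project), here is a small Python 3 checker for the kind of `<Certificate>` configuration shown above. It reads a server.xml, resolves each PEM attribute the way Tomcat does (relative paths against CATALINA_BASE), and flags what most often leaves the connector dead or the key exposed: PEM files the Tomcat user cannot read (typical when Tomcat runs as a non-root user against root-owned /etc/letsencrypt/live), a `certificateChainFile` that is really fullchain.pem (it repeats the leaf certificate), and a private key readable by group or others. The function names and the fixture built by `demo()` are my own constructed inputs.

```python
import os, pathlib, re, stat, tempfile
import xml.etree.ElementTree as ET

# One PEM block: group 1 is the label (CERTIFICATE, PRIVATE KEY, ...), group 2 the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def certificates_in(path):
    """Bodies of the CERTIFICATE blocks in a PEM file; only the framing is parsed, never the DER."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return {m.group(2).strip() for m in PEM_BLOCK.finditer(fh.read()) if m.group(1) == "CERTIFICATE"}

def check_server_xml(server_xml, catalina_base):
    """Return the problems found in every SSL-enabled Connector's Certificate elements ([] = clean)."""
    problems = []
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for cert in conn.iter("Certificate"):
            paths = {}
            for attr in ("certificateKeyFile", "certificateFile", "certificateChainFile"):
                if (value := cert.get(attr)) is None:
                    continue
                # Tomcat resolves relative paths against $CATALINA_BASE, so "conf/privkey.pem" is valid.
                path = value if os.path.isabs(value) else os.path.join(catalina_base, value)
                if not os.path.isfile(path):
                    problems.append(f"{attr}: {path} does not exist")
                elif not os.access(path, os.R_OK):  # e.g. root-only /etc/letsencrypt/live with a non-root Tomcat
                    problems.append(f"{attr}: {path} is not readable by this user")
                else:
                    paths[attr] = path
            key, leaf, chain = (paths.get(a) for a in ("certificateKeyFile", "certificateFile", "certificateChainFile"))
            if key and os.stat(key).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append(f"{key}: private key is readable by group/others")
            if leaf and chain and certificates_in(leaf) & certificates_in(chain):
                problems.append(f"{chain}: repeats the leaf certificate (looks like fullchain.pem, use chain.pem)")
    return problems

def demo():
    """Constructed Tomcat tree with two classic mistakes: fullchain.pem used as chain, group-readable key."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "conf"))
    files = {"server.xml": '<Server><Connector port="8443" SSLEnabled="true"><SSLHostConfig><Certificate '
                           'certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem" '
                           'certificateChainFile="conf/chain.pem" type="RSA"/></SSLHostConfig></Connector></Server>',
             "privkey.pem": "-----BEGIN PRIVATE KEY-----\nKEYBODY\n-----END PRIVATE KEY-----\n",
             "cert.pem": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
             "chain.pem": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
                          "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"}
    for name, text in files.items():
        pathlib.Path(base, "conf", name).write_text(text)
    os.chmod(os.path.join(base, "conf", "privkey.pem"), 0o640)  # group-readable: must be flagged
    return check_server_xml(os.path.join(base, "conf", "server.xml"), base)
```

Run `check_server_xml` as the account Tomcat runs under, because the readability check is only meaningful for that user.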