Apache Tomcat is a web server and servlet container that is used to serve Java applications. Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies, released by the Apache Software Foundation.

Configure Tomcat Server to use Letsencrypt

This is a write-up of lessons learned from deploying the ODKAggregate Tomcat application with a Letsencrypt SSL certificate.

The setup was based on a CentOS 7 server and Tomcat 7.0.69.

Tomcat installation

# yum -y install tomcat tomcat-docs-webapp tomcat-javadoc tomcat-webapps tomcat-admin-webapps

Configure JAVA_HOME and PATH

# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel
# update-alternatives --config java
# update-alternatives --config javac
# ls -l  /usr/lib/jvm

cat >>/etc/bashrc <<'EOF'
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
export PATH=$JAVA_HOME/bin:$PATH
EOF

The quoted 'EOF' is needed: with an unquoted heredoc the current shell expands $JAVA_HOME (still empty at this point) and $PATH before writing the file, so /etc/bashrc would end up with an empty JAVA_HOME and a hard-coded PATH.

# source /etc/bashrc
# echo $JAVA_HOME
# java -version

Tomcat's JVM options are set in /etc/tomcat/tomcat.conf, example config:

JAVA_OPTS="-Xms1024m -Xmx7328m -XX:MaxPermSize=5898m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled"

Note that the Java 8 JVM installed above has no permanent generation, so it ignores -XX:MaxPermSize and -XX:+CMSPermGenSweepingEnabled (it prints a warning at startup); -Xms/-Xmx still apply.

If you would like to add an admin user to manage Tomcat through the web GUI, this is done in /usr/share/tomcat/conf/tomcat-users.xml under the section:

<tomcat-users>
...
</tomcat-users>

Example (use a strong password in place of "password"; these two roles give full control over deployed applications and the server configuration):

<tomcat-users>
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>

Installing Letsencrypt (certbot)

wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto

Request a Letsencrypt SSL certificate for the domain

firewall-cmd --add-service https --permanent
firewall-cmd --reload
certbot-auto certonly -d odk2.domain.com

The certificate, chain and private key will be located under /etc/letsencrypt/live/odk2.domain.com/

Create a PKCS12 file that contains both the full chain and the private key (openssl prompts for an export password; remember it for the next step):

openssl pkcs12 -export -out /tmp/odk2.domain.com_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/odk2.domain.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/odk2.domain.com/privkey.pem \
    -name tomcat

Convert that PKCS12 to a JKS keystore (the source path is the file written by the openssl step, the destination is the path referenced by server.xml below):

keytool -importkeystore \
    -deststorepass ughubieVahfaej5 -destkeypass ughubieVahfaej5 -destkeystore /etc/ssl/odk2.domain.com.jks \
    -srckeystore /tmp/odk2.domain.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass ughubieVahfaej5 \
    -alias tomcat

Replace ughubieVahfaej5 with your own password. -srcstorepass must be the export password entered in the openssl step, and the two -dest passwords must match the keystorePass in server.xml. Because the keystore holds the private key, make it readable only by root and the tomcat group (owner root:tomcat, mode 0640), and delete the PKCS12 copy from /tmp once the conversion is done.
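Letsencrypt certificates expire after 90 days, so the PKCS12 and JKS conversion above has to be repeated after every renewal or Tomcat keeps serving the old certificate. The script below is an added example, not part of the original write-up or of ODK Aggregate or certbot: it wraps the two conversion steps in functions, reads the keystore password from the environment (openssl's env: and keytool's :env forms) instead of the command line, locks down the keystore permissions, checks that the "tomcat" alias is present, and restarts Tomcat. It is written to run as a certbot deploy hook; the RENEWED_LINEAGE variable and the /etc/letsencrypt/renewal-hooks/deploy/ directory are conventions of newer certbot releases, and the domain, paths and service name are assumptions taken from this write-up.

```shell
#!/bin/sh
# Added example (not from the original write-up): rebuild the Tomcat JKS from the
# current Let's Encrypt files and restart Tomcat after a renewal. Intended to be
# placed in /etc/letsencrypt/renewal-hooks/deploy/ (certbot convention; assumed).
set -eu

DOMAIN="${DOMAIN:-odk2.domain.com}"                          # assumption from the write-up
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}" # certbot sets RENEWED_LINEAGE
JKS_PATH="${JKS_PATH:-/etc/ssl/$DOMAIN.jks}"                 # path used in server.xml
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"
# The keystore password comes from the environment so it never appears in the
# process list. It must equal keystorePass in server.xml.
KEYSTORE_PASS="${KEYSTORE_PASS:-}"
export KEYSTORE_PASS

# make_pkcs12 FULLCHAIN PRIVKEY OUT_P12
# Packs chain + key into a PKCS12 under alias "tomcat"; the export password is
# read from $KEYSTORE_PASS via -passout env:. The subshell keeps umask local.
make_pkcs12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name tomcat -passout env:KEYSTORE_PASS )
}

# pkcs12_to_jks IN_P12 OUT_JKS
# Converts the PKCS12 into a JKS; keytool's ":env NAME" form reads each
# password from an environment variable. The old keystore is replaced.
pkcs12_to_jks() {
    ( umask 077
      rm -f "$2"
      keytool -importkeystore -noprompt \
          -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
          -destkeystore "$2" -deststoretype JKS \
          -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS \
          -srcalias tomcat -destalias tomcat )
}

# jks_has_alias JKS ALIAS  -> exit status 0 if the alias exists in the keystore
jks_has_alias() {
    keytool -list -keystore "$1" -storepass:env KEYSTORE_PASS -alias "$2" >/dev/null 2>&1
}

# p12_cert_subject P12  -> prints the subject of the end-entity certificate,
# a quick check that the right certificate was packed.
p12_cert_subject() {
    openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

deploy() {
    [ -n "$KEYSTORE_PASS" ] || { echo "KEYSTORE_PASS is not set" >&2; exit 1; }
    p12="$(mktemp)"
    make_pkcs12 "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$p12"
    pkcs12_to_jks "$p12" "$JKS_PATH"
    rm -f "$p12"                      # no private-key copies left in /tmp
    chown root:tomcat "$JKS_PATH"     # only root and the tomcat group may read the key
    chmod 0640 "$JKS_PATH"
    jks_has_alias "$JKS_PATH" tomcat || { echo "alias tomcat missing in $JKS_PATH" >&2; exit 1; }
    # Tomcat reads the keystore only at startup, so restart to serve the new certificate.
    systemctl restart "$TOMCAT_SERVICE"
}

# Deploy only when run by certbot (RENEWED_LINEAGE set); sourcing the file for
# a dry run or a test leaves the system untouched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Run it once by hand with KEYSTORE_PASS exported and RENEWED_LINEAGE pointing at the live directory to seed the keystore; afterwards certbot invokes it after each successful renewal. Because the same password is used for the store and the key, the script matches the Tomcat 7 convention of a single keystorePass in the connector.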

Configure the Tomcat server

# vim /etc/tomcat/server.xml

Ensure the default HTTP connector is commented out:

    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

Configure the connector to use the shared thread pool (the Executor named tomcatThreadPool is defined, commented out, near the top of the stock server.xml; uncomment it, otherwise the connector fails to start because the executor does not exist):

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Next, define the SSL HTTP/1.1 connector on port 8443 (keystoreFile is the JKS created above and keystorePass the password used for it; since the password is stored in clear text here, keep server.xml readable only by root and the tomcat group):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/ssl/odk2.domain.com.jks"
               keystorePass="ughubieVahfaej5"
               clientAuth="false" sslProtocol="TLS" />

With the above configuration, the http to https redirect is done automatically for the application: when a request on the 8080 connector hits a resource that the application's web.xml protects with a CONFIDENTIAL transport guarantee, the redirectPort setting sends the client to 8443. The application can be accessed at:

http://server_IP_address:8080

For the https side use the certificate's host name (https://odk2.domain.com:8443) rather than the IP address, otherwise browsers report a certificate name mismatch.

Manager App

http://server_IP_address:8080/manager/html