
In my last article, Install Apache Tomcat 7 on CentOS 7 With Letsencrypt SSL Certificate, I covered all the steps required to have a Tomcat server running on your Linux server with a Letsencrypt SSL certificate. Here we’ll cover how to use a Bash script to auto-renew the Letsencrypt SSL certificate on Tomcat.

The steps used to get the Letsencrypt certificate installed, as shown in that article, are manual. I’ve written a Bash script to make the renewal process automatic. This gives you peace of mind by avoiding the same recurring manual steps.

Prerequisites

There are a few packages you need to install for this process to work. To get email alerts on renewal, you need to install the package that provides the mail command.

For CentOS:

Run the following commands:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/

If you have an active firewall, e.g. firewalld, open the HTTPS port on the firewall.

--- CentOS / Fedora / RHEL ----
$ sudo firewall-cmd --add-service https --permanent
$ sudo firewall-cmd --reload

--- Debian / Ubuntu ---
$ sudo ufw allow https

To get email alerts, install the mailx package:

--- CentOS / Fedora / RHEL ---
$ sudo yum -y install mailx

--- Ubuntu / Debian ---
$ sudo apt-get -y install mailutils

Bash Script to Auto-renew Letsencrypt SSL certificate on Tomcat

Using the script

Now that you have everything set, clone this script, modify it, make it executable and set a cron job for it.

First clone the repository:

git clone https://github.com/jmutai/tomcat-letsencrypt.git
cd tomcat-letsencrypt

Once you have cloned the repo or downloaded the script, there are a few variables that you need to define before you’re ready to execute it.

Edit the file tomcat-letsencrypt-autorenew.sh and set the required values:

TOMCAT_DOMAIN="example.com"
TOMCAT_KEY_PASS="Password"
CERTBBOT_BIN="/usr/local/bin/certbot-auto"
EMAIL_NOTIFICATION="[email protected]"

Where:

  • example.com is replaced with your Tomcat domain name
  • Password is the password of the Tomcat keystore (the .jks file)
  • [email protected] is the email address to which alerts are sent.

Save the changes, then make the script executable and copy it to a directory in your PATH:

$ chmod +x tomcat-letsencrypt-autorenew.sh
$ sudo cp tomcat-letsencrypt-autorenew.sh /usr/local/bin

You need to have configured your Tomcat server.xml file as shown in the “Configure tomcat server” section of the article Install Apache Tomcat on CentOS 7 With Letsencrypt SSL Certificate. The keystore file should be at /etc/ssl/${DOMAIN}.jks.

Execute the script by running:

sudo /usr/local/bin/tomcat-letsencrypt-autorenew.sh

If you don’t need email notification, you can skip the send_email_notification function.

Set cron job

To have a cron job run daily, checking whether the cert is due for renewal:

sudo crontab -e

Add:

30 3 * * * /usr/local/bin/tomcat-letsencrypt-autorenew.sh

This means it will run every day at 3 am for checks. If the cert is not due for renewal, the script will exit gracefully.
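As an added example that is not the repository's script, here is a minimal stand-alone version of the same renewal flow: check how many days the current certificate has left, and only if fewer than 30 remain, run certbot, repackage the PEM files into the Tomcat JKS keystore, restart Tomcat and send the mail alert. It assumes GNU date, certbot-auto in /usr/local/bin, a keystore alias named tomcat, a systemd unit named tomcat, and the same variable names as the page.

```shell
#!/usr/bin/env bash
# Added example, not the jmutai/tomcat-letsencrypt script. Assumed: GNU date,
# certbot-auto in /usr/local/bin, keystore alias "tomcat", systemd unit "tomcat".
set -eu
TOMCAT_DOMAIN="${TOMCAT_DOMAIN:-example.com}"
TOMCAT_KEY_PASS="${TOMCAT_KEY_PASS:-Password}"
CERTBOT_BIN="${CERTBOT_BIN:-/usr/local/bin/certbot-auto}"
EMAIL_NOTIFICATION="${EMAIL_NOTIFICATION:-admin@example.com}"
RENEW_BEFORE_DAYS=30                       # Let's Encrypt certs are valid for 90 days
LIVE_DIR="/etc/letsencrypt/live/${TOMCAT_DOMAIN}"
KEYSTORE="/etc/ssl/${TOMCAT_DOMAIN}.jks"

# Whole days until expiry (0 if already expired). Pure arithmetic, so the
# renewal decision can be checked without a real certificate.
days_left() {                              # args: expiry_epoch now_epoch
  local diff=$(( $1 - $2 ))
  if [ "$diff" -gt 0 ]; then echo $(( diff / 86400 )); else echo 0; fi
}
# Succeeds when fewer than RENEW_BEFORE_DAYS days remain.
needs_renewal() {                          # args: expiry_epoch now_epoch
  [ "$(days_left "$1" "$2")" -lt "$RENEW_BEFORE_DAYS" ]
}
# notAfter of the certificate certbot currently holds, as a Unix timestamp.
cert_expiry_epoch() {
  local not_after
  not_after=$(openssl x509 -enddate -noout -in "$LIVE_DIR/fullchain.pem" | cut -d= -f2)
  date -d "$not_after" +%s
}
# PEM -> PKCS#12 -> JKS, replacing the old "tomcat" entry; keystore not world-readable.
install_into_keystore() {
  local p12; p12=$(mktemp)
  openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
    -out "$p12" -name tomcat -passout "pass:$TOMCAT_KEY_PASS"
  keytool -delete -alias tomcat -keystore "$KEYSTORE" -storepass "$TOMCAT_KEY_PASS" 2>/dev/null || true
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$TOMCAT_KEY_PASS" \
    -destkeystore "$KEYSTORE" -deststorepass "$TOMCAT_KEY_PASS" -srcalias tomcat -destalias tomcat -noprompt
  rm -f "$p12"; chmod 640 "$KEYSTORE"
}
main() {
  if ! needs_renewal "$(cert_expiry_epoch)" "$(date +%s)"; then
    echo "Certificate for $TOMCAT_DOMAIN is not due for renewal; exiting."; exit 0
  fi
  "$CERTBOT_BIN" renew --cert-name "$TOMCAT_DOMAIN" --quiet
  install_into_keystore
  systemctl restart tomcat
  echo "Renewed Let's Encrypt certificate for $TOMCAT_DOMAIN" | mail -s "Tomcat cert renewed" "$EMAIL_NOTIFICATION"
}
# Runs the renewal only when invoked as "script.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then main; fi
```

From cron, invoke it with the run argument (e.g. 30 3 * * * /usr/local/bin/script.sh run); without it the script only defines its functions.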
