(Last Updated On: March 7, 2018)

In my last article, Install Apache Tomcat 7 on CentOS 7 With Letsencrypt SSL Certificate, I covered all the steps required to get a Tomcat server running on your Linux server with a Letsencrypt SSL certificate. Here we’ll cover how to use a Bash script to auto-renew the Letsencrypt SSL certificate on Tomcat.

The steps used in that article to get the Letsencrypt certificate installed are manual. I’ve written a Bash script that makes the renewal process automatic, which gives you peace of mind by avoiding the same recurring manual work.

Prerequisites

There are a few packages you need to install for this process to work. To get email alerts on renewal, you need to install the package that provides the mail command.

For CentOS:

Run the following commands:

# wget https://dl.eff.org/certbot-auto -P /usr/local/bin
# chmod a+x /usr/local/bin/certbot-auto

If you have an active firewall, e.g. firewalld, open the https port on the firewall.

# firewall-cmd --add-service https --permanent
# firewall-cmd --reload

To get email alerts, install the mailx package:

$ sudo yum -y install mailx

For Ubuntu:

Run these commands on your Ubuntu server to get all the requirements satisfied.

# wget https://dl.eff.org/certbot-auto -P /usr/local/bin
# chmod a+x /usr/local/bin/certbot-auto

If you use the ufw firewall, open the https port, which is often used by Letsencrypt when renewing the certificate.

$ sudo ufw allow https

To get email alerts, install the mailutils package, which provides the mail command:

$ sudo apt-get -y install mailutils

Bash Script to Auto-renew Letsencrypt SSL certificate on Tomcat

Using the script

Now that you have everything set, clone the script repository, modify the script, make it executable and set a cron job for it.

First clone the repository:

$ git clone https://github.com/jmutai/tomcat-letsencrypt.git
$ cd tomcat-letsencrypt

Once you have cloned the repo or downloaded the script, there are a few variables you need to define before you’re ready to execute it. The file to edit is tomcat-letsencrypt-autorenew.sh.

TOMCAT_DOMAIN=""
TOMCAT_KEY_PASS=""
CERTBBOT_BIN="/usr/local/bin/certbot-auto"
EMAIL_NOTIFICATION="email_address"

Save the changes then:

$ chmod +x tomcat-letsencrypt-autorenew.sh
$ sudo cp tomcat-letsencrypt-autorenew.sh /usr/local/bin

You need to have configured your Tomcat server.xml file as shown in the “Configure tomcat server” section of the article Install Apache Tomcat 7 on CentOS 7 With Letsencrypt SSL Certificate. The keystore file should be at /etc/ssl/${DOMAIN}.jks.

Execute the script by running:

$ sudo su -
# /usr/local/bin/tomcat-letsencrypt-autorenew.sh

If you don’t need email notifications, you can skip the send_email_notification function.
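As an added example, not the tomcat-letsencrypt-autorenew.sh from the repository above, here is a minimal renew-and-import flow in the same shape. The variable names follow the article (CERTBOT_BIN spelled this way is an assumption); the certificate paths under /etc/letsencrypt/live are certbot's defaults; the keystore alias tomcat, the tomcat systemd unit, the --run flag and the 30-day threshold are assumptions you would adjust to your server. It reads the expiry date of the installed certificate, renews only when needed, converts certbot's PEM output to PKCS12, imports that into the JKS keystore, restarts Tomcat and mails a status line. The keystore password is handed to openssl and keytool through the environment rather than on the command line, so it does not show up in process listings.

```bash
#!/bin/sh
# Added example, not the repository's tomcat-letsencrypt-autorenew.sh.
# Renew a Let's Encrypt certificate only when it is close to expiry, then
# rebuild the Tomcat JKS keystore from certbot's PEM output and restart Tomcat.
set -eu

# Settings. Variable names follow the article; values are placeholders.
TOMCAT_DOMAIN="${TOMCAT_DOMAIN:-example.com}"            # placeholder domain
TOMCAT_KEY_PASS="${TOMCAT_KEY_PASS:-changeit}"           # placeholder password
CERTBOT_BIN="${CERTBOT_BIN:-/usr/local/bin/certbot-auto}"
EMAIL_NOTIFICATION="${EMAIL_NOTIFICATION:-}"             # empty: no mail sent
RENEW_THRESHOLD_DAYS="${RENEW_THRESHOLD_DAYS:-30}"       # assumed; LE certs live 90 days
LIVE_DIR="/etc/letsencrypt/live/${TOMCAT_DOMAIN}"        # certbot's default layout
KEYSTORE="/etc/ssl/${TOMCAT_DOMAIN}.jks"                 # path used by the article
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"                     # assumed systemd unit name
export TOMCAT_KEY_PASS                                   # read by openssl/keytool via env:

# Whole days from epoch $1 to epoch $2 (integer division, rounds toward zero).
days_between() {
  echo $(( ($2 - $1) / 86400 ))
}

# True (exit 0) when the certificate should be renewed: days left <= threshold.
needs_renewal() {
  [ "$1" -le "$2" ]
}

# Days until the currently installed certificate expires (needs GNU date -d).
cert_days_left() {
  end=$(openssl x509 -in "${LIVE_DIR}/cert.pem" -noout -enddate | cut -d= -f2)
  days_between "$(date +%s)" "$(date -d "$end" +%s)"
}

# PEM -> PKCS12 -> JKS. The password is taken from the environment so it does
# not appear in ps output; the new keystore replaces the old one atomically.
import_into_keystore() {
  p12=$(mktemp)
  openssl pkcs12 -export -name tomcat \
    -in "${LIVE_DIR}/fullchain.pem" -inkey "${LIVE_DIR}/privkey.pem" \
    -out "$p12" -passout env:TOMCAT_KEY_PASS
  rm -f "${KEYSTORE}.new"   # importkeystore refuses to overwrite an existing alias
  keytool -importkeystore -noprompt -alias tomcat \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env TOMCAT_KEY_PASS \
    -destkeystore "${KEYSTORE}.new" -deststoretype JKS -deststorepass:env TOMCAT_KEY_PASS
  rm -f "$p12"
  chmod 640 "${KEYSTORE}.new"
  mv -f "${KEYSTORE}.new" "$KEYSTORE"
}

# Mail a one-line status if an address is configured (mailx/mailutils mail).
notify() {
  [ -n "$EMAIL_NOTIFICATION" ] || return 0
  echo "$1" | mail -s "Letsencrypt renewal: ${TOMCAT_DOMAIN}" "$EMAIL_NOTIFICATION"
}

main() {
  days_left=$(cert_days_left)
  if ! needs_renewal "$days_left" "$RENEW_THRESHOLD_DAYS"; then
    echo "${TOMCAT_DOMAIN}: ${days_left} days left, nothing to do"
    return 0
  fi
  "$CERTBOT_BIN" renew --non-interactive --quiet --cert-name "$TOMCAT_DOMAIN"
  import_into_keystore
  systemctl restart "$TOMCAT_UNIT"
  notify "Certificate for ${TOMCAT_DOMAIN} renewed (${days_left} days were left); Tomcat restarted."
}

# Only run the renewal when invoked as: script.sh --run (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The alias given to openssl and keytool must match the keyAlias your server.xml connector expects, and the file is written to a temporary name and moved into place so Tomcat never sees a half-written keystore. certbot's own renew command already skips certificates with more than 30 days left; the explicit check up front only avoids invoking it at all when nothing is due, which is what makes a daily cron run cheap.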

Set cron job

To have a cron job run daily and check whether the certificate is due for renewal, open the root crontab:

# crontab -e

Add:

30 3 * * * /usr/local/bin/tomcat-letsencrypt-autorenew.sh

This means the check runs every day at 3:30 am. If the certificate is not due for renewal, the script exits gracefully.