
Apache Tomcat is a web server and servlet container that is used to serve Java applications. Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies, released by the Apache Software Foundation.

Configure Tomcat Server to use Letsencrypt

This post documents lessons learned from deploying the ODK Aggregate Tomcat application with a Let's Encrypt SSL certificate.

The setup was based on a CentOS 7 server and Tomcat 7.0.69.

Tomcat installation

sudo yum -y install epel-release
sudo yum -y install tomcat tomcat-docs-webapp tomcat-javadoc tomcat-webapps tomcat-admin-webapps

Configure JAVA PATH

sudo yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel
sudo update-alternatives --config java
sudo update-alternatives --config javac

$ ls -l  /usr/lib/jvm

sudo tee -a /etc/bashrc<<'EOF'
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
export PATH=$JAVA_HOME/bin:$PATH
EOF

$ source /etc/bashrc
$ echo $JAVA_HOME
$ java -version

The Tomcat JVM options file is /etc/tomcat/tomcat.conf, example config (note that with the Java 8 JDK installed above the PermGen flags -XX:MaxPermSize and -XX:+CMSPermGenSweepingEnabled are ignored with a warning, since PermGen was replaced by Metaspace):

JAVA_OPTS="-Xms1024m -Xmx7328m -XX:MaxPermSize=5898m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled"

If you would like to add an admin user to manage Tomcat through the web GUI, this is done in the file /usr/share/tomcat/conf/tomcat-users.xml under the section:

<tomcat-users>
...
</tomcat-users>

Example:

<tomcat-users>
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>

Installing Letsencrypt

wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto

Request Letsencrypt ssl certificate for domain

firewall-cmd --add-service https --permanent
firewall-cmd --reload
certbot-auto certonly -d odk2.domain.com

The certificate and key files will be located under /etc/letsencrypt/live/odk2.domain.com/ (if certbot validates the domain over HTTP, port 80 must also be reachable, so allow the http service as well if it is not already open).

Create a PKCS12 file that contains both your full chain and the private key:

openssl pkcs12 -export -out /tmp/odk2.domain.com_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/odk2.domain.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/odk2.domain.com/privkey.pem \
    -name tomcat

Convert that PKCS12 to a JKS keystore:

keytool -importkeystore \
    -deststorepass ughubieVahfaej5 -destkeypass ughubieVahfaej5 -destkeystore odk2.domain.com.jks \
    -srckeystore odk2.domain.com_fullchain_and_key.p12  -srcstoretype PKCS12 -srcstorepass ughubieVahfaej5 \
    -alias tomcat

Replace ughubieVahfaej5 with your own keystore password; it must match the keystorePass value used in server.xml below. The keystore is written to the current directory, while server.xml expects it at /etc/ssl/odk2.domain.com.jks, so move it there and make it readable only by root and the tomcat user, since it holds the private key.

Configure tomcat server

# vim /etc/tomcat/server.xml

Ensure the default HTTP connector is commented out:

  <!--
    <Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />
    -->

Configure the connector to use a shared thread pool (the executor named here must exist; the default server.xml ships with an <Executor name="tomcatThreadPool" .../> element that is commented out, so uncomment it or the connector will fall back to its own internal pool):

 <Connector executor="tomcatThreadPool"
            port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />

Next, define the SSL HTTP/1.1 connector on port 8443:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/etc/ssl/odk2.domain.com.jks"
            keystorePass="ughubieVahfaej5"
            clientAuth="false" sslProtocol="TLS" />

With the above configuration, Tomcat redirects HTTP requests to the HTTPS port 8443 via redirectPort whenever the application's security constraints require a confidential (SSL) transport. The application can be accessed at:

http://server_IP_address:8080

Manager App

http://server_IP_address:8080/manager/html

Bash script to Auto renew with a cron job

It is good practice to automate the renewal with a Linux cron job. For this, take a look at:

Bash Script to Auto-renew Letsencrypt SSL certificate on Tomcat
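As an added example (not the linked script and not part of the original post), here is a certbot deploy hook that repeats the PKCS12 to JKS conversion from this guide after every renewal and restarts Tomcat, so the manual steps above do not have to be redone by hand. It assumes the keystore password is kept in the hypothetical file /etc/tomcat/keystore.pass, that Tomcat runs as the tomcat systemd unit, and that certbot sets RENEWED_LINEAGE for deploy hooks (which it does); install it with certbot-auto renew --deploy-hook /path/to/this/script.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# rebuilds the Tomcat JKS keystore after a renewal and restarts Tomcat.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/odk2.domain.com)
# to deploy hooks; the other settings below are assumptions for this example.
set -eu

KEYSTORE_DIR=/etc/ssl                 # directory server.xml's keystoreFile points at
ALIAS=tomcat                          # alias used with -name / -alias in the guide
PASS_FILE=/etc/tomcat/keystore.pass   # hypothetical: holds keystorePass, mode 0600
TOMCAT_SERVICE=tomcat                 # systemd unit name on CentOS 7

# Map a domain to its keystore path, e.g. odk2.domain.com -> /etc/ssl/odk2.domain.com.jks
keystore_path() {
    printf '%s/%s.jks\n' "$KEYSTORE_DIR" "$1"
}

# Rebuild the JKS for one certbot lineage directory and swap it in atomically.
rebuild_keystore() {
    live=$1
    domain=$(basename "$live")
    jks=$(keystore_path "$domain")
    pass=$(cat "$PASS_FILE")
    p12=$(mktemp)                     # temporary PKCS12, removed on exit
    trap 'rm -f "$p12" "$jks.new"' EXIT

    # Same two steps as the manual procedure, with the password read from a
    # file instead of being typed into each command.
    openssl pkcs12 -export -out "$p12" \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name "$ALIAS" -passout "pass:$pass"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks.new" -deststorepass "$pass" -destkeypass "$pass" \
        -alias "$ALIAS"

    # Tomcat only needs read access; keep the private key away from other users.
    chown root:tomcat "$jks.new"
    chmod 640 "$jks.new"
    mv -f "$jks.new" "$jks"           # rename is atomic on the same filesystem
    systemctl restart "$TOMCAT_SERVICE"
}

# Only act when certbot actually renewed something (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_keystore "$RENEWED_LINEAGE"
fi
```

Because certbot only runs deploy hooks when a certificate was actually renewed, the script can be attached to the daily cron renewal without restarting Tomcat on every run.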


8 COMMENTS

  1. Hey! Really useful post! Just a question: Let's Encrypt recommends upgrading the certificate with a daily cron. If I update the certificate with './path/to/certbot-auto renew --no-self-upgrade', should I generate the PKCS12 file and the JKS again? Do you have any suggestion to automate that task with the approach you posted here?
    Thanks!
