How to set up a free SSL certificate for tomcat using let's encrypt on ubuntu.
Here, we are going to set up a free SSL certificate provided by a non-profit authority called Let's Encrypt. This is trusted and used by many to secure their website. The certificate is valid for only 90 days and can renew during that time. You can find out more about Let's Encrypt here.
which will give the following command to install certbot.
Table Of Contents
1. Introduction:
Here, we are going to set up a free SSL certificate provided by a non-profit authority called Let's Encrypt. This is trusted and used by many to secure their website. The certificate is valid for only 90 days and can renew during that time. You can find out more about Let's Encrypt here.
2. Prerequisites:
- Running ubuntu server
- Running tomcat server
- Domain name pointed to the server Ip address
3. Install certbort and create an SSL certificate:
SSH into the server where you want to create a certificate. In order to
create an SSL certificate, we need to install certbot for this, go and
select the appropriate ubuntu server version from here. As we are using ubuntu 18.04 LTS.
Add Certbot PPA
To obtain an SSL certificate for your domain using a built-in "standalone"
webserver type the following command:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot
sudo apt-get install certbot
If you have already running service which uses port 80, stop it first
otherwise you will get Address BindException.
sudo certbot certonly --standalone -d example.com
Here, replace the domain name you want to secure instead of
example.com
which will create a different certificate file to the directory:
/etc/letsencrypt/live/example.com/
Now, logged in as root user and go to that directory
sudo -i
cd /etc/letsencrypt/live/example.com/
Next step is to convert those certificate PEM file to password-based PFX format so that we can use in tomcat configuration. We can do this by using
OpenSSL command as below.
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Replace the password with your desired one. It will create a
password-protected file bundle.pfx under the same directory
"/etc/letsencrypt/live/example.com/" which we need to use in tomcat
configuration.
4. Tomcat configuration for HTTPs:
cp conf/server.xml conf/server-copy.xml
Edit the server.xml file.
sudo vi conf/server.xml // no need to type sudo if you are logged in as root user
You can see the following xml tag(for tomcat 8), we are going to change this: Replace the above tag such that the config look like as below:
Here, we are changing port 8443 to 443, keystoreType as "PKCS12", keystoreFile
as the path of the pfx file created previously and keystorePass as your
password that we used while creating PFX file.
Change the port 8080 to 80:
Under server.xml you can find the following tag.
change the above xml tag as below:
Here, we are changing the port from 8080 to 80 and 8443 to 443. By doing so, if your
domain running with port 8080 i.e example.com:8080, now it will open with port
80 i.e example.com. If you type your domain in the browser then you can run it with both HTTP and https i.e http://example.com and https://example.com.
Save the server.xml file by clicking "Esc" key and type ":wq!" and hit Enter.
As we want to always redirect our domain to https. To do so, open the web.xml file
under conf/web.xml.
sudo vi conf/web.xml
And add the below code at the end of file before the end of
"/web-app" xml tag.
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!--auth-constraint goes here if you requre authentication-->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Which will always redirect to HTTPs.
The certificate is valid for only 90 days so we need to renew before expiry. For this, stop tomcat and type the following command:
5. Renew certificate:
sudo certbot renew
sudo -i
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Don't forget to use your existing password. And restart the tomcat server.
0 comments:
New comments are not allowed.