1. Introduction:
In this tutorial, we are going to create and set up a free SSL/TLS certificate on a Linux CentOS server. We are using Let's Encrypt for this: it provides the certificate free of charge, and each certificate is valid for 90 days, within which it can be renewed. We will show how to renew it too. You can find out more about Let's Encrypt on its website.
This service is used by many people worldwide to secure their websites, so it is trustworthy and well supported, and a good option if you cannot afford a paid certificate provider.
2. Prerequisites:
- Running CentOS server
- Running tomcat server
- Domain pointed to the server IP address
3. Install Certbot and create an SSL certificate:
Install Certbot:
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot
If a service is already running on port 80, stop it first, because the built-in "standalone" web server needs to bind that port. To obtain an SSL certificate for your domain using the standalone web server, type the following command:
sudo certbot certonly --standalone -d example.com
Here, replace example.com with the domain name you want to secure. Certbot will create the following certificate files in the directory "/etc/letsencrypt/live/example.com/":
cert.pem, chain.pem, fullchain.pem, privkey.pem.
Now log in as the root user and change to that directory:
sudo -i
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Replace "password" with a password of your choice. This creates a password-protected file bundle.pfx in the same directory, "/etc/letsencrypt/live/example.com/", which we will reference from the Tomcat configuration.
4. Tomcat configuration for HTTPS:
From the Tomcat installation directory, first make a backup copy of server.xml:
cp conf/server.xml conf/server-copy.xml
Then edit the server.xml file:
sudo vi conf/server.xml   # no need to type sudo if you are logged in as root
You will see the following commented-out XML tag (the one for port 8443), which we are going to change:
For Tomcat 7:
For Tomcat 8:
Add the following changes next to the XML tag above, or simply change that tag as shown below.
Here, we change port 8443 to 443, set keystoreType to "PKCS12", set keystoreFile to the path of the pfx file created previously, and set keystorePass to the password we used while creating the PFX file.
Change port 8080 to 80:
Change the above XML tag as below:
Here, we change the port from 8080 to 80 and 8443 to 443. As a result, a domain that previously ran on port 8080, i.e. example.com:8080, now opens on port 80, i.e. example.com. If you type your domain in the browser, it works over both HTTP and HTTPS, i.e. http://example.com and https://example.com.
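The edited tags themselves are not reproduced in the text above, so here is an added example of what the two Connector tags described in this section look like once changed. It is not configuration from the original post: it uses the Tomcat 7 / 8.0 attribute style, the bundle path from step 3, and a placeholder password.

```xml
<!-- HTTP connector: port 8080 changed to 80, and 8443 changed to 443 so that
     requests which require TLS are redirected to the HTTPS connector below. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector: port 8443 changed to 443; the keystore is the PKCS12
     bundle built from the Let's Encrypt files, opened with the export password. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/letsencrypt/live/example.com/bundle.pfx"
           keystoreType="PKCS12"
           keystorePass="password" />
```

Tomcat 8.5 and later still accept these attributes but prefer the nested SSLHostConfig and Certificate elements (certificateKeystoreFile, certificateKeystoreType, certificateKeystorePassword). Because keystorePass sits in server.xml in clear text, keep that file readable only by root and the Tomcat user, and remember that the bundle contains the private key. Binding ports 80 and 443 requires root privileges or a workaround such as authbind, a capability grant, or a front-end proxy.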
Save the server.xml file by pressing the Esc key, typing ":wq!" and hitting Enter.
To make Tomcat redirect plain HTTP requests to HTTPS, edit conf/web.xml and add the following security constraint:
sudo vi conf/web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
5. Renew certificate:
Renew the certificate, then rebuild the PFX bundle from the renewed files:
sudo certbot renew
sudo -i
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Don't forget to use your existing password, then restart the Tomcat server.
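The PFX export in step 3 and the manual re-export after every renewal in step 5 are the same operation, so they can be scripted once. Below is an added example of such a script; it is not part of the original tutorial. It can also be passed to certbot as a --deploy-hook so the bundle is rebuilt and Tomcat restarted automatically after a successful renewal. It reads the export password from a root-only file instead of the command line, where "-password pass:..." is visible in the shell history and process list, and it checks that the bundle opens with that password before restarting Tomcat. The service name "tomcat", the group "tomcat" and the password file path are assumptions; adjust them for your host. Because the certificate was obtained with --standalone, port 80 must still be free (Tomcat stopped, as in step 3) when certbot renew runs.

```bash
#!/bin/sh
# Added example, not from the original tutorial: rebuild the PKCS12 bundle that
# Tomcat uses from the Let's Encrypt "live" directory and restart Tomcat.
# Works for the initial setup (step 3) and after every renewal (step 5), e.g.
#   certbot renew --deploy-hook "/usr/local/sbin/tomcat-pfx.sh example.com"
# Assumed (hypothetical) names: systemd service "tomcat", group "tomcat", and
# the export password stored in /etc/letsencrypt/tomcat-pfx.pass (mode 0600).
set -eu

# build_pfx LIVE_DIR PASS_FILE OUT_FILE
# Same export as the tutorial's openssl command, but the password is read from
# the first line of PASS_FILE so it never appears in ps output or shell history.
build_pfx() {
    live_dir="$1"; pass_file="$2"; out_file="$3"
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "build_pfx: missing or unreadable $live_dir/$f" >&2
            return 1
        fi
    done
    openssl pkcs12 -export \
        -inkey "$live_dir/privkey.pem" \
        -in "$live_dir/cert.pem" \
        -certfile "$live_dir/chain.pem" \
        -out "$out_file" \
        -passout "file:$pass_file"
    # The bundle holds the private key: owner may write, group may only read.
    chmod 0640 "$out_file"
}

# verify_pfx OUT_FILE PASS_FILE
# Returns 0 only if the bundle's MAC verifies with the password, i.e. Tomcat
# will be able to open it with the same keystorePass.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout
}

main() {
    domain="${1:-example.com}"
    live_dir="/etc/letsencrypt/live/$domain"
    pass_file="/etc/letsencrypt/tomcat-pfx.pass"    # hypothetical path
    # The tutorial keeps the bundle in live/. Certbot creates /etc/letsencrypt/live
    # and /etc/letsencrypt/archive with mode 0700, so if Tomcat runs as an
    # unprivileged user, write the bundle to a directory that user can read.
    out_file="$live_dir/bundle.pfx"

    build_pfx "$live_dir" "$pass_file" "$out_file"
    verify_pfx "$out_file" "$pass_file"
    chgrp tomcat "$out_file"          # hypothetical group Tomcat runs as
    systemctl restart tomcat          # hypothetical service name
    echo "rebuilt $out_file and restarted Tomcat"
}

# Run only when a domain is given on the command line, so the functions can
# also be sourced without side effects.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Store the password file with mode 0600 owned by root; the same password must then be used as keystorePass in server.xml, so changing it means updating both places.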
It's working! Thank you