How to install and configure a free SSL/TLS certificate for Tomcat using Let's Encrypt on CentOS Linux
Overview: this tutorial obtains a free Let's Encrypt SSL/TLS certificate on a CentOS server with Certbot, converts the PEM files into a password-protected PKCS12 (.pfx) keystore that Tomcat can load, points Tomcat's HTTPS connector at that keystore, forces every HTTP request to redirect to HTTPS through conf/web.xml, and renews the certificate before its 90-day validity runs out. The steps assume you are logged in over SSH to the CentOS server that will serve the certificate.
1. Introduction:
In this tutorial, we are going to create and set up a free SSL/TLS certificate on a Linux CentOS server. We use Let's Encrypt, which issues certificates free of charge that are valid for 90 days; you renew within that period, and we show how to renew too. You can read more about Let's Encrypt on its website.
The service is used worldwide to secure websites, is trusted by all major browsers and is well supported, so it is a sound choice if you do not want to pay a commercial certificate authority.
2. Prerequisites:
- Running CentOS server
- Running Tomcat server
- Domain pointed to the server's IP address
- Port 80 reachable from the Internet on that server (Certbot's standalone mode answers the Let's Encrypt HTTP-01 challenge there)
3. Install Certbot and create an SSL certificate:
Install Certbot:
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot
The yum-config-manager line is only needed on RHEL instances that receive packages through Red Hat Update Infrastructure (RHUI). On a plain CentOS 7 server Certbot comes from EPEL instead, so run sudo yum install epel-release before sudo yum install certbot. Either way, confirm the install with certbot --version.
Certbot's built-in "standalone" web server binds port 80 to answer the Let's Encrypt HTTP-01 challenge, so stop any service that is already listening on port 80 before continuing. Then request the certificate:
sudo certbot certonly --standalone -d example.com
Replace example.com with the domain you want to secure (repeat -d for additional names). On success Certbot writes the following files to the directory /etc/letsencrypt/live/example.com/:
cert.pem (your certificate), chain.pem (the Let's Encrypt intermediate), fullchain.pem (cert.pem followed by chain.pem) and privkey.pem (the private key).
These are symlinks into /etc/letsencrypt/archive/, and both directories are readable by root only; keep the private key that way.
Now become root and change into that directory:
sudo -i
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Replace password with one of your own. This creates the password-protected keystore bundle.pfx in /etc/letsencrypt/live/example.com/, which Tomcat will load. Two practical notes: a password given as pass:... ends up in your shell history and is visible to other users in the process list while openssl runs, so you can omit -password and let openssl prompt for it instead; and because Tomcat normally runs as an unprivileged user while /etc/letsencrypt/live is root-only, either copy bundle.pfx to a location that user can read (for example Tomcat's conf directory, owned by root:tomcat with mode 640) or adjust the keystore path in the next step accordingly.
4. Tomcat configuration for HTTPS:
Go to your Tomcat directory and back up server.xml before changing it:
cp conf/server.xml conf/server-copy.xml
Edit the server.xml file:
sudo vi conf/server.xml   (no need for sudo if you are logged in as root)
You can see the following commented-out HTTPS Connector tag, which we are going to change (its form differs between Tomcat 7 and Tomcat 8):
For Tomcat 7:
For Tomcat 8:
Uncomment it, or add a new Connector next to it, with these changes: port 8443 becomes 443, keystoreType is set to "PKCS12", keystoreFile is the path of the .pfx file created above, and keystorePass is the password used when creating it.
Change port 8080 to 80:
In the same file, find the HTTP Connector on port 8080 and change it so that port="8080" becomes port="80" and redirectPort="8443" becomes redirectPort="443". Your site, which previously answered at example.com:8080, now answers at http://example.com on port 80 and at https://example.com on port 443; until the redirect in the next step is in place, both work. One caveat: on Linux only root can bind ports below 1024, so Tomcat must either run as root (not recommended), be granted the capability with setcap 'cap_net_bind_service=+ep' on the java binary (which has its own library-path caveats), or be started through jsvc or authbind; alternatively keep 8080/8443 and put a reverse proxy in front.
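The two connectors as they look after the change, shown here as an added example rather than the article's own server.xml (the page's original snippet did not survive extraction). The keystore path, the password and the tomcat user are assumptions: the keystore is assumed to have been copied to Tomcat's conf directory so the unprivileged tomcat user can read it. Use only one of the two HTTPS connectors, the one matching your Tomcat version.

```xml
<!-- Added example, not from the original article. Paths and password are
     placeholders; the keystore was copied from /etc/letsencrypt/live/example.com/
     to /opt/tomcat/conf/bundle.pfx (root:tomcat, mode 640). -->

<!-- Plain HTTP on port 80 (was 8080). redirectPort must point at the HTTPS
     connector: the CONFIDENTIAL constraint in conf/web.xml redirects here. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS on port 443 (was 8443), Tomcat 7 / 8.0 attribute style.
     sslEnabledProtocols pins the connector to TLS 1.2 so SSLv3/TLS 1.0 are off. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/opt/tomcat/conf/bundle.pfx"
           keystorePass="password"
           keystoreType="PKCS12" />

<!-- The same configuration in the Tomcat 8.5 / 9 SSLHostConfig style.
     TLSv1.3 needs Java 11 or newer; drop it on Java 8. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="/opt/tomcat/conf/bundle.pfx"
                     certificateKeystorePassword="password"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, check that the full chain is served with openssl s_client -connect example.com:443 -servername example.com; the output should show the Let's Encrypt intermediate and end with "Verify return code: 0 (ok)". Note that keystorePass sits in server.xml in clear text, so keep that file readable by root and the tomcat user only.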
Save server.xml by pressing Esc, typing :wq and hitting Enter.
To always redirect HTTP to HTTPS, open the global deployment descriptor:
sudo vi conf/web.xml
Press Shift+G to jump to the end of the file and add the following <security-constraint> just before the closing </web-app> tag. It must sit inside <web-app>; appending it after the closing tag makes the file invalid XML and Tomcat will refuse to start.
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!--auth-constraint goes here if you require authentication-->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Save the file. Because conf/web.xml applies to every web application on this Tomcat, all of them now answer HTTP requests with a redirect to the HTTP connector's redirectPort, i.e. https://example.com. Restart Tomcat so the server.xml and web.xml changes take effect, then check with curl -I http://example.com that the response is a 302 whose Location header is the https:// URL.
5. Renew certificate:
The certificate is valid for only 90 days, so renew it before it expires. Certbot's standalone authenticator needs port 80 again, and Tomcat now owns it, so stop Tomcat first and run:
sudo certbot renew
Alternatively let Certbot stop and start Tomcat around the renewal: sudo certbot renew --pre-hook "systemctl stop tomcat" --post-hook "systemctl start tomcat" (assuming Tomcat runs as the systemd unit "tomcat"). certbot renew only touches certificates within 30 days of expiry, so it is safe to run daily from cron. Renewal replaces the PEM files but not bundle.pfx, so re-export the keystore:
sudo -i
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Use the same password as before, because it is what keystorePass in server.xml contains; if you copied bundle.pfx elsewhere for Tomcat, copy it again. Then restart the Tomcat server.
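The re-export and restart can be automated as a Certbot deploy hook, so a cron-driven certbot renew keeps Tomcat's keystore current without anyone logging in. The script below is an added example, not part of the original article; Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set to the live directory of the renewed certificate. The password file path, the keystore location /opt/tomcat/conf/bundle.pfx, the "tomcat" user and the "tomcat" systemd unit are assumptions to adjust for your installation.

```sh
#!/bin/sh
# Added example, not part of the original article: a certbot deploy hook that
# rebuilds Tomcat's PKCS12 keystore from the renewed Let's Encrypt files and
# restarts Tomcat, so the manual re-export step above is no longer needed.
# Install as /etc/letsencrypt/renewal-hooks/deploy/tomcat-pfx.sh (mode 0755);
# certbot runs every script in that directory after a successful renewal with
# RENEWED_LINEAGE set to /etc/letsencrypt/live/<domain>.
# Assumptions (adjust to your installation): the keystore password is stored in
# the root-only file /etc/letsencrypt/tomcat-keystore.pass, Tomcat reads the
# keystore from /opt/tomcat/conf/bundle.pfx as user "tomcat", and Tomcat is the
# systemd unit "tomcat".
set -eu

PASS_FILE="${PASS_FILE:-/etc/letsencrypt/tomcat-keystore.pass}"
PFX_OUT="${PFX_OUT:-/opt/tomcat/conf/bundle.pfx}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"

# export_pfx LINEAGE_DIR OUT_FILE PASS_FILE
# Builds a PKCS12 keystore from privkey.pem and fullchain.pem (leaf plus chain,
# equivalent to -in cert.pem -certfile chain.pem in the article). The password
# is read from a file via -passout file:, so it never appears on the command
# line, in shell history or in the process list.
export_pfx() {
    lineage="$1"; out="$2"; passfile="$3"
    for f in "$lineage/privkey.pem" "$lineage/fullchain.pem" "$passfile"; do
        [ -r "$f" ] || { echo "export_pfx: cannot read $f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # umask 077 keeps the temporary file private while it is being written
    ( umask 077 && openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/fullchain.pem" \
        -name tomcat \
        -passout "file:$passfile" \
        -out "$tmp" )
    # atomic replace, so Tomcat never opens a half-written keystore
    mv -f "$tmp" "$out"
}

# verify_pfx OUT_FILE PASS_FILE
# Succeeds only if the keystore opens with that password and contains a
# certificate, so a bad export or a wrong password is caught before the restart.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep -q "BEGIN CERTIFICATE"
}

main() {
    lineage="${RENEWED_LINEAGE:?set by certbot; run this script as a deploy hook}"
    export_pfx "$lineage" "$PFX_OUT" "$PASS_FILE"
    verify_pfx "$PFX_OUT" "$PASS_FILE"
    # root owns the keystore; the tomcat group may only read it
    chown "root:$TOMCAT_USER" "$PFX_OUT"
    chmod 640 "$PFX_OUT"
    systemctl restart "$TOMCAT_UNIT"
}

# Act only when certbot invokes us; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Create the password file once with umask 077 (its single line is the keystorePass from server.xml), and test the hook without waiting for a renewal with sudo certbot renew --dry-run, which exercises deploy hooks only on a real renewal, or by running RENEWED_LINEAGE=/etc/letsencrypt/live/example.com sh /etc/letsencrypt/renewal-hooks/deploy/tomcat-pfx.sh as root. On systems with OpenSSL 3, pkcs12 -export defaults to AES-256/PBKDF2 encryption that Java releases older than 8u301 and 11.0.12 cannot read; if Tomcat then fails to open the keystore, add -legacy to the export command.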