
    How To Secure Tomcat with Let’s Encrypt SSL

By Rahul, June 4, 2022

Let’s Encrypt is a certificate authority that issues publicly trusted SSL/TLS certificates for web applications. It provides certificates free of charge to everyone, subject to some restrictions.


Security should come first for any organization that wants to protect its hard-won application from attackers, and it matters even more when application data travels over public networks. In that situation, we need end-to-end encryption using TLS.

This tutorial helps you to issue a new Let’s Encrypt SSL certificate and configure it with the Tomcat web server.

    Prerequisites

This tutorial doesn’t cover the Tomcat installation. We assume that you already have a Tomcat server running on your system; if not, see our Tomcat installation tutorials.

    Step 1 – Installing Certbot

Certbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. It is available for most operating systems.

Debian-based users can install Certbot by running the following command. Users of other operating systems can follow the Certbot installation instructions for their platform.

    sudo apt install certbot 
    

Next, create the SSL certificate for your domain. Make sure the domain’s DNS record already points to the Tomcat server. For this tutorial, I am using the tomcat.tecadmin.net subdomain. Note that the --standalone option starts a temporary web server on port 80 to answer the ACME challenge, so port 80 must be free on the server and reachable from the internet while the command runs.

    sudo certbot certonly --standalone -d tomcat.tecadmin.net 
    

Once the certificate is issued, you can find the related files at the location below:

    sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/ 
    
    Output
    cert.pem chain.pem fullchain.pem privkey.pem README

    These are all the files you need for the SSL certificate setup.

    Step 2 – Configure Tomcat with Let’s Encrypt SSL

Next, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses port 8443 for SSL/TLS requests.

Copy the SSL certificate and private key files to the /opt/tomcat/conf directory. The files under /etc/letsencrypt/live/ are symlinks to the most recently issued versions, and once copied, privkey.pem should be readable only by the account Tomcat runs as:

    cd /etc/letsencrypt/live/tomcat.tecadmin.net 
    sudo cp {cert,chain,privkey}.pem /opt/tomcat/conf/ 
    

Then edit the conf/server.xml file under the Tomcat home directory. In my case, Tomcat is installed under /opt/tomcat, so use the command below to edit the configuration file.

    sudo nano /opt/tomcat/conf/server.xml 
    

Remove the <!-- and --> markers to uncomment the following section of the configuration file, and add the Certificate element pointing to your certificate files. The configuration will look like this:

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true">
            <SSLHostConfig>
                <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
            </SSLHostConfig>
        </Connector>
    

    Press CTRL+O to save changes and CTRL+X to exit from the editor.

    Now, restart the Tomcat service to apply changes.

    sudo systemctl restart tomcat 
    

    That’s it. You have configured Let’s Encrypt SSL with Tomcat.

    The next step is to verify the setup.

    Step 3 – Verify Tomcat SSL Certificate

By default, Tomcat with SSL enabled listens on port 8443. Use your domain with port 8443 to access Tomcat over HTTPS.

    • https://tomcat.tecadmin.net:8443

[Screenshot: Setup Let’s Encrypt SSL with Tomcat]

    That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.

    Step 4 – Renew SSL Certificate

Let’s Encrypt SSL certificates are valid for 90 days. You can renew a certificate at any time within the 30 days before it expires.

    Type the below command to refresh the SSL certificate.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 
    

Once the certificate is renewed successfully, copy the newly generated certificate files to the Tomcat conf directory.

cd /etc/letsencrypt/live/tomcat.tecadmin.net 
sudo cp {cert,chain,privkey}.pem /opt/tomcat/conf 
    

    Restart the Tomcat service to apply changes.

    sudo systemctl restart tomcat 
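As an added example (not code from the tutorial), the script below is a certbot deploy hook that automates the copy-and-restart step above so it runs after every renewal; the script path /usr/local/bin/tomcat-deploy-cert.sh, the tomcat user name and the check_served_cert helper are assumptions. It goes beyond the steps above by refusing to deploy an incomplete file set, restricting the private key's permissions, and showing which certificate Tomcat actually serves afterwards.

```shell
#!/bin/sh
# Added example (not from the tutorial): a certbot deploy hook that performs the
# tutorial's copy-and-restart step automatically after every renewal. The path
# /usr/local/bin/tomcat-deploy-cert.sh and the "tomcat" user are assumptions.
set -eu

# deploy_tomcat_cert SRC_DIR DEST_DIR OWNER RESTART_CMD
#   SRC_DIR     /etc/letsencrypt/live/<domain> (symlinks to the newest files)
#   DEST_DIR    the Tomcat conf directory referenced by server.xml
#   OWNER       the account Tomcat runs as; the only one allowed to read the key
#   RESTART_CMD command that makes Tomcat pick up the new files
deploy_tomcat_cert() {
    src="$1"; dest="$2"; owner="$3"; restart="$4"
    for f in cert.pem chain.pem privkey.pem; do
        # refuse to deploy a partial set: Tomcat would fail to start on restart
        [ -s "$src/$f" ] || { echo "deploy: missing $src/$f" >&2; return 1; }
    done
    old_umask=$(umask)
    umask 077                     # new copies start out readable by nobody else
    for f in cert.pem chain.pem privkey.pem; do
        # -L follows the live/ symlinks; copy to a temp name and rename so a
        # restart never sees a half-written file
        cp -L "$src/$f" "$dest/.$f.tmp"
        mv "$dest/.$f.tmp" "$dest/$f"
    done
    umask "$old_umask"
    chown "$owner" "$dest/privkey.pem"
    chmod 0600 "$dest/privkey.pem"                  # private key: owner only
    chmod 0644 "$dest/cert.pem" "$dest/chain.pem"   # public material
    $restart
}

# check_served_cert HOST PORT: prints subject, issuer and validity dates of the
# certificate Tomcat actually serves, so you can confirm the renewed one is live.
check_served_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# certbot exports RENEWED_LINEAGE (= /etc/letsencrypt/live/<domain>) when it
# runs this script through --deploy-hook; it is unset when sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_tomcat_cert "$RENEWED_LINEAGE" /opt/tomcat/conf tomcat "systemctl restart tomcat"
fi
```

Run it with sudo certbot renew --deploy-hook /usr/local/bin/tomcat-deploy-cert.sh, then check_served_cert tomcat.tecadmin.net 8443 to confirm the expiry date Tomcat now serves.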
    

    Conclusion

In this tutorial, you have learned to set up a Let’s Encrypt SSL certificate with the Tomcat web server, along with the steps to renew the certificate.


    9 Comments

    1. glaicon on December 5, 2022 10:38 am

      Did it work for anyone in 2022???

      Reply
    2. Anoop on November 12, 2022 7:14 am

      Hello,
In my case Tomcat is working fine on 8443, but Tomcat port 8080 shows me
Error code: SSL_ERROR_RX_RECORD_TOO_LONG…
How can I redirect 8080 to 8443?

      Thank You

      Reply
    3. Valdes on July 22, 2022 12:05 pm

I don’t have a live directory in my letsencrypt installation folder.

How can I fix the problem?

      Reply
    4. Deepak on June 2, 2022 3:27 am

      Getting error : Challenge failed for domain http://www.mydomain.com
      IMPORTANT NOTES:
      – The following errors were reported by the server:

      Domain: http://www.mydomain.com
      Type: unauthorized
      Detail: 54.93.177.21: Invalid response from
      http://www.mydomain.com/.well-known/acme-challenge/3Uu9bmndFK_aaYUpv5mFeGbQHXbwmmhpC885HK7JMoU:
      404

      To fix these errors, please make sure that your domain name was
      entered correctly and the DNS A/AAAA record(s) for that domain
      contain(s) the right IP address.

      Reply
    5. charan on November 21, 2021 3:13 pm

Hi Rahul, I followed the instructions but HTTPS is still not working. Can you please help me out? I have used Let’s Encrypt.

Here is my server.xml file
      here is the logs file

      Reply
      • [email protected] on November 21, 2021 3:20 pm

        server.xml file is


        Reply
    6. Dude on June 22, 2021 1:08 am

      it is server.xml not server.conf

      Reply
      • Rahul on June 23, 2021 4:40 am

        Thanks Dude

        Reply
    7. Bailly on June 6, 2021 6:35 pm

From all the resources I read online, this is the best and most straightforward.
      Thanks a lot!

      Reply
