Let’s Encrypt is a certificate authority that provides valid SSL certificates to be used for the web application. It provides certificates freely for everyone with some restrictions.
Security first should be the thumb rule for any organization to secure your hard-working code from hackers. It becomes more important while traveling application data over public networks. For this situation, we need to implement end-to-end encryption using TLS.
This tutorial helps you to issue a new let’s encrypt SSL certificate and configure it with the Tomcat web server.
Prerequisites
This tutorial doesn’t cover the Tomcat installation. We are assuming that you already have a Tomcat server running on your system. You can visit Tomcat installation tutorials.
Step 1 – Installing Certbot
Certbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. Which is available for most of the operating systems.
Debian-based users can install certbot by running the following command. Other operating system users can install it from here.
sudo apt install certbot
Next, create the SSL certificate for your domain. Make sure the domain is already pointed to the tomcat server from DNS. For this tutorial, I am using the tomcat.tecadmin.net subdomain.
sudo certbot certonly --standalone -d tomcat.tecadmin.net
Once the certificate issued, you can see all the related files at below location:
sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/
Outputcert.pem chain.pem fullchain.pem privkey.pem README
These are all the files you need for the SSL certificate setup.
Step 2 – Configure Tomcat with Let’s Encrypt SSL
Next, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses 8443 to listen for SSL/TLS requests.
Copy SSL certificate’s and private key files under /opt/tomcat/conf directory:
cd /etc/letsencrypt/live/tomcat.tecadmin.netsudo cp {cert,chain,privkey}.pem /opt/tomcat/conf/
Then edit the conf/server.xml file available under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, So use the below command to edit the configuration file.
sudo nano /opt/tomcat/conf/server.xml
Remove <!-- and --> to uncomment the following section in configuration file. Also add the certificate section with your certificate files. The configuration will be look like:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateFile="conf/cert.pem"
certificateKeyFile="conf/privkey.pem"
certificateChainFile="conf/chain.pem" />
</SSLHostConfig>
</Connector>
Press CTRL+O to save changes and CTRL+X to exit from the editor.
Now, restart the Tomcat service to apply changes.
sudo systemctl restart tomcat
That’s it. You have configured Let’s Encrypt SSL with Tomcat.
The next step is to verify the setup.
Step 3 – Verify Tomcat SSL Certificate
Default tomcat with SSL listens on 8443 port. Use your domain with an 8443 port to access Tomcat over the secure socket layer.
- https://tomcat.tecadmin.net:8443
That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.
Step 4 – Renew SSL Certificate
The default Let’s Encrypt SSL certificates expire in 90 days. You can easily refresh your SSL certificate anytime within 30 days of expiration.
Type the below command to refresh the SSL certificate.
certbot certonly --standalone -d tomcat.tecadmin.net
Once successfully renewed. Copy the newly generated certificate files to the Tomcat conf directory.
cd /etc/letsencrypt/live/tomcat.tecadmin.netcp {cert,chain,privkey}.pem /opt/tomcat/conf
Restart the Tomcat service to apply changes.
sudo systemctl restart tomcat
Conclusion
In this tutorial, You have learned to set up the Let’s Encrypt SSL certificate with the Tomcat web server. Additionally provides you with steps to renew your SSL certificate.
9 Comments
Did it work for anyone in 2022???
Hello,
In My case tomcat working fine with 8443 but tomcat port 8080 show me
Error code: SSL_ERROR_RX_RECORD_TOO_LONG…
How can I redirect 8080 to 8443?
Thank You
I don’t have a live directory in my letencrypt installation folder.
How can I fix the problem ?
Getting error : Challenge failed for domain http://www.mydomain.com
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: http://www.mydomain.com
Type: unauthorized
Detail: 54.93.177.21: Invalid response from
http://www.mydomain.com/.well-known/acme-challenge/3Uu9bmndFK_aaYUpv5mFeGbQHXbwmmhpC885HK7JMoU:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Hi Rahul , I followed instructions but still https not working .. can you please help me out ..i have used lets encrypt
here is the my server.xml file
==========================================================================
[root@jenkins-d95b-98a02c conf]# cat server.xml
<!– Security listener. Documentation at /docs/config/listeners.html
–>
<!–
–>
<!– –>
<!–
–>
<!–
–>
<!–
–>
<!– You should set jvmRoute to support load-balancing via AJP ie :
–>
<!–
–>
<!–
–>
============================================================================================
here is the logs file
=======================================================================================
21-Nov-2021 14:59:34.592 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/8.5.58
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Sep 10 2020 21:45:33 UTC
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 8.5.58.0
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.10.0-1160.45.1.el7.x86_64
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
21-Nov-2021 14:59:34.594 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64/jre
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_312-b07
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Red Hat, Inc.
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /opt/tomcat
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /opt/tomcat
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/tomcat
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/opt/tomcat
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/tomcat/temp
21-Nov-2021 14:59:34.595 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
21-Nov-2021 14:59:34.700 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [“https-jsse-nio-8443”]
21-Nov-2021 14:59:34.858 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
21-Nov-2021 14:59:34.867 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 652 ms
21-Nov-2021 14:59:34.896 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
21-Nov-2021 14:59:34.896 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.58
21-Nov-2021 14:59:34.911 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/ROOT.war]
21-Nov-2021 14:59:37.247 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
21-Nov-2021 14:59:37.715 INFO [localhost-startStop-1] hudson.WebAppMain.contextInitialized Jenkins home directory: /root/.jenkins found at: $user.home/.jenkins
21-Nov-2021 14:59:37.884 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/tomcat/webapps/ROOT.war] has finished in [2,973] ms
21-Nov-2021 14:59:37.885 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/examples]
21-Nov-2021 14:59:38.019 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/examples] has finished in [134] ms
21-Nov-2021 14:59:38.019 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/manager]
21-Nov-2021 14:59:38.040 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/manager] has finished in [21] ms
21-Nov-2021 14:59:38.040 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/host-manager]
21-Nov-2021 14:59:38.051 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/host-manager] has finished in [11] ms
21-Nov-2021 14:59:38.052 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/docs]
21-Nov-2021 14:59:38.064 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/docs] has finished in [12] ms
21-Nov-2021 14:59:38.074 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [“https-jsse-nio-8443”]
21-Nov-2021 14:59:38.094 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 3226 ms
21-Nov-2021 14:59:39.482 INFO [pool-6-thread-3] jenkins.InitReactorRunner$1.onAttained Started initialization
21-Nov-2021 14:59:39.629 INFO [pool-6-thread-5] jenkins.InitReactorRunner$1.onAttained Listed all plugins
21-Nov-2021 14:59:43.038 INFO [pool-6-thread-7] jenkins.InitReactorRunner$1.onAttained Prepared all plugins
21-Nov-2021 14:59:43.058 INFO [pool-6-thread-5] jenkins.InitReactorRunner$1.onAttained Started all plugins
21-Nov-2021 14:59:43.082 INFO [pool-6-thread-8] jenkins.InitReactorRunner$1.onAttained Augmented all extensions
21-Nov-2021 14:59:44.333 INFO [pool-6-thread-4] jenkins.InitReactorRunner$1.onAttained System config loaded
21-Nov-2021 14:59:44.334 INFO [pool-6-thread-4] jenkins.InitReactorRunner$1.onAttained System config adapted
21-Nov-2021 14:59:44.344 INFO [pool-6-thread-4] jenkins.InitReactorRunner$1.onAttained Loaded all jobs
21-Nov-2021 14:59:44.346 INFO [pool-6-thread-2] jenkins.InitReactorRunner$1.onAttained Configuration for all jobs updated
21-Nov-2021 14:59:44.382 INFO [Download metadata thread] hudson.model.AsyncPeriodicWork.lambda$doRun$1 Started Download metadata
21-Nov-2021 14:59:44.387 INFO [Download metadata thread] hudson.model.AsyncPeriodicWork.lambda$doRun$1 Finished Download metadata. 2 ms
21-Nov-2021 14:59:44.432 INFO [pool-6-thread-6] jenkins.InitReactorRunner$1.onAttained Completed initialization
21-Nov-2021 14:59:44.464 INFO [Jenkins initialization thread] hudson.WebAppMain$3.run Jenkins is fully up and running
21-Nov-2021 15:08:01.003 INFO [Workspace clean-up thread] hudson.model.AsyncPeriodicWork.lambda$doRun$1 Started Workspace clean-up
21-Nov-2021 15:08:01.008 INFO [Workspace clean-up thread] hudson.model.AsyncPeriodicWork.lambda$doRun$1 Finished Workspace clean-up. 1 ms
server.xml file is
[root@jenkins-d95b-98a02c conf]# cat server.xml
<!– Security listener. Documentation at /docs/config/listeners.html
–>
<!–
–>
<!– –>
<!–
–>
<!–
–>
<!–
–>
<!– You should set jvmRoute to support load-balancing via AJP ie :
–>
<!–
–>
<!–
–>
it is server.xml not server.conf
Thanks Dude
From all the resource I red online, this the best and most straight forward.
Thanks a lot!