HTTPS for Tomcat 7 with Let’s Encrypt

Jan 07, 2017

1 Comment

HTTPS for Tomcat 7 with Let’s Encrypt also works with apache modproxy

To generate a certificate using let’s encrypt, follow this post. Once you got the certificate issued with the official Let’s Encrypt client, you will find that the client created a directory for you: /etc/letsencrypt. In this directory you will find the path live/yourDomain which contains symbolic links to the latest version of their corresponding file in /etc/letsencrypt/archive/yourDomain.

Copy the fullchain.pem and privkey.pem to a different folder or your home folder using the following command.

$ cp -L /etc/letsencrypt/live/yourDomain/fullchain.pem ~/fullchain.pem
$ cp -L /etc/letsencrypt/live/yourDomain/privkey.pem ~/privkey.pem

1 2	$ cp -L /etc/letsencrypt/live/yourDomain/fullchain.pem ~/fullchain.pem $ cp -L /etc/letsencrypt/live/yourDomain/privkey.pem ~/privkey.pem

Now you need to create a JKS file using the above two keychain files, so first run the following in the terminal.

$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat

1	$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat

You will be asked to provide a password (called yourPKCS12pass in the following).

Next, after we generated our PKCS12 keystore aboe, we can use Java’s keytool to generate a JKS from our PKCS12 file. To do so run the following.

$ keytool -importkeystore -deststorepass yourJKSpass -destkeypass yourKeyPass -destkeystore <strong>MyDSKeyStore</strong>.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <strong>yourPKCS12pass</strong> -alias tomcat

1	$ keytool -importkeystore -deststorepass yourJKSpass -destkeypass yourKeyPass -destkeystore <strong>MyDSKeyStore</strong>.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <strong>yourPKCS12pass</strong> -alias tomcat

This will give you a file called MyDSKeyStore.jks. Now you are ready to configure Tomcat for HTTPS.

The final step is to configure Tomcat to use Https:
To configure tomcat’s https you’ll need to edit server.xml under $CATALINA_BASE/conf/ directory.

Open the file using you favorite text editor and search for the line beginning with

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"

1	<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"

Using the information and the key you added above change it to

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" URIEncoding="UTF-8" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/volume1/NetBackup/myds_certs/MyDSKeyStore.jks" keystorePass="yourJKSpass" keyAlias="tomcat" keyPass="yourKeyPass"/>

Now restart tomcat, and run https://yourDomain:8443 to check the SSL Encryption

Smjrifle

Inner Geek

HTTPS for Tomcat 7 with Let’s Encrypt

HTTPS for Tomcat 7 with Let’s Encrypt also works with apache modproxy