HTTPS for Tomcat 7 with Let’s Encrypt
This setup also works behind Apache mod_proxy.
To generate a certificate using Let's Encrypt, follow this post. Once you have the certificate issued by the official Let's Encrypt client, you will find that the client created the directory /etc/letsencrypt for you. Inside it, live/yourDomain contains symbolic links to the latest version of each file in /etc/letsencrypt/archive/yourDomain.
Copy fullchain.pem and privkey.pem to a different folder, or to your home folder, using the following commands (-L copies the files the links point to, not the links themselves):
```sh
$ cp -L /etc/letsencrypt/live/yourDomain/fullchain.pem ~/fullchain.pem
$ cp -L /etc/letsencrypt/live/yourDomain/privkey.pem ~/privkey.pem
```
Now you need to create a JKS file from these two PEM files. First, run the following in the terminal to bundle the chain and the private key into a PKCS12 keystore:
```sh
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat
```
You will be asked to provide a password (called yourPKCS12pass in the following).
Next, with the PKCS12 keystore generated above, use Java's keytool to convert it into a JKS keystore. To do so, run the following:
```sh
$ keytool -importkeystore -deststorepass yourJKSpass -destkeypass yourKeyPass -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass yourPKCS12pass -alias tomcat
```
This will give you a file called MyDSKeyStore.jks. Now you are ready to configure Tomcat for HTTPS.
The final step is to configure Tomcat to use HTTPS.
To configure Tomcat's HTTPS connector you need to edit server.xml in the $CATALINA_BASE/conf/ directory.
Open the file in your favorite text editor and search for the line beginning with
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
```
Using the keystore and the passwords you chose above, change it to
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           URIEncoding="UTF-8" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/volume1/NetBackup/myds_certs/MyDSKeyStore.jks"
           keystorePass="yourJKSpass"
           keyAlias="tomcat" keyPass="yourKeyPass"/>
```
Now restart Tomcat and open https://yourDomain:8443 in a browser to check that the TLS connection works.
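Let's Encrypt certificates expire after 90 days, so the copy, PKCS12 and keytool steps above have to be repeated after every renewal, and the copied private key and both keystores should not be left world-readable in a home folder. The script below is an added example, not code from the original post: it wraps the whole procedure in functions so it can be re-run on each renewal, passes the passwords through the environment rather than on the command line, restricts permissions on every file that holds the key, and verifies the PKCS12 bundle before handing it to keytool. The domain, output directory and passwords are placeholders.

```sh
#!/bin/sh
# Added example: script the PEM -> PKCS12 -> JKS conversion for Tomcat so it can
# be repeated after every Let's Encrypt renewal. Paths and passwords are placeholders.
set -eu

# Build a PKCS12 bundle from a full chain and private key. The export password
# is read from the environment so it does not show up in `ps` output.
#   $1 fullchain.pem   $2 privkey.pem   $3 output .p12   $4 PKCS12 password
build_p12() {
    P12_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" \
        -out "$3" -name tomcat -passout env:P12_PASS
    chmod 600 "$3"    # the bundle contains the private key
}

# Return 0 if the PKCS12 file opens with the given password, non-zero otherwise
# (a wrong password fails the bundle's MAC check). Run this before touching Tomcat.
verify_p12() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -noout >/dev/null 2>&1
}

# Import the PKCS12 bundle into a JKS keystore that Tomcat 7 can read.
# Needs Java's keytool; passwords again come from the environment.
#   $1 input .p12   $2 PKCS12 password   $3 output .jks   $4 JKS store and key password
p12_to_jks() {
    SRC_PASS="$2" DST_PASS="$4" keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env SRC_PASS \
        -destkeystore "$3" -deststorepass:env DST_PASS -destkeypass:env DST_PASS \
        -alias tomcat
    chmod 600 "$3"
}

# End to end: copy the live/ files with -L so the symlinks are dereferenced
# (the archive/ targets rotate on renewal), then convert and verify.
#   $1 domain   $2 output directory   $3 PKCS12 password   $4 JKS password
convert_letsencrypt() {
    live="/etc/letsencrypt/live/$1"
    mkdir -p "$2"
    cp -L "$live/fullchain.pem" "$2/fullchain.pem"
    cp -L "$live/privkey.pem" "$2/privkey.pem"
    chmod 600 "$2/privkey.pem"
    build_p12 "$2/fullchain.pem" "$2/privkey.pem" "$2/fullchain_and_key.p12" "$3"
    verify_p12 "$2/fullchain_and_key.p12" "$3"
    if command -v keytool >/dev/null 2>&1; then
        p12_to_jks "$2/fullchain_and_key.p12" "$3" "$2/MyDSKeyStore.jks" "$4"
        echo "keystore written to $2/MyDSKeyStore.jks; restart Tomcat to load it"
    else
        echo "keytool not found; install a JDK and rerun" >&2
        return 1
    fi
}

# Usage with placeholder values (run as root or as a user that can read /etc/letsencrypt/live):
#   sh convert.sh yourDomain /volume1/NetBackup/myds_certs yourPKCS12pass yourJKSpass
if [ "$#" -eq 4 ]; then
    convert_letsencrypt "$1" "$2" "$3" "$4"
fi
```

Point the keystoreFile attribute in server.xml at the MyDSKeyStore.jks the script writes, keep keystorePass and keyPass equal to the JKS password you passed as the fourth argument, and hook the script into whatever runs after certbot renew so Tomcat never serves an expired chain.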