How To Secure Tomcat with Let's Encrypt SSL
Abstract: Once successfully renewed. Copy the newly generated certificate files to the Tomcat conf directory. cd /etc/letsencrypt/live/tomcat.tecadmin.netTomcat
Let’s Encrypt is a certificate authority that provides valid SSL certificates to be used for the web application. It provides certificates freely for everyone with some restrictions.
Security first should be the thumb rule for any organization to secure your hard-working code from hackers. It becomes more important while traveling application data over public networks. For this situation, we need to implement end-to-end encryption using TLS.
This tutorial helps you to issue a new let’s encrypt SSL certificate and configure it with the Tomcat web server.
PrerequisitesThis tutorial doesn’t cover the Tomcat installation. We are assuming that you already have a Tomcat server running on your system. You can visit Tomcat installation tutorials.
Step 1 – Installing CertbotCertbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. Which is available for most of the operating systems.
Debian-based users can install certbot by running the following command. Other operating system users can install it from here.
sudo apt install certbot
Next, create the SSL certificate for your domain. Make sure the domain is already pointed to the tomcat server from DNS. For this tutorial, I am using the tomcat.tecadmin.net subdomain.
sudo certbot certonly --standalone -d tomcat.tecadmin.net
Once the certificate issued, you can see all the related files at below location:
sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/
Output cert.pem chain.pem fullchain.pem privkey.pem README
These are all the files you need for the SSL certificate setup.
Step 2 – Configure Tomcat with Let’s Encrypt SSLNext, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses 8443 to listen for SSL/TLS requests.
Copy SSL certificate’s and private key files under /opt/tomcat/conf directory:
cd /etc/letsencrypt/live/tomcat.tecadmin.net
sudo cp {cert,chain,privkey}.pem /opt/tomcat/conf/
Then edit the conf/server.xml file available under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, So use the below command to edit the configuration file.
sudo nano /opt/tomcat/conf/server.xml
Remove <!--
and -->
to uncomment the following section in configuration file. Also add the certificate section with your certificate files. The configuration will be look like:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem" certificateChainFile="conf/chain.pem" /> </SSLHostConfig> </Connector>
Press CTRL+O to save changes and CTRL+X to exit from the editor.
Now, restart the Tomcat service to apply changes.
sudo systemctl restart tomcat
That’s it. You have configured Let’s Encrypt SSL with Tomcat.
The next step is to verify the setup.
Step 3 – Verify Tomcat SSL CertificateDefault tomcat with SSL listens on 8443 port. Use your domain with an 8443 port to access Tomcat over the secure socket layer.
- https://tomcat.tecadmin.net:8443
That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.
Step 4 – Renew SSL CertificateThe default Let’s Encrypt SSL certificates expire in 90 days. You can easily refresh your SSL certificate anytime within 30 days of expiration.
Type the below command to refresh the SSL certificate.
certbot certonly --standalone -d tomcat.tecadmin.net
Once successfully renewed. Copy the newly generated certificate files to the Tomcat conf directory.
cd /etc/letsencrypt/live/tomcat.tecadmin.net
cp {cert,chain,privkey}.pem /opt/tomcat/conf
Restart the Tomcat service to apply changes.
sudo systemctl restart tomcat
Conclusion
In this tutorial, You have learned to set up the Let’s Encrypt SSL certificate with the Tomcat web server. Additionally provides you with steps to renew your SSL certificate.