How To Secure Tomcat with Let's Encrypt SSL

Channel: Linux

Let’s Encrypt is a certificate authority that issues SSL/TLS certificates trusted by browsers for use with web applications. It provides certificates free of charge to everyone, with some restrictions.

Security first should be the rule of thumb for any organization that wants to protect its hard-won code and data from attackers. It matters even more when application data travels over public networks; for that situation, you need end-to-end encryption using TLS.

This tutorial shows you how to issue a new Let’s Encrypt SSL certificate and configure it for the Tomcat web server.

Prerequisites

This tutorial doesn’t cover the Tomcat installation; it assumes you already have a Tomcat server running on your system. See the Tomcat installation tutorials if you still need to set one up.

Step 1 – Installing Certbot

Certbot is a command-line utility for creating and managing Let’s Encrypt SSL certificates, and it is available for most operating systems.

Debian-based users can install Certbot by running the following command. Users of other operating systems can install it from here.

sudo apt install certbot 

Next, create the SSL certificate for your domain. Make sure the domain already points to the Tomcat server in DNS, and that port 80 is free and reachable from the internet, because the --standalone plugin starts its own temporary web server on that port to answer the validation challenge. For this tutorial, I am using the tomcat.tecadmin.net subdomain.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once the certificate has been issued, you can find all the related files at the location below:

sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/ 
Output
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

These are all the files you need for the SSL certificate setup.

Step 2 – Configure Tomcat with Let’s Encrypt SSL

Next, configure your Tomcat server to listen for TLS connections. By default, Tomcat uses port 8443 for SSL/TLS requests.

Copy the certificate, chain and private key files into the /opt/tomcat/conf directory. Keep the private key readable only by root and the Tomcat service account:

cd /etc/letsencrypt/live/tomcat.tecadmin.net 
sudo cp {cert,chain,privkey}.pem /opt/tomcat/conf/ 

Then edit the conf/server.xml file under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, so the command to edit the configuration file is:

sudo nano /opt/tomcat/conf/server.xml 

Remove <!-- and --> to uncomment the following section of the configuration file, and add the Certificate element pointing at your certificate files. The result should look like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" />
        </SSLHostConfig>
    </Connector>

Press CTRL+O to save changes and CTRL+X to exit from the editor.

Now, restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 

That’s it: Tomcat is now configured with the Let’s Encrypt SSL certificate.

The next step is to verify the setup.

Step 3 – Verify Tomcat SSL Certificate

By default, Tomcat with SSL enabled listens on port 8443. Open your domain on port 8443 to access Tomcat over HTTPS, and check that the browser reports the certificate as valid for your domain:

  • https://tomcat.tecadmin.net:8443

That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.

Step 4 – Renew SSL Certificate

Let’s Encrypt SSL certificates expire after 90 days. You can renew your certificate at any time within 30 days of its expiration.

Run the command below to renew the SSL certificate.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once the renewal has succeeded, copy the newly generated certificate files to the Tomcat conf directory.

cd /etc/letsencrypt/live/tomcat.tecadmin.net 
sudo cp {cert,chain,privkey}.pem /opt/tomcat/conf/ 

Restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 
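
The copy-and-restart in Step 4 is easy to forget, and a renewed certificate that was never copied into conf/ is a common reason a site ends up serving an expired one. As an added example (not from the original article or the Tomcat project), here is a certbot deploy hook that performs those steps automatically after each renewal; the conf path and systemd unit come from this tutorial, while the `tomcat` service account/group and the hook file name /etc/letsencrypt/renewal-hooks/deploy/tomcat.sh are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook for Tomcat (added example, not from the original article).
# Certbot runs deploy hooks after a successful renewal with RENEWED_LINEAGE set
# to the live/<domain> directory, e.g. /etc/letsencrypt/live/tomcat.tecadmin.net.
# Install it as /etc/letsencrypt/renewal-hooks/deploy/tomcat.sh (assumed name)
# or pass it with: certbot renew --deploy-hook /path/to/tomcat.sh
set -eu

TOMCAT_CONF="${TOMCAT_CONF:-/opt/tomcat/conf}"  # conf directory used in the article
TOMCAT_USER="${TOMCAT_USER:-tomcat}"            # assumed service account (group of the same name)
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"      # systemd unit restarted in the article

# deploy_certs SRC DST: copy cert.pem, chain.pem and privkey.pem from SRC to DST,
# replacing each file atomically, and restrict who can read the private key.
deploy_certs() {
    src="$1"
    dst="$2"
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "deploy_certs: missing $src/$f" >&2; return 1; }
    done
    for f in cert.pem chain.pem privkey.pem; do
        # write to a temporary name first so Tomcat never reads a half-copied file
        cp "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"
    done
    chmod 644 "$dst/cert.pem" "$dst/chain.pem"  # public material
    chmod 640 "$dst/privkey.pem"                # key: root and the Tomcat group only
    if [ "$(id -u)" -eq 0 ] && id "$TOMCAT_USER" >/dev/null 2>&1; then
        chown root:"$TOMCAT_USER" "$dst/cert.pem" "$dst/chain.pem" "$dst/privkey.pem"
    fi
}

# restart_tomcat: restart the service so the connector loads the renewed files.
restart_tomcat() {
    systemctl restart "$TOMCAT_SERVICE"
}

# Run only when invoked by certbot (RENEWED_LINEAGE set); sourcing the file for
# tests defines the functions without touching the system.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$TOMCAT_CONF"
    restart_tomcat
fi
```

With the hook installed, `certbot renew` (for example from the timer or cron job the certbot package sets up) copies the files and restarts Tomcat only on the runs that actually renew the certificate.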

Conclusion

In this tutorial, you have learned how to set up a Let’s Encrypt SSL certificate with the Tomcat web server, and how to renew the certificate when it approaches expiry.

Ref From: tecadmin
