Certbot and Tomcat - Certificates Obtained but Not Converted to JKS and Configured with Tomcat (FIXED!)

Hello @gerryscat,

The renew command will renew your cert but won't install it in your keystore; you need to do that manually, or you can automate it in the renew process, but then you should provide a script that performs the needed steps to recreate your keystore with the new cert and reload your Tomcat.

You are using the NIO protocol, so you can't use the SSLCertificateFile directive; it is only valid for the APR protocol.

First you need to renew your cert, but you already did. The problem here is that you have generated several certs:

CRT ID     DOMAIN (CN)  VALID FROM              VALID TO                EXPIRES IN  SANs
141619623  gpsowl.com   2017-May-21 03:03 CEST  2017-Aug-19 03:03 CEST  88 days     gpsowl.com
                                                                                    www.gpsowl.com

140104828  gpsowl.com   2017-May-18 04:12 CEST  2017-Aug-16 04:12 CEST  85 days     gpsowl.com

133064925  gpsowl.com   2017-May-05 03:13 CEST  2017-Aug-03 03:13 CEST  72 days     gpsowl.com
                                                                                    www.gpsowl.com

So you need to identify which is the right one; I think it is the one containing the domain and the www domain. I suppose that the right cert, containing both domains, is located at /etc/letsencrypt/live/gpsowl.com/ and the cert containing only your domain is located at /etc/letsencrypt/live/gpsowl.com-0001/

To identify how many domains your cert contains, you can use this:

openssl x509 -in /etc/letsencrypt/live/gpsowl.com/cert.pem -noout -text | grep DNS:

openssl x509 -in /etc/letsencrypt/live/gpsowl.com-0001/cert.pem -noout -text | grep DNS:

Once you have identified the right cert, you need to recreate the keystore with the new key and cert.

0.- Create a dir to store your keystore. I'm using /etc/tomcat8/keystore/ for this example; you should use the path that you want.

mkdir -p /etc/tomcat8/keystore/

1.- Create a pkcs12 store (change HERETHEPASSWORD with the password you want):

openssl pkcs12 -export -in /etc/letsencrypt/live/gpsowl.com/fullchain.pem -inkey /etc/letsencrypt/live/gpsowl.com/privkey.pem -out /etc/tomcat8/keystore/gpsowl.com.p12 -password pass:HERETHEPASSWORD

2.- Import pkcs12 store into a keystore (change HERETHEPASSWORD with the password used in previous command):

keytool -importkeystore -srckeystore /etc/tomcat8/keystore/gpsowl.com.p12 -srcstoretype pkcs12 -srcstorepass HERETHEPASSWORD -destkeystore /etc/tomcat8/keystore/gpsowl.com.keystore -deststoretype jks -deststorepass HERETHEPASSWORD

3.- Configure your Tomcat to use the right keystore and password:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true" URIEncoding="UTF-8"
           keystoreFile="/etc/tomcat8/keystore/gpsowl.com.keystore"
           keystorePass="HERETHEPASSWORD"
           clientAuth="false" sslProtocol="TLS" />

4.- Restart or reload your Tomcat.

I hope this helps.

Cheers,
sahsanu

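The steps in the reply above, wired together as the renewal script it recommends. This is an added example, not code from the post or from certbot: a deploy hook that rebuilds the PKCS#12 store and the JKS keystore from the lineage certbot just renewed, then restarts Tomcat. Two things differ from the one-off commands in the post. The lineage is taken from the RENEWED_LINEAGE variable certbot exports to deploy hooks, and the script checks that the renewed cert actually carries both gpsowl.com and www.gpsowl.com before touching the keystore, so a renewal of the bare-domain lineage (gpsowl.com-0001) is ignored instead of silently replacing the keystore with the wrong cert. The keystore password is read from a root-owned file rather than passed as `pass:HERETHEPASSWORD`, which would be visible to every local user in `ps` and in the shell history. The keystore directory, the password-file path, the `tomcat8` group and systemd unit name are assumptions to adjust for your host.

```shell
#!/usr/bin/env bash
# Added example (not from the forum post): certbot deploy hook that rebuilds the
# Tomcat keystore from a renewed Let's Encrypt lineage. Paths, the service name,
# the group and the password-file location are assumptions.
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/etc/tomcat8/keystore}"                # assumed, as in the post
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-$KEYSTORE_DIR/.storepass}" # assumed: root-owned, mode 0600
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat8}"                          # assumed systemd unit
REQUIRED_NAMES="gpsowl.com www.gpsowl.com"                           # names the Connector must serve

# Print the DNS SANs of a PEM certificate, one per line (nothing if it has none).
san_names() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}

# Number of DNS SANs: 2 for the lineage carrying both names, 1 for the bare-domain one.
san_count() {
    san_names "$1" | grep -c . || true
}

# Succeed only if the certificate covers every name listed after the file path.
cert_covers() {
    cert="$1"; shift
    names="$(san_names "$cert")"
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$want" || return 1
    done
}

# Post step 1: PKCS#12 store from fullchain + key. The password comes from a file
# (openssl's file: source) so it never appears on the command line.
build_pkcs12() {  # args: fullchain.pem privkey.pem out.p12 passfile
    openssl pkcs12 -export -name tomcat -in "$1" -inkey "$2" -out "$3" -passout "file:$4"
    chmod 640 "$3"
}

# Post step 2: convert to JKS. keytool's ":file" password modifier reads the same file.
import_jks() {  # args: in.p12 out.keystore passfile
    rm -f "$2"    # importkeystore refuses to overwrite an alias in an existing store
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:file "$3" \
        -destkeystore "$2" -deststoretype jks -deststorepass:file "$3"
    chmod 640 "$2"
}

# Steps 0 to 4 for one lineage directory, e.g. /etc/letsencrypt/live/gpsowl.com.
deploy() {
    lineage="$1"
    # $REQUIRED_NAMES is deliberately unquoted so it splits into one argument per name.
    if ! cert_covers "$lineage/cert.pem" $REQUIRED_NAMES; then
        echo "skipping $lineage: cert does not cover: $REQUIRED_NAMES" >&2
        return 0      # a different lineage (e.g. gpsowl.com-0001) renewed; leave the keystore alone
    fi
    umask 027
    mkdir -p "$KEYSTORE_DIR"
    build_pkcs12 "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$KEYSTORE_DIR/gpsowl.com.p12" "$KEYSTORE_PASS_FILE"
    import_jks "$KEYSTORE_DIR/gpsowl.com.p12" "$KEYSTORE_DIR/gpsowl.com.keystore" "$KEYSTORE_PASS_FILE"
    chgrp tomcat8 "$KEYSTORE_DIR"/gpsowl.com.*   # assumed: Tomcat runs as group tomcat8
    systemctl restart "$TOMCAT_SERVICE"           # post step 4; assumed systemd unit name
}

# certbot runs deploy hooks with RENEWED_LINEAGE set; without it this file only
# defines the functions above, which makes it safe to source for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this.sh` (or as `deploy_hook` in the lineage's renewal config) so it runs only after a successful renewal, and keep the keystorePass in server.xml equal to the contents of the password file. Restarting Tomcat is the blunt but reliable reload on Tomcat 8; keep the hook as is unless you have verified a lighter reload on your version.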