Configuring Let's Encrypt for Tomcat 8.x on Ubuntu 16.10


#1

I want to disable SSL. I already reinstalled the OS and Tomcat, but when I try to access my site using www.xxx.com, https shows and my site is not accessible. I want to know how I can remove SSL and restore my site to http.


#2

You might be seeing an effect from your browser cache, where your browser remembers that the site was last accessed in HTTPS and hence thinks that’s the right way to access it. You can double-check with a different browser or a different computer.


#3

Hi @chnchyl,

If you have had your OS reinstalled and have not issued a new cert for your domain, in my opinion the only explanation is that you configured your web server to provide an HSTS header and your browser has cached it, so when you try to access your domain the browser automatically tries to reach the https version.

Try it with another browser with which you have never accessed your domain, or clear your current browser’s cache and try again.

If you provide the real domain we can try it for you.

Cheers,
sahsanu


#5

www.mcloudy.com, this one.
It is a cache issue, thank you.
And one more thing: my site is based on Tomcat 8 on Ubuntu 16.10. What command should I use to get SSL?
I used the one below, but got an error message.
certbot certonly --webroot -w /var/lib/tomcat8/webapps/ -d www.mcloudy.com

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mcloudy.com
Using the webroot path /var/lib/tomcat8/webapps for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.mcloudy.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mcloudy.com/.well-known/acme-challenge/Rvd6i4_vyvgBrB_S3OVpvIg75j8xeu-h5nxqFE4vn3s: “Apache Tomcat/8.0.37 (Ubuntu) - Error reportH1 {font-family:Tah”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.mcloudy.com
    Type: unauthorized
    Detail: Invalid response from
    http://www.mcloudy.com/.well-known/acme-challenge/Rvd6i4_vyvgBrB_S3OVpvIg75j8xeu-h5nxqFE4vn3s:
    “Apache Tomcat/8.0.37 (Ubuntu) -
    Error reportH1 {font-family:Tah”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


#6

It is the cache issue. Thank you.
My site is based on Tomcat 8 on Ubuntu 16.10. Which command should I use to get SSL?
I use
certbot certonly --webroot -w /var/lib/tomcat8/webapps/ -d www.mcloudy.com
It doesn’t work; I got an error message.


#7

Hi @chnchyl,

The first thing you should check is that the challenge can be accessed by anyone, so to test it:

1.- Create the right directories in your document root

mkdir -p /var/lib/tomcat8/webapps/.well-known/acme-challenge/

2.- Create a test file

echo -n "this is a test" > /var/lib/tomcat8/webapps/.well-known/acme-challenge/test

3.- Test that you can reach this test file.

You can test it from command line:
curl -i http://www.mcloudy.com/.well-known/acme-challenge/test

or using your web browser:
http://www.mcloudy.com/.well-known/acme-challenge/test

You should see the text “this is a test”; if you see a 404 not found error or anything else, it is because the document root is not correct and you should review it.

If you get the right result, then you should try to execute again the same certbot command you tried before.

Cheers,
sahsanu
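The three-step check above, automated as a pre-flight script. This is an added example, not sahsanu's own script; WEBROOT and DOMAIN default to the values quoted in this thread and should be overridden for any other server. It fetches the test file the way the CA does (plain HTTP on port 80, following redirects) and recognises the Tomcat error page from the earlier failed attempt as the "wrong document root" case.

```shell
#!/bin/sh
# Added example, not sahsanu's script: automate the webroot check
# before running certbot again. WEBROOT and DOMAIN are the values from
# this thread; override them in the environment for your own server.
set -eu

WEBROOT="${WEBROOT:-/var/lib/tomcat8/webapps}"
DOMAIN="${DOMAIN:-www.mcloudy.com}"
CHALLENGE_DIR=".well-known/acme-challenge"

# Steps 1 and 2: create the challenge directory and drop a test file in it.
# Prints the path of the file it wrote.
prepare_test_file() {
    webroot="$1"; token="$2"; content="$3"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$content" > "$webroot/$CHALLENGE_DIR/$token"
    echo "$webroot/$CHALLENGE_DIR/$token"
}

# Step 3: fetch the file the way the CA does, over plain HTTP on port 80.
# -L follows redirects because the validation server follows them too.
fetch_status() { curl -sL -o /dev/null -w '%{http_code}' "http://$1/$CHALLENGE_DIR/$2"; }
fetch_body()   { curl -sL "http://$1/$CHALLENGE_DIR/$2"; }

# Classify the response. A 200 whose body is exactly the test string means
# the webroot is right; the "Apache Tomcat/8.0.37 (Ubuntu) - Error report"
# page quoted earlier in the thread is what a wrong document root looks like.
check_response() {
    status="$1"; body="$2"; expected="$3"
    if [ "$status" != "200" ]; then
        echo "FAIL: HTTP $status, expected 200"
        return 1
    fi
    case "$body" in
        *"Error report"*)
            echo "FAIL: Tomcat error page instead of the test file; wrong document root"
            return 1 ;;
    esac
    if [ "$body" != "$expected" ]; then
        echo "FAIL: body does not match the test file"
        return 1
    fi
    echo "OK: $CHALLENGE_DIR is served correctly, run certbot again"
}

main() {
    token="test-$$"
    content="this is a test"
    path=$(prepare_test_file "$WEBROOT" "$token" "$content")
    echo "wrote $path"
    status=$(fetch_status "$DOMAIN" "$token")
    body=$(fetch_body "$DOMAIN" "$token")
    if check_response "$status" "$body" "$content"; then rc=0; else rc=1; fi
    rm -f "$path"   # leave nothing behind; certbot writes its own tokens
    return $rc
}

# The live check only runs when invoked explicitly:
#   sudo sh check_challenge.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The script exits non-zero on any failure, so it can be placed in front of the certbot command (`sh check_challenge.sh --run && certbot certonly ...`) to stop a doomed run before it counts against the rate limits.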


#8

Hi @sahsanu
it works and I got the message below:
but it doesn’t show https:// in the URL. I’ve changed /etc/tomcat8/server.xml.
Is there anything else I should do to make this license work?

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mcloudy.com
Using the webroot path /var/lib/tomcat8/webapps for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/lib/tomcat8/webapps/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.mcloudy.com/fullchain.pem. Your cert will
    expire on 2017-08-04. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#9

Hi @chnchyl,

Congratulations, you got your first certificate ;).

Yes, you should do a few things, and configuring Tomcat to use the certificate is not straightforward.

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

As per your configuration you are using the NIO protocol, so you must use a keystore. You need to import the issued certificate, the intermediate certificate and the private key into the keystore and then configure your connector with the appropriate directives.

You have another option: instead of using the NIO protocol you can use APR, so there is no need for a keystore and you can use the pem files created by certbot.

And there is even a third option, which should be the easiest to automate. Instead of having Tomcat directly listening on ports 80 and 443, you could use the Apache or nginx web servers as a reverse proxy, so SSL will be managed by them instead of Tomcat.

It is up to you to choose the best option for your web site, so I’ll let you research it. If I have time I’ll put a mini-guide here to use it with APR, but meanwhile, check the docs available.

Note: Keep in mind that the validity of Let’s Encrypt certificates is 90 days, so you need a way to automate the procedure to renew the certs, or remember to re-issue your certs manually before the cert expires.

Cheers,
sahsanu
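The first option above (NIO connector plus keystore), worked through as an added example; it is not sahsanu's mini-guide nor code from the Tomcat or certbot projects. It packages the privkey.pem and fullchain.pem that certbot reported into a PKCS12 keystore with openssl and prints the matching connector for Tomcat 8.0's server.xml. LIVE_DIR is the path from this thread; KEYSTORE, ALIAS and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not sahsanu's code: package certbot's PEM files into a
# PKCS12 keystore for Tomcat 8.0's NIO connector. LIVE_DIR is the path
# certbot printed in this thread; KEYSTORE and ALIAS are assumed names.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.mcloudy.com}"
KEYSTORE="${KEYSTORE:-/etc/tomcat8/letsencrypt.p12}"
ALIAS="${ALIAS:-tomcat}"

# Package privkey.pem plus fullchain.pem (leaf + intermediate) into one
# PKCS12 file. The export password is read from $KEYSTORE_PASS so it never
# appears on the command line (visible in `ps`) or in shell history.
# The file is created under umask 077 because it now holds the private key.
build_keystore() {
    live="$1"; out="$2"; alias="$3"
    for f in privkey.pem fullchain.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            return 1
        fi
    done
    if [ -z "${KEYSTORE_PASS:-}" ]; then
        echo "KEYSTORE_PASS is not set" >&2
        return 1
    fi
    export KEYSTORE_PASS
    ( umask 077 && openssl pkcs12 -export \
          -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
          -name "$alias" -out "$out" -passout env:KEYSTORE_PASS )
    echo "wrote $out"
}

# Print the HTTPS <Connector> for Tomcat 8.0's server.xml. keystoreFile,
# keystoreType, keyAlias and keystorePass are Tomcat 8.0 connector attributes.
# server.xml then contains the keystore password, so keep the file readable
# only by root and the tomcat8 user.
render_connector() {
    keystore="$1"; alias="$2"; password="$3"
    cat <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$keystore" keystoreType="PKCS12"
           keyAlias="$alias" keystorePass="$password" />
EOF
}

main() {
    build_keystore "$LIVE_DIR" "$KEYSTORE" "$ALIAS"
    chown root:tomcat8 "$KEYSTORE" && chmod 640 "$KEYSTORE"   # tomcat8 must read it
    echo "Add this connector to /etc/tomcat8/server.xml and restart tomcat8:"
    render_connector "$KEYSTORE" "$ALIAS" "$KEYSTORE_PASS"
}

# Run as: KEYSTORE_PASS='...' sudo -E sh make_keystore.sh --run
# Re-run it after every renewal: certbot writes new PEM files, but the
# keystore does not update itself.
if [ "${1:-}" = "--run" ]; then main; fi
```

Because the keystore is a copy, the 90-day note above applies to it too: run this script from the renewal step (current certbot offers `--deploy-hook` for that) and restart Tomcat, or the renewed certificate on disk will never reach the connector.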


#11

Hi @sahsanu,
Thank you, I use Apache and it works, but I still face some weird issues, for example,
https://www.mcloudy.com/news?id=1
https://www.mcloudy.com/news?id=2
when this SSL works, the URL shows a green lock and says secure, but for these 2 URLs, the first one is not secure and the second one is secure. Is this normal?


#12

Hi @chnchyl,

I see you have made progress :+1: ;), you are almost there.

The second link is secure, but you are not seeing a green padlock in your browser because it uses mixed content. When a page uses https, ALL the links, images, etc. that it uses should be https too. If you use a link, for example to an image, that uses http instead of https, you will see that warning icon in your browser.

The issue in your second link is that you are using an image, “Justice League”, pointing to another domain with http:

This one http://img5.mtime.cn/pi/2016/10/13/083833.92379510_1000X1000.jpg should be https://img5.mtime.cn/pi/2016/10/13/083833.92379510_1000X1000.jpg

Change that in your web site code and you’ll be fine.

Next time, you can use this page https://www.whynopadlock.com/ to check your site. Open it, write the URL where you are having this warning in the search box, and it will tell you which references are wrongly using http instead of https on your site.

Cheers,
sahsanu
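A local version of the check sahsanu describes, as an added example (not code from sahsanu or from whynopadlock.com). Save the page's HTML first, for instance with `curl -s https://www.mcloudy.com/news?id=1 > page.html`, then run the script on the file; it lists every sub-resource the browser would load over plain http://, which is exactly what breaks the padlock. The script name and the sample URLs other than the mtime.cn image from the thread are assumptions.

```shell
#!/bin/sh
# Added example, not from sahsanu or whynopadlock.com: find the http://
# sub-resources that turn an https page into "mixed content".
set -eu

# Print each http:// reference a browser loads as a sub-resource:
# src= attributes (img, script, iframe), url( ) in inline CSS, and
# <link ... href=> (stylesheets). Plain <a href="http://..."> links are
# navigation, not mixed content, so they are ignored.
# Returns 0 when the page is clean, 1 when at least one hit was printed.
find_mixed_content() {
    hits=$({ grep -oiE '(src=|url\()"?http://[^")]*' "$1" || true
             grep -oiE '<link[^>]*href="http://[^"]*' "$1" || true; })
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Human-readable report with the fix from the thread: change each reference
# to https:// (after confirming the other host actually serves it over TLS).
report() {
    if hits=$(find_mixed_content "$1"); then
        echo "clean: no http:// sub-resources in $1"
    else
        echo "mixed content in $1, change these to https://:"
        printf '%s\n' "$hits" | sed 's/^/  /'
    fi
}

# Usage: sh mixedcheck.sh page.html
if [ $# -gt 0 ]; then report "$1"; fi
```

The check is intentionally strict about `src=` and lenient about `href=`: an image or script fetched over http can be altered in transit and runs inside the https page, whereas an http link only matters once the user follows it.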


#13

Hi @sahsanu,
Thank you very much .:grin:


#14

Hi @sahsanu
Now I have one SSL license, and I also want to use Squid to make a proxy. Can I use this very license to do both the proxy and the Apache reverse proxy? I don’t know whether I can use Apache to do this proxy and reverse proxy, so I chose Squid; this might be easy for me.


#15

@chnchyl, I don’t use Apache as a “normal” proxy nor Squid, so I have no advice for you, but I see no problem; your cert should be valid to be used with Squid.


#16

Thank you @sahsanu :grin:


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.