Hello, I wonder if anybody could enlighten me on getting Tomcat to work correctly on Windows Server using a letsencrypt certificate? This is what I have so far - mostly working OK apart from the crucial part (of course)!
I have a Microsoft Azure VM running Windows Server 2012 - running really well. The VM is set up so that ports 80, 8080, 443 & 8443 are open. IIS can be accessed on the server - browsing to the default site at http://portal.example.com on port 80 (for test purposes!) works fine. After installation of a letsencrypt certificate, the IIS site can also be accessed on port 443 at https://port.example.com with a nice green padlock in the address bar.
As you might guess, I want the Tomcat apps available over SSL on port 8443 and that is where I am having problems. I believe it should be possible to use the existing letsencrypt certificate and a suitably modified Tomcat server.xml file to get this working, but no success with anything I’ve tried…in every case, connection to https://portal.example.com:8443 fails and times out…anybody got any pointers for the correct connector string in server.xml for port 8443 and the letsencrypt files?
Thanks for the quick reply Osiris - I had read the official Apache howto but eventually my eyes glazed over. I hadn’t seen the second link so will look into it and report back. I am getting a message about the keystore being tampered with/wrong password in the Tomcat logs, so I will have a go at regenerating the keystore…
that gave files fullchain1.pem, cert1.pem, chain1.pem and privkey1.pem in directory /etc/letsencrypt/live/portal.kalvista.com
I had to do chown’s and chmod’s to get to that directory and retrieve the .pem files
Transferred the .pem files to the Windows Server VM
On Windows command line:
openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out fullchain_and_key.p12 -name tomcat
[password requested: entered twice and noted - it is shown as “password_from_4” in the text below…]
On Windows command line:
keytool -importkeystore -deststorepass password_from_4 -destkeypass password_from_4 -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass password_from_4 -alias tomcat
Copied the keystore file MyDSKeyStore.jks to the Tomcat conf folder, i.e. C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf in my case
Edited server.xml to include the following connector entry:
Restarted Tomcat service - no errors in catalina log.
Browsing to https://port.example.com still doesn’t work, but browsing to https://localhost:8443 gives the Tomcat “success” page, albeit with a red triangle in the address bar as shown on the attached screenshot. Looks like I am on the right track, but still some things to fix!
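The PEM-to-JKS conversion, keystore check and connector from the steps above, collected into one PowerShell script as an added example. This is not the original poster's script, and the connector is written from the Tomcat 8.5 SSLHostConfig syntax rather than copied from the server.xml entry that is missing from the post. It assumes openssl.exe and keytool.exe are on the PATH and that the .pem files were copied to C:\certs\portal.example.com (a made-up path); unlike the command lines in the post it reads the password from a prompt and passes it through an environment variable, so it ends up neither in the PowerShell history nor in the process list. The last step connects to the new port and tells a time-out (network path) apart from a handshake failure (certificate).

```powershell
# Added example, not the original poster's script: PEM -> PKCS#12 -> JKS for Tomcat 8.5,
# keystore verification, the connector to paste into server.xml, and a TLS reachability check.
# Assumptions: openssl.exe and keytool.exe on PATH; $PemDir is a made-up location for the .pem files.
$ErrorActionPreference = 'Stop'

$PemDir     = 'C:\certs\portal.example.com'
$TomcatConf = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf'
$Alias      = 'tomcat'
$P12        = Join-Path $PemDir 'fullchain_and_key.p12'
$Jks        = Join-Path $TomcatConf 'MyDSKeyStore.jks'

# Prompt for the keystore password and hand it to openssl/keytool via an environment variable
# instead of the command line (command-line arguments are visible to other users and land in
# the PowerShell history file).
$Secure = Read-Host -AsSecureString 'Keystore password'
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$env:KS_PASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Step 1: bundle full chain + private key into PKCS#12 ("env:" makes openssl read the variable).
& openssl pkcs12 -export -in (Join-Path $PemDir 'fullchain1.pem') `
    -inkey (Join-Path $PemDir 'privkey1.pem') -out $P12 -name $Alias -passout env:KS_PASS
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

# Step 2: PKCS#12 -> JKS. keytool's ":env" modifier reads the password from the named variable;
# the options are quoted so PowerShell passes them to keytool literally.
& keytool -importkeystore -noprompt -srckeystore $P12 -srcstoretype PKCS12 '-srcstorepass:env' KS_PASS `
    -destkeystore $Jks -deststoretype JKS '-deststorepass:env' KS_PASS '-destkeypass:env' KS_PASS `
    -alias $Alias
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# Step 3: confirm the alias exists and is a PrivateKeyEntry (a cert-only entry cannot serve TLS).
$listing = & keytool -list -keystore $Jks '-storepass:env' KS_PASS
if (-not ($listing | Select-String -SimpleMatch "$Alias,")) { throw "alias '$Alias' missing from $Jks" }
if (-not ($listing | Select-String -SimpleMatch 'PrivateKeyEntry')) { throw "'$Alias' is not a PrivateKeyEntry" }
Remove-Item Env:\KS_PASS

# Step 4: connector to add inside <Service name="Catalina"> in server.xml (Tomcat 8.5 form).
# A relative certificateKeystoreFile is resolved against CATALINA_BASE, i.e. the Tomcat 8.5 folder.
$Connector = @"
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeystoreFile="conf/MyDSKeyStore.jks"
                 certificateKeystorePassword="<the password entered above>"
                 certificateKeyAlias="$Alias" />
  </SSLHostConfig>
</Connector>
"@
Write-Output $Connector

# Step 5: after restarting Tomcat, connect to the port with TLS 1.2 and classify the result:
# a time-out points at the Windows firewall or the Azure endpoint rule, a handshake error at
# the certificate (expected on https://localhost, whose name is not in the certificate).
function Test-TlsEndpoint([string]$Server, [int]$Port = 8443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(5000)) {
            return "${Server}:${Port} timed out: check the Windows firewall and the Azure endpoint/NSG rule"
        }
        $client.EndConnect($ar)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        return "${Server}:${Port} OK: $($cert.Subject), expires $($cert.NotAfter)"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the .NET method-call wrapper
        if ($ex -is [System.Security.Authentication.AuthenticationException]) {
            return "${Server}:${Port} handshake failed (name or chain problem): $($ex.Message)"
        }
        return "${Server}:${Port} connection failed: $($ex.Message)"
    } finally {
        $client.Close()
    }
}
Test-TlsEndpoint 'localhost'
Test-TlsEndpoint 'portal.example.com'
```

Two caveats worth keeping in mind with this setup: the keystore password sits in clear text in server.xml, so the Tomcat conf folder should be readable only by administrators and the account the Tomcat service runs as; and Let's Encrypt certificates are valid for 90 days, so the conversion (and a Tomcat restart) has to be repeated after every renewal, which is a good reason to script it. On the Linux side, copying the files out with sudo is preferable to chown/chmod on /etc/letsencrypt/live, which loosens the permissions protecting the private key.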
Indeed - and the fact that I don’t get anything when browsing to https://portal.example.com:8443 might suggest a firewall issue, which I will investigate further today…
Success! The Windows firewall was set up correctly, however the particular security endpoint rule for port 8443 in the Azure Portal for this server had somehow got an error in the source port range under its Advanced settings - correcting that fixed it and I now have a nice green padlock when browsing to port 8443. Now ready for the next server…