Cry for help! Windows/Tomcat/SSL/Let's Encrypt


Hello, I wonder if anybody could enlighten me on getting Tomcat to work correctly on Windows Server using a letsencrypt certificate? This is what I have so far - mostly working OK apart from the crucial part (of course)!

I have a Microsoft Azure VM running Windows Server 2012 - running really well. The VM is setup so that ports 80, 8080, 443 & 8443 are open. IIS can be accessed on the server - browsing to the default site at on port 80 (for test purposes!) works fine. After installation of a letsencrypt certificate, the IIS site can also be accessed on port 443 at with a nice green padlock in the address bar.

I installed Tomcat 8.5.8 and with the default Tomcat server.xml file, apps are available on port 8080, e.g. displays the Tomcat “success” page and displays a test app correctly.

As you might guess, I want the Tomcat apps available over SSL on port 8443 and that is where I am having problems. I believe it should be possible to use the existing letsencrypt certificate and a suitably modified Tomcat server.xml file to get this working, but no success with anything I’ve tried…in every case, connection to fails and times out…anybody got any pointers for the correct connector string in server.xml for port 8443 and the letsencrypt files?

All help gratefully received!



Did you read this?

Or more locally: How to use the certificate for Tomcat

Installing/Renewing Certificate for JIRA, in Windows

Thanks for the quick reply Osiris - I had read the official Apache howto but eventually my eyes glazed over. I hadn’t seen the second link so will look into it and report back. I am getting a message about the keystore being tampered with/wrong password in the Tomcat logs, so I will have a go at regenerating the keystore…



Progress, I think - at least I am not getting errors in the Tomcat logs any more. Here is what I did, for future reference:

  1. Installed Let’s Encrypt on a Mac in terminal app:
    git clone

  2. Generated certificate fles:
    letsencrypt-auto --agree-dev-preview --server certonly -a manual —debug

  • that gave files fullchain1.pem, cert1.pem, chain1.pem and privacy1.pem in directory /etc/letsencrypt/live/
  • I had to do chown’s and chmod’s to get to that directory and retrieve the .pem files
  1. Transferred the .pem files to the Windows Server VM

  2. On Windows command line:
    openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out fullchain_and_key.p12 -name tomcat
    [password requested: entered twice and noted - it is shown as “password_from_4” in the text below…]

  3. On Windows command line:
    keytool -importkeystore -deststorepass password_from_4 -destkeypass password_from_4 -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass password_from_4 -alias tomcat

  4. Copied the keystore file MyDSKeyStore,jks to the Tomcat conf folder, i.e. C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf in my case

  5. Edited server.xml to include the following connector entry:

  6. Restarted Tomcat service - no errors in catalina log.

Browsing to still doesn’t work, but browsing to https://localhost:8443 gives the Tomcat “success” page, albeit with a red triangle in the address bar as shown on the attached screenshot. Looks like I am on the right track, but still some things to fix!


Installing/Renewing Certificate for JIRA, in Windows

The error in the screenshot is not strange of course: you’re surfing to localhost, a hostname which isn’t in the certificate :wink:


Indeed - and the fact that I don’t get anything when browsing to might suggest a firewall issue, which I will investigate further today…


Success! The Windows firewall was set up correctly, however the particular security endpoint rule for port 8443 in the Azure Portal for this server had somehow got an error in the source port range under its Advanced settings - correcting that fixed it and I now have a nice green padlock when browsing to port 8443. Now ready for the next server…

Thanks again for your help Osiris!



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.