Installing HTTPS on Tomcat 7 with CentOS

I’m trying to get https for my domain, but I can’t figure out how to do this. The closest I got is when opening https://mydomainhere, getting the message saying my certificate is not safe.
I found and I wanted to try again, but I’m blocked for 7 days.
Question: in, I can download some .crt files (probably the ones I made, not sure how this works since I’m still a noob), but how can I install this? Even better: Can I install this in my server? If not, is there a way to unblock me so I can make this work?

I need to make this work ASAP.


Server config: Apache Tomcat 7.0.88, CentOS 7.
My domain is:
I can login to a root shell on my machine.

Bom dia @mateusscheper,

What method did you originally use to obtain your certificates? Did you use the sslforfree site or a different tool?

No, you also need the matching private key, which is the secret information that proves that the public certificate really refers to your server. The private key is not stored anywhere else; even the certificate authority doesn't know it. If you could install working certificates just based on public information available on, then anyone could set up a server to impersonate anyone else's server! The matching private key is the necessary additional information, and if you don't have it, then you can't use any of those certificates (just like someone else who doesn't know the private key can't use them).

Let's Encrypt has several different rate limits. You've reached the Duplicate Certificate rate limit, which applies when requesting multiple certificates that cover exact the same names.

This means that if you request certificates that cover an additional subdomain, they won't be blocked by this rate limit (although there is also a separate Certificates Per Registered Domain limit which you can reach if you issue too many certificates). The Duplicate Certificate limit is 5 certificates per week, while the Certificates Per Registered Domain limit is 20 certificates per week. Adding an additional subdomain to your certificates will get around the Duplicate Certificate limit, but not the Certificates Per Registered Domain limit.

We don't have any tools to reset the rate limit.

Hi, @schoen! Thanks for replying.

I’m not sure what method originated this key.jks, but it’s not
I already tried certbot-auto, letsencrypt-auto, and some others that I found on several forums around our beloved internet.

About the rate limits, Is there a way to make it just for testing? I reard about the -staging command, but I don’t remember how to use it.

If you were in my place, how would you make the https work in your server from scratch?

Since the issuance succeeded, do you have copies of any of the certificates (and private keys) that they created? Maybe the certificates are just sitting around on your hard drive but not being used by your web server?

For instance, if you use certbot certonly (or any of the other names of the Certbot client with certonly), then you obtain the certificate but don't install it, so you still have to edit web server configuration files in order to install the certificate that you've issued. (Some system administrators strongly prefer this method because they're accustomed to administering their web server primarily by editing its configuration files with a text editor.)

With Certbot you can use --staging which uses the testing server, which doesn't count against your regular rate limits. Other applications should have a similar method.

As an expert Let's Encrypt user, I would use Certbot to issue a new certificate that covers the main domain and an additional subdomain in order to circumvent the rate limit. :slight_smile:

As a novice Let's Encrypt user, I would pick one particular Let's Encrypt client application and try to make it work using that application. If it didn't work, I would immediately ask on the forum about what the problem was, explaining which Let's Encrypt client application I used, how I ran it, and what error messages, if any, I encountered. Then probably other forum users would help me debug the process. :slight_smile: If I just switched to a completely different method every time I encountered a problem, even though the certificate issuance had already taken place, I would probably quickly run into rate limits...

I'm sorry, I didn't mean to be rude. I just asked to see how an expert would work in my place.
Since I'm new on this, I thought there was only one way to do it, but later I discovered that there are several ways, so I thought I could be doing the wrong one.

I have a few ones, but I'm not sure they are the files we need.

[root@mateuscentos ~]# find / -name '*.pem'
/opt/                                                                                                                     t.pem
/opt/                                                                                                                     ns.pem
/opt/                                                                                                                     ns.pem
/opt/                                                                                                                     em
/opt/                                                                                                                     an.pem
/opt/                                                                                                                     s.pem
/opt/                                                                                                                     pem
/opt/                                                                                                                     s.pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     m
/opt/                                                                                                                     .pem
/opt/                                                                                                                     y.pem
/opt/                                                                                                                     rt.pem
/opt/                                                                                                                     y.pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     pem
/opt/                                                                                                                     m
/opt/                                                                                                                     pem
/opt/                                                                                                                     em
/opt/                                                                                                                     em
/opt/                                                                                                                     pem
/opt/                                                                                                                     .pem
/opt/                                                                                                                     pem
/opt/                                                                                                                     em
/opt/                                                                                                                     em
/opt/                                                                                                                     t-5sans_512.pem
/opt/                                                                                                                     t-san_512.pem
/opt/                                                                                                                     t_2048.pem
/opt/                                                                                                                     t_512.pem
/opt/                                                                                                                     t_512_bad.pem
/opt/                                                                                                                     t_fullchain_2048.pem
/opt/                                                                                                                     -6sans_512.pem
/opt/                                                                                                                     -nonames_512.pem
/opt/                                                                                                                     -nosans_512.pem
/opt/                                                                                                                     -san_512.pem
/opt/                                                                                                                     _512.pem
/opt/                                                                                                                     2048_key.pem
/opt/                                                                                                                     256_key.pem
/opt/                                                                                                                     512_key.pem
/opt/                                                                                                                     ple-archive/cert1.pem
/opt/                                                                                                                     ple-archive/chain1.pem
/opt/                                                                                                                     ple-archive/fullchain1.pem
/opt/                                                                                                                     ple-archive/privkey1.pem

How could we change the server.xml to include the right files?
Right now, my server.xml is this:

Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/mateusscheper/key.jks" keystorePass="passhere"
clientAuth="false" sslProtocol="TLS" />

Again, sorry if I seemed rude before.

I didn’t consider your question rude, so please don’t worry about that.

Only the files in /etc/letsencrypt/live are meant to be used directly. As your Tomcat uses a JKS keystore, you have to regenerate the keystore whenever your certificate is renewed in order to allow Tomcat to see the new certificates and keys (because Tomcat wouldn’t know to look in /etc/letsencrypt/live). If you don’t regenerate the JKS keystore, Tomcat won’t know about the renewal because the old JKS will still contain the old certificates and keys.

There are lots of threads on this forum that give advice for creating a JKS file, normally using the openssl pkcs12 command. If you have this working, you could make a shell script that exports the appropriate items in /etc/letsencrypt/live to JKS format, and then you could run this script automatically with Certbot renewals using the --deploy-hook option.

Perhaps we should write some specific documentation about this case since it appears to be relatively frequently requested.

Unfortunately, I don’t have anything in /etc/letsencrypt/live. In my other server I do, but I’m not sure it would work if I only copied the files from one server to another. There I have a file called “MyDSKeyStore.jks” that I made using this method.
I copied it to my CentOS server just to see what happens and I’m getting this message saying my certificate is not safe:

Do you have a machine on which you got a currently valid certificate using Certbot? If so, can you create the JKS file on that machine using the current versions of the files on that machine?

Also note that if you access your server as instead of, you’ll always get a certificate error from the browser, whether or not the certificate is expired, because the browser uses the hostname in the URL for checking certificate validity. Let’s Encrypt would never include as a name in any certificate, so that name could never match the certificate.

Although there are various arguments in favor of obtaining the certificate on the same machine where it's going to be used, there's nothing server-specific about certificates and keys. I believe the error that you see is just because you accessed the server under the name, which isn't a name listed in the certificate. Browsers won't accept certificates as valid unless you're accessing the server using one of the names that's specifically listed in the certificate.

However, if your old certificate was expired and the certificates that you copied are newer, you would also have to regenerate the MyDSKeyStore.jks, unless it was already updated with the most recent certificate and key data.

Ok, the certificate I had somewhere in my HD worked.

Right now, I’m using the domain and the HTTPS worked too.
I did these commands:

certbot-auto certonly

cd /etc/letsencrypt/live/

openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem

keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

nano /usr/share/apache-tomcat-7.0.88/conf/server.xml

Edited the Connector to my new keystore.jks file and password

service tomcat restart


Thank you very much for your time, Sir.
I would send you a cookie, but I still don’t know how to send objets via mail.

Btw, to renew my certificate automatically, how do I use the command ‘certbot-auto certonly’? ‘certbot-auto renew certonly’ maybe?
I was thinking about using a script to to these steps again near the end of the certificate, but I read somewhere that the certbot-auto has an option to renew automatically.

1 Like


Just run sudo certbot renew, then restart your https services.

Thank you

1 Like

You can also write a shell script to recreate the JKS file after a renewal, and then you can run that shell script from Certbot by specifying it as a --deploy-hook.

(If you restart Tomcat without also recreating the JKS file, it won’t notice the presence of the new certificates, because it only reads the JKS file.)

1 Like

Thank you, guys. I can finally move on. :grin:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.