Options for Obtaining Let's Encrypt Certificate with Apache Tomcat


#1

I'm running an Alfresco server on a local machine, but I have another server with another service running in the office that is using port 80. I'm using port 443 port forwarding in the router to use Alfresco, but without a certificate for now.
I'm trying to use Let's Encrypt to get a certificate for this machine. I tried with port 443 only, but certbot says it does not talk TLS, only HTTP. So I created a virtual host on port 81, but it didn't work.

Yes, I read about this in other posts, and certbot needs port 80. Period.

But because this is a local server and I have full access to the router and everything, maybe I can do something to automate renewal? Can you please advise me about the possibilities I have?

Thank you


#2

No, certbot does not need port 80. Period. Certbot needs either port 80, or port 443, or control over your DNS records. But if you want to use the DNS challenge, some of the alternate clients like acme.sh and dehydrated seem to have better support for automating that challenge.

The error message you got when trying port 443 indicates that your web server was misconfigured; the port 443 challenge requires your server to provide a TLS certificate matching a cryptographically-determined hostname.


#3

So I have to create a self-signed certificate, right?


#4

If you’re going to use the TLS-SNI challenge, your server needs to speak TLS on port 443, which means it needs a certificate. If you don’t already have one, then yes, you’ll need to create a self-signed certificate. Certbot will create the validation certificate used during the challenge.


#5

@danb35 thanks for your response.

I'm listening on port 443 and have the SSL engine enabled for the vhost I'm trying to create the certificate for. From your last response it's not clear to me whether I have to create the certificate manually or certbot does the job. If this is the case (certbot creates a temporary self-signed certificate), I don't know what the problem is.


#6

To use the TLS-SNI validation on port 443, your server needs to be speaking TLS on port 443. To do that, it must already have a certificate. Certbot will generate a second certificate, which it will use for validation.

And neither do we, since you haven’t given us any indication of what you’ve done this time around, or what the result was.


#7

Another way of describing this is that the temporary self-signed certificate that Certbot creates during the verification process is separate from, and additional to, the self-signed certificate that you might need for your web server to speak HTTPS on port 443 in the first place.


#8

Thank you for the clarification @schoen. The problem here is I have an Apache redirection using mod_jk to use Tomcat on port 443 with a valid cert. If I'm trying to use this port for this and port 80 is used by the other server, the only way is disabling the redirection every time I have to renew the certificate. Is that right?


#9

I’m afraid I didn’t quite understand your setup from what you wrote.

Redirection at the HTTP level is no problem if the server that’s the target of the redirection can be made to serve files out of a directory; then you can use --webroot. If that’s not your situation, maybe you could try describing it one more time, in terms of which machines exist, what software each one runs, and what happens when an inbound connection comes in on either port 80 or port 443.


#10

Sorry, I read my answers again and really I didn't explain the thing very well. Thanks for your patience.

This is a LAN in my office; our ISP provides us a free static public IP, so we installed two servers. One server is running some ERP software and needs to be listening on port 80. I did a port forwarding (NAT) in the router and configured a subdomain to point to the office IP. This has been working for some time and we can't change the port for this service now.

The second server is what I'm trying to configure now. I want to create an Alfresco server. Alfresco uses Tomcat (ports 8080 and 8443 by default), but I can't use Tomcat with a Let's Encrypt certificate (I think) without using a web server like Apache or nginx. So I'm trying to do a redirection (maybe it's not called a redirection) from the Apache server listening on port 443 to Tomcat using mod_jk (I also have a port forwarding set up in the router for this).

I don't know the details about this communication between both servers, Tomcat and Apache. But I think if this kind of redirection is working, the server cannot be validated since Tomcat doesn't serve a directory.

So I think I have to disable this kind of redirection to temporarily serve a directory and do the challenge using port 443. When the certificate renewal is complete I can enable the redirection to Tomcat again. Is this right? Maybe there is another way to automate this that I don't know.

I really appreciate your help.


#11

Hi @borjaevo,

Thanks for the more detailed description of your setup. People have succeeded in using Let’s Encrypt directly with Tomcat servers before, but I agree that it would be difficult to use the Tomcat server to obtain the certificate in this particular configuration.

So, here are three options:

  • If you administer the server with the ERP software and it has a web server of some kind whose configuration you can affect, you could make it redirect http://example.com/.well-known/acme-challenge/ to some other port (which will actually be answered by the Alfresco machine). This will allow you to pass the HTTP-01 challenge on the Alfresco machine, because the certificate authority will follow the redirection and so retry the request on the other port. You don’t have to change or disable anything else on the ERP software machine, and the existence of this redirection shouldn’t interfere with the existing application there.

  • If you can temporarily shut down Tomcat (probably for about 20 seconds at a time) while obtaining the certificate, the --standalone method in Certbot should be able to obtain the certificate. There are features called --pre-hook and --post-hook which you can use to add commands to stop and then restart Tomcat. This does produce an outage every time the certificate needs to be renewed, but probably a rather brief outage.

  • If you can control the DNS zone for your domain, ideally via a DNS provider API, and add new DNS entries into your zone, then you can perform the validation through DNS. The acme.sh client has the broadest range of support for this option overall.

Hopefully one of these methods will work for you. I’m sure people here can offer more suggestions if you need help with any of them.
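As an added illustration of the first option (example configuration, not something posted in this thread), here is how the two Apache hosts could be laid out, assuming the ERP machine also runs Apache and that on the Alfresco machine Apache sits in front of Tomcat via mod_jk; hostnames, paths and the worker name are placeholders. Since Let's Encrypt's validator only follows redirects to ports 80 and 443, the redirect targets the Alfresco host's already-forwarded port 443, and a JkUnMount keeps that one path out of Tomcat so nothing has to be disabled at renewal time.

```apache
# Added example, not from this thread. Hostnames, paths and the worker name are placeholders.
#
# (1) ERP machine, Apache on port 80: a vhost answering for the Alfresco name that
#     hands off only the ACME path. Let's Encrypt follows redirects to ports 80/443 only,
#     so the target is the Alfresco host's forwarded port 443, not an arbitrary port.
<VirtualHost *:80>
    ServerName alfresco.example.com
    Redirect 301 /.well-known/acme-challenge/ https://alfresco.example.com/.well-known/acme-challenge/
</VirtualHost>

# (2) Alfresco machine, Apache on port 443 in front of Tomcat via mod_jk.
#     Apache serves the ACME path from a static webroot; everything else goes to Tomcat.
<VirtualHost *:443>
    ServerName alfresco.example.com
    SSLEngine on
    # Until the first issuance these must point at the existing (self-signed) cert;
    # afterwards switch them to the certbot-managed files shown here.
    SSLCertificateFile    /etc/letsencrypt/live/alfresco.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/alfresco.example.com/privkey.pem

    DocumentRoot /var/www/acme
    <Directory "/var/www/acme/.well-known/acme-challenge">
        Require all granted
    </Directory>

    JkMount   /* ajp13_worker
    # Keep this one path out of Tomcat so Apache can serve the challenge token itself.
    JkUnMount /.well-known/acme-challenge/* ajp13_worker
</VirtualHost>

# (3) On the Alfresco machine, issue and later renew without touching Tomcat:
#   certbot certonly --webroot -w /var/www/acme -d alfresco.example.com \
#       --deploy-hook "systemctl reload apache2"
```

The validator does not check the certificate presented on the https redirect target, so the existing self-signed certificate on port 443 is enough for the first issuance.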


#12

Also, hopefully people don’t currently have to log into the ERP system over insecure HTTP! If they do, maybe you can look into proxying that machine with your new Tomcat server.


#13

I'm gonna try your first option. Not sure how to do it, but I will do some research. Thanks!


#14

And certbot will use a separate, custom and temporary virtualhost configuration file for that purpose. So the only thing required is the possibility for Apache to do TLS (i.e., installed mod_ssl). Therefore, there’s no need to configure a virtualhost with a self-signed certificate.


#15

Ah, thanks for the clarification.

