Secure WebSockets with Tomcat Servers


I put ssl certified in my system and requests for HTTPS are working very well, but i cant use secure websocket (ex: wss:// , it works only when I don’t use secure web socket (ws://). Are there some configurations to do to make lets encrypt allow me to use wss:// to call my websockets?


You could configure your web server to proxy web sockets. Modern versions of both Apache and Nginx are capable of doing so. Certbot can then automatically handle SSL for your websockets the same way it does for your HTTP connections.

If you don’t want to proxy websocket connections with your web server, you would need to manually configure your websocket server to listen for SSL and point it at your certificate and private key located in /etc/letsencrypt/live/

Thank you for your answer!

First I want to try manual configuration.

So, in my folder “/.letsencrypt/live/” (there isn’t a folder called live in my etc folder) there are 6 files, .ca, .crt, .csr, .key, *ca_.der and *cert_.der, which one do I need to use in my configuration? Is the .key?

I’m using tomcat, so i searched about configure ssl on tomcat, and I found this:

But I didn’t understand what i need to put in keystoreFile and keyPass.

Can you help me?

For Java things you have to make a JKS or a PKCS12 file.

To make the latter with certbot you run:

openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:not_so_secret

And automatically in a renew hook afterward if you’d like.

ETA: But your file structure suggests you’re using a different client than the recommended default.
Which is fine (so do I) but I have no idea what yours calls its files because even mine uses the same names as certbot. :wink:

How can i create jks file? With these comands? But where do I need to run these commands? In linux? I don’t have access in linux console in the server, just my serv files and flders by ftp. Sorry, but I’m not good in this kind of configurations.

And after create this .jks file, what do i have to put in passKey?

So your host gets your certificates from Let’s Encrypt for you? It’s kind of hard to automate then. That’s important because it will need to be done at least every three months.

If you can configure and restart tomcat you must be able to run openssl somehow though, if nothing else every time tomcat is started.

Yes, i can run and restart the tomcat. And, yes, my host gets the certificated for me. I just need to press a button each three months. But they does not configure the web socket to use lets encrypt, so i need to configure by myself.

But the problem is that i don’t have idea how to do that. Thats because i asked you how to create jks file and what i have to put in pass key.

Can you help me?

I was just suggesting that editing the tomcat start script so that it generated the keystore every time you started tomcat might be easier than doing it manually every three months.

The passphrase is anything you want it to be, just make it the same in both places.

I found a tutorial about JKS files on our forum here:

Someone more familiar with that method would have to help you with that if you run into trouble. Perhaps if you change your thread title to reference tomcat a Java expert might notice.

I’m far from a Java expert, so for the two tomcat servers and one jetty server I’m forced to administer, I just use openssl to generate PKCS#12 files as described in my earlier comment. Tomcat accepts these as a keystore format in addition to JKS, and they also work with Microsoft IIS so it’s one less command I have to remember.

Hi @Waazeved and @Patches

WebSockets are a protocol outside of HTTP/HTTPS

They are their own protocol in Tomcat configurations and you use a separate configuration stanza (apart from your normal HTTPS) to configure them


Both of you were very close



1 Like

My web socket connector in tomcat is this way:

<Connector port="5194" protocol="HTTP/1.1"
           redirectPort="5193" />

Https works fine to my system, but I didin’t find a connector with ssl configuration in my tomcat.
Is there any way to meke this web socket connector to point to ssl already configured to HTTPS ?

hi @Waazeved

Did you read the links above carefully?

I am sorry if it seems that I am being difficult - however I want you to understand what the plan of attack is so you can focus on the right areas.

You already have the JKS I assume so the next step is to setup your code in the correct way.

Some more pointers


Thank you for your answer. I will see this video and read again the links.

But the problem is that theres isn’t a .jks file in my server.

And I saw your “Tutorial - Java KeyStores (JKS) With Let’s Encrypt”, I created the files .JKS and .CSR, but I don’t have access in server’s console to execute the procedures about Certbot-Production.

byte[] certBytes = parseDERFromPEM( getBytes( new File( pathname + File.separator + "cert.pem" ) ), "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----" );
			byte[] keyBytes = parseDERFromPEM( getBytes( new File( pathname + File.separator + "privkey.pem" ) ), "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----" );

I understood the example you gave me, and I have 2 files “.der” in my server, but the problem is that I dont´t have the KEY and I don’t have permission to execute comands in server’s console.

Is there some way to create these files in my computer and after upload to my server somewhere? I ask this because I saw that Certbot-Production nees to be run in the server. Sorry, but I’m lost in this part.

Unfortunately, it is impossible to use a certificate on any server without the private key. Anyone on the Internet can find and download your certificate if they wanted, as it is necessary for them to securely transmit data to your server. It is the private key that enables you to negotiate connections with and securely transmit data to clients on the Internet.

If your hosting provider does not make the private key available to you, the best option for you in this situation would be to engage your web hosting provider’s support about setting up their web server to proxy your websockets for you. (It might be as easy as dropping an .htaccess file in your web directory, but only they would know whether they support this or not.)

Otherwise, you would have to create a new certificate that you do have the private key for to use for this purpose, which is difficult to do with Let’s Encrypt without shell access to the server.

So, if your webhost is unwilling or unable to make the private key accessible or set up their web server to proxy websockets, you would either need to purchase a certificate from a commercial CA or seek out a more flexible hosting provider.

hi @Waazeved

Just so you are aware, I am not going to provide anymore input on this thread.

The “challenge” you have of not being able to create the JKS on the server is solvable.

Instead of trying to present options (i have SFTP access to the server will that help), you seem to hope others will help you out (which we have done to a point).



I’ve tried asking for the key and password or shell access to my webhost, but they are not willing to help me. I will try to find a more flexible hosting provider.

Thank you for trying to understand my problem and your polite answer.

btw i plan to do this as a tutorial but will be using NGINX with websockets


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.