Tomcat is lost after adding letsencrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stockdiv.com

I ran this command (in server.xml)

<Server port="8005" shutdown="SHUTDOWN">

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" connectionTimeout="1000000"
           scheme="HTTPS" sslProtocol="TLS" secure="true">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>

It produced this output:
www.example.com:8080 to show tomcat manager is not loading at all.

Trying to shutdown tomcat fails for: SEVERE: Could not contact [localhost:8005] (base port [8005] and offset [0]). Tomcat may not be running.

After starting tomcat, I can’t really find it in the list of processes (ps -ef | grep '[t]omcat').

And eventually, I have no idea how to make it work without the port.

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
VPS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

1 Like

Hi @amoss

I don't use Tomcat. But if nothing works: perhaps your XML file is invalid, not a well-formed XML file.

Open the xml file in your browser - then you see the content - or you see a validation error.

1 Like

Thanks, the XML looks valid and opens up completely with no problem

When starting tomcat it says it is started, but I can’t find it in the running processes; maybe I’m doing something wrong with the search.

2 Likes

After changing server.xml back to

<Connector port="8080" protocol="HTTP/1.1" maxThreads="150"
           connectionTimeout="1000000" />

manager and war are back (the war works only with HTTP on port 8080)

2 Likes

Update, the following

<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200" connectionTimeout="1000000"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/letsencrypt/live/stockdiv.com/bundle.pfx" keystorePass="apassword"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

brings me to the manager and the war using :8443. How is it possible to omit the port when accessing the war? As in https://domain:8443 for the manager and https://domain/mywar for the war?

One more related thing: I've used this solution (that works): "Using let's encrypt with tomcat". I understand that I need to renew it every 3 months; is there a way to automate this?

Thanks

2 Likes

There are some users with such automations.

Normally two different steps:

  • Certbot with certonly to create a certificate (via a cron job; certbot checks daily and renews the certificate if it is valid for at most 30 more days)
  • an individual solution to create a certificate Tomcat is able to use.

But there are a lot of different Tomcat installations.

You can use the --deploy-hook of Certbot

https://certbot.eff.org/docs/using.html

to start such a script. Or check the Tomcat documentation. Sometimes there are newer solutions (better than old topics from 2016 / 2017).

1 Like

I must say that I’m new to linux/ubuntu so I don’t know a lot of things so please bear with me :slight_smile:

If I understand correctly, the pem files can be automated by certbot, but there should be another step for generating the pfx file out of the pem files. Am I right? If not, please correct me; if I am, how can I automate this step?

Yes, that's the problem. Apache/nginx can use the pem files directly. Other software -> additional steps are required.

Different Tomcats, different solutions. That's the problem. There should be a tool to convert the private key and the pem -> run this with the correct files.

The overall mechanism that Certbot (which you're using to request the certificates) offers to handle this case is the "deploy-hook", which @JuergenAuer mentioned before. This is a feature where you can tell Certbot to run another program, normally a script that you wrote, after an updated certificate was successfully obtained.

This script would presumably run one of the PFX-creating recipes that people have come up with to create the new PFX file from the PEM files, and then it might perform some action to tell Tomcat to reload the certificate.

If you use a deploy-hook, Certbot will run this script automatically after renewals, so renewals can then be fully automated.

But so far, we don't have any official recommendation about what would go into the script. You could try doing the process manually yourself and write down all of the commands that you need to run, and then putting those into a script. :slight_smile:

In Unix you can create your own commands called shell scripts by putting a list of commands into a text file (similar to batch files on DOS, in case you've used those). There are lots of other ways that shell scripts can be made into a complete programming environment in their own right, but the basic form is just a list of commands, one command per line, which will then get run in order when the shell script is run. The shell script should normally begin with the special line

#!/bin/sh

(which indicates that it is a shell script as opposed to some other kind of executable text file), and be marked executable in the filesystem using a command like chmod +x.

1 Like

I might be wrong here but the first step is to create the pem files:
certbot certonly --standalone -d foo.example.com

The second step is to generate the PFX out of those files:
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:apassword

So basically I need a script file that will run both commands after Virtualmin (which I’m using) runs its renewal process (every 2 months), right? That leads me to 2 questions:

  1. I remember the --standalone caused a problem and I needed to shut down something to make this work; the problem: I don’t remember what it was :slight_smile:
  2. How can I know when Virtualmin ran its stuff? Maybe I can add my commands into its script?

Thanks

1 Like
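The deploy-hook approach described above (a script run by Certbot after a successful renewal that converts the PEM files into a PFX and restarts Tomcat) and the two-step recipe (certonly, then openssl pkcs12 -export) can be put together as one script. What follows is an added example, not a script from this thread or from the Certbot or Tomcat projects. It assumes Tomcat is the systemd unit "tomcat" running as user "tomcat", that server.xml points keystoreFile at /etc/tomcat/bundle.pfx, and that the keystore password lives in the root-only file /etc/tomcat/keystore-pass. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks; the pre-hook/post-hook flags in the header comment are the ones mentioned later in the thread for freeing port 80 during --standalone validation.

```sh
#!/bin/sh
# tomcat-deploy-hook.sh: an added example, not a script from this thread or
# from the Certbot/Tomcat projects. Rebuilds Tomcat's PKCS12 keystore from the
# renewed PEM files and restarts Tomcat, so "certbot renew" can run it as
#   certbot renew --deploy-hook /usr/local/sbin/tomcat-deploy-hook.sh
# If certbot must use --standalone while another service holds port 80,
#   --pre-hook 'systemctl stop tomcat' --post-hook 'systemctl start tomcat'
# free and reclaim the port around the validation.
# Assumptions (mine): Tomcat is the systemd unit "tomcat" running as user
# "tomcat", server.xml points keystoreFile at /etc/tomcat/bundle.pfx, and the
# keystore password is in the root-only file /etc/tomcat/keystore-pass.
set -e

TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
PASS_FILE="${PASS_FILE:-/etc/tomcat/keystore-pass}"
# /etc/letsencrypt/live is normally readable by root only, so the bundle is
# written somewhere the Tomcat user can read instead.
PFX_OUT="${PFX_OUT:-/etc/tomcat/bundle.pfx}"

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/stockdiv.com)
# to deploy hooks; fall back to the standard layout when run by hand.
live_dir() {
    printf '%s\n' "${RENEWED_LINEAGE:-/etc/letsencrypt/live/$1}"
}

# Print the PEM files certbot should have written that are missing or
# unreadable; empty output means all three are present.
missing_pem_files() {
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$1/$f" ] || printf '%s\n' "$f"
    done
}

# The password file replaces "-password pass:apassword" on the command line,
# which would expose the password in ps and shell history; insist that it is
# readable by its owner only (mode 600 or 400).
check_pass_file() {
    [ -r "$1" ] || { echo "password file $1 is missing" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $1 must be mode 600, is $mode" >&2; return 1 ;;
    esac
}

# Convert the PEM files to the PKCS12 bundle Tomcat uses as keystoreFile.
make_pfx() {
    src="$1"; out="$2"; pass_file="$3"
    missing=$(missing_pem_files "$src")
    if [ -n "$missing" ]; then
        echo "missing in $src:" $missing >&2
        return 1
    fi
    # Subshell: the bundle holds the private key, so create it owner-only
    # without leaking the umask into the rest of the hook.
    ( umask 077 && openssl pkcs12 -export \
          -inkey "$src/privkey.pem" -in "$src/cert.pem" \
          -certfile "$src/chain.pem" \
          -passout "file:$pass_file" -out "$out" )
}

deploy_hook() {
    src=$(live_dir "${1:-${RENEWED_DOMAINS%% *}}")
    check_pass_file "$PASS_FILE"
    make_pfx "$src" "$PFX_OUT" "$PASS_FILE"
    chown root:"$TOMCAT_USER" "$PFX_OUT"
    chmod 640 "$PFX_OUT"
    # Tomcat reads the keystore at startup, so restart it to load the new one.
    systemctl restart "$TOMCAT_UNIT"
    echo "installed $PFX_OUT from $src and restarted $TOMCAT_UNIT"
}

# Run the hook only when invoked under the script's own name; sourcing the
# file just defines the functions.
case "$0" in
    */tomcat-deploy-hook.sh|tomcat-deploy-hook.sh) deploy_hook "$@" ;;
esac
```

Run by hand once as root with the domain as the argument (tomcat-deploy-hook.sh stockdiv.com) to confirm the bundle is produced and Tomcat comes back on 8443; after that, certbot renew --deploy-hook ... repeats the same steps on every renewal. Keeping the password in a 600 file rather than in -password pass:... is the one deliberate departure from the openssl line quoted in the thread.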

Is Virtualmin using certbot renew?

It could be Tomcat. You can check with ss -ltp what program is listening to port 80 (which --standalone would need in order to prove your control of the domain).

With Certbot, you can also specify pre-hooks and post-hooks which are other scripts that will be run in order to (for example) shut down and restart other processes.

I have no idea how virtualmin renews the certs.

Assuming it was tomcat (or any other service, for that matter), I could just add its stop and start to the script, no? The question is: am I making sense with what I have written?

1 Like

Yes, that makes sense.

1 Like

I’ll ask the Virtualmin community how to do that, but in the meantime I’ll go back to my original question: can I work with Let's Encrypt without using port 8443 explicitly?

That's not a question of a certificate, it's a question of your application.

To create a certificate, you must (with http-validation) use port 80, perhaps a redirect to port 443.

But you can use the certificate with every port you want.

So check your application if it is possible to run that service on port 443. But then you need something like a switch in your application framework: "Go to the website" vs. "Go to that Connector".

1 Like

And how can I make such a switch?
At the moment:
https://example.com goes to my domain
https://example.com:8443 goes to tomcat’s manager
https://example.com:8443/mywar goes to my war

I guess that if I change the connector to 443 instead of 443, as you said, I will lose one of them. If this is not the right forum, please let me know where this kind of question can be asked :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.