My organization has a web application written in Java that is hosted on Apache Tomcat (8.5.35) on an Ubuntu 18.04 server. The web application is not a website; it’s a RESTful API. I am working on HTTPS-enabling it and someone suggested Let’s Encrypt. I had previously HTTPS-enabled it with a self-signed cert, but it does throw warnings that we would like to avoid if possible. I am somewhat new to the world of encryption in web technology; however, with the self-signed cert I was able to add the cert to a Java Keystore and reference that keystore in the server.xml file, and it worked.
Looking through the Getting Started guide with Let’s Encrypt I see it mention virtual hosts and domain names, both of which I am not really sure we have. The server our solution is hosted on is meant to be within the intranet of a customer site behind a firewall. It will be referenced directly by an IP address and so I’m not really sure what the domain would be. In addition we are not using virtual hosts within apache.
So my question is, can we use Let’s Encrypt to HTTPS-enable our web application? Can I get the certificate and import it into the Java Keystore like I did the self-signed one, or is there another way? Can I use Certbot to maintain the cert, or is that option not available in an implementation like this? I would be super grateful for any suggestions or help. I did search the forum and I didn’t see another question quite like this. Apologies if this topic has come up before.
For (1), my usual recommendation is to put Nginx, Apache, or Caddy in front of your Tomcat app as a reverse proxy. That way those web servers can handle incoming traffic, offer up the certificate, and pass traffic along to your app. You can also use off-the-shelf tools like Certbot to issue and renew your certificates. This is nicer than trying to set up Java to handle the incoming HTTPS requests directly, because (a) it’s a little challenging to get certificates into the format Java wants, and (b) web servers tend to have better default settings for handling traffic that misbehaves (either intentionally or by accident). For instance, they will generally time out connections, and limit the maximum sizes of requests.
For (2), Let’s Encrypt will only issue for domain names in the public DNS. So if the hosts where you deploy your app don’t have domain names on the public Internet, Let’s Encrypt won’t issue certificates for them. However, if they do have domain names on the public Internet, but just aren’t accessible from the Internet, you can use the DNS-01 challenge to issue certificates for them. Note that if you are planning for customers to deploy this behind their firewall this may be somewhat challenging.
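The reverse-proxy layout described in the answer above, written out as an added example (this is not configuration from the original thread or from the Let’s Encrypt project). It assumes the server has a public DNS name, api.corp.example.com, for which Certbot has obtained a certificate via the DNS-01 challenge and placed the files under its default /etc/letsencrypt/live/<name>/ directory, and that Tomcat listens on plain HTTP at 127.0.0.1:8080. Nginx terminates TLS, applies the request-size and timeout limits the answer refers to, and forwards traffic to Tomcat:

```nginx
# Added example, not from the original thread: Nginx terminating TLS in front of Tomcat.
# Assumed names: host api.corp.example.com, Tomcat on 127.0.0.1:8080,
# certificate files in Certbot's default live/ directory.

server {
    # Plain HTTP only redirects to HTTPS; nothing else is served on port 80.
    listen 80;
    server_name api.corp.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name api.corp.example.com;

    # Certbot writes fullchain.pem (leaf + intermediate) and the private key here.
    ssl_certificate     /etc/letsencrypt/live/api.corp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.corp.example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Bounds on misbehaving clients: cap request size and how long a client may dawdle.
    client_max_body_size   1m;
    client_body_timeout    10s;
    client_header_timeout  10s;
    keepalive_timeout      15s;
    send_timeout           10s;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;

        # Pass the original host, client address and scheme so Tomcat's
        # redirects and access logs reflect the HTTPS front end, not the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats go with this layout. Tomcat’s HTTP connector should bind to 127.0.0.1 only (the `address` attribute on the Connector in server.xml), otherwise a client on the intranet can reach port 8080 directly and bypass TLS; and the X-Forwarded-* headers should be trusted only from the proxy, which Tomcat handles with RemoteIpValve. Because the certificate files live on disk rather than in a keystore, Certbot’s renewal needs no conversion step; a `--deploy-hook` that reloads Nginx is enough to pick up the new certificate.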