Using Let's Encrypt with Tomcat


#1

So I need to install SSL on Tomcat, and with self-signed certificates we get a "not secure" message. I tried to get SSL working with the PEM keys from Let’s Encrypt that I have on my website, so is there a way to get your CA working on Tomcat too?


#2

Tomcat uses either Java keystore files or pfx files. Personally, I find the latter easier to deal with, but if you prefer to use Java keystore files, there is a guide here.

To generate a PFX file, with certificates already issued by certbot:

cd /etc/letsencrypt/live/yourdomain.com
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:apassword

You can also do this in a renew hook so you don’t have to do it manually every three months.

Then, configure Tomcat to use it, e.g.:

<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/letsencrypt/live/yourdomain.com/bundle.pfx" keystorePass="apassword"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

If you don’t have a certificate yet and Tomcat is listening on port 80, you can obtain one with the http-01 verification method, e.g.

sudo certbot certonly --webroot -w /path/to/tomcat/webapps -d yourdomain.com -d www.yourdomain.com

EDIT: I updated the Tomcat configuration with sahsanu’s advice downthread.
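As an added example that is not part of the thread, here is one way to do the "renew hook" step above: a certbot deploy hook that rebuilds the PFX after each renewal, checks it opens with the password that will go into keystorePass, and writes it where the Tomcat user can read it (the two failures seen later in this thread). The service and user name "tomcat", the /etc/tomcat paths and the password file are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that rebuilds the
# PKCS12 bundle for Tomcat after each successful renewal. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/tomcat-pfx.sh and make it executable.
# Assumptions: service and user are both named "tomcat", the export password
# sits in a root-only file, and the bundle lives under /etc/tomcat/ssl.
set -eu

TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"
PASS_FILE="${PASS_FILE:-/etc/tomcat/pfx-password}"   # chmod 0600, owner root
OUT_DIR="${OUT_DIR:-/etc/tomcat/ssl}"

# Pack certbot's three PEM files into one PKCS12 file.
# $1 = lineage dir (/etc/letsencrypt/live/<name>), $2 = output path, $3 = password
build_pfx() {
    openssl pkcs12 -export \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
        -out "$2" -passout "pass:$3"
}

# Prove the bundle opens with the password that will go into keystorePass,
# so a mismatch fails here instead of at Tomcat startup. $1 = pfx, $2 = password
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout
}

# Make the file readable by the Tomcat user without loosening /etc/letsencrypt:
# Tomcat reading live/ directly is what produces "Permission denied" at startup.
install_pfx() {
    chown "root:$TOMCAT_USER" "$1"
    chmod 0640 "$1"
}

main() {
    # certbot exports RENEWED_LINEAGE to deploy hooks; it names the renewed live/ dir
    lineage="${RENEWED_LINEAGE:?must be run by certbot as a deploy hook}"
    name=$(basename "$lineage")
    password=$(cat "$PASS_FILE")
    mkdir -p "$OUT_DIR"
    tmp="$OUT_DIR/$name.pfx.tmp"
    build_pfx "$lineage" "$tmp" "$password"
    verify_pfx "$tmp" "$password"
    install_pfx "$tmp"
    mv -f "$tmp" "$OUT_DIR/$name.pfx"   # atomic swap: Tomcat never sees a partial file
    systemctl restart "$TOMCAT_SERVICE"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Point keystoreFile at /etc/tomcat/ssl/<name>.pfx with keystoreType="PKCS12" in the Connector. If an older JDK still reports "Invalid keystore format" for a bundle built by OpenSSL 3, add -legacy to the openssl pkcs12 -export call.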


#3

Hello, I tried this solution but the website won’t launch. Then I tried to follow the guide, but when I try to connect with
TXT records it won’t work, and I reached the limit. Any other solution?


#4

Please paste the contents of your catalina.out log file so we can figure out what went wrong.

If you’ve reached the limit you have at least five valid certificates on your local machine, so please make sure you don’t delete any certificates from /etc/letsencrypt so you are not stuck for a week.


#5

This is the catalina.out:

Aug 29, 2017 8:57:19 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
… 12 more
Caused by: java.io.FileNotFoundException: /etc/letsencrypt/live/famousgadget.pt/bundle.pfx (Permission denied)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:146)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:490)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:423)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:974)
… 13 more

Aug 29, 2017 8:57:19 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2371 ms
Aug 29, 2017 8:57:19 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Aug 29, 2017 8:57:19 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.28
Aug 29, 2017 8:57:19 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/birt-viewertest
Aug 29, 2017 8:57:21 AM org.apache.catalina.startup.TaglibUriRule body
INFO: TLD skipped. URI: http://www.eclipse.org/birt/taglibs/birt.tld is already defined
Aug 29, 2017 8:57:30 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/birt-runtime-4_4_1
Aug 29, 2017 8:57:31 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/JavaBridge
Aug 29, 2017 8:57:33 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Aug 29, 2017 8:57:33 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8082"]
Aug 29, 2017 8:57:33 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 13837 ms


#6

The user Tomcat is running as does not have access to the pfx file. You could copy it to the Tomcat directory or set an ACL granting the appropriate user account access.


#7

I did it, now I get the following log:

Aug 31, 2017 8:20:49 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/.well-known
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8082"]
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-nio-8443"]
Aug 31, 2017 8:25:43 AM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina
Aug 31, 2017 8:25:43 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: The web application [/JavaBridge] appears to have started a thread named [JavaBridgeFastCGIRunner] but has failed to stop it. This is very likely to create a memory leak.
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-bio-8082"]
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol destroy
INFO: Destroying ProtocolHandler ["http-bio-8082"]
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-nio-8443"]
Aug 31, 2017 8:25:43 AM org.apache.coyote.AbstractProtocol destroy
INFO: Destroying ProtocolHandler ["http-nio-8443"]
Aug 31, 2017 8:25:47 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8082"]
Aug 31, 2017 8:25:47 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8443"]
Aug 31, 2017 8:25:47 AM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:490)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:423)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:974)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)

Aug 31, 2017 8:25:47 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
… 12 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:490)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:423)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:974)
… 13 more

Aug 31, 2017 8:25:47 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2204 ms
Aug 31, 2017 8:25:47 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Aug 31, 2017 8:25:47 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.28
Aug 31, 2017 8:25:47 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/birt-viewertest
Aug 31, 2017 8:25:49 AM org.apache.catalina.startup.TaglibUriRule body
INFO: TLD skipped. URI: http://www.eclipse.org/birt/taglibs/birt.tld is already defined
Aug 31, 2017 8:25:56 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/birt-runtime-4_4_1
Aug 31, 2017 8:25:58 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/.well-known
Aug 31, 2017 8:25:59 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/JavaBridge
Aug 31, 2017 8:26:00 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Aug 31, 2017 8:26:00 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8082"]
Aug 31, 2017 8:26:01 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 13275 ms


#8

Do you have keystoreType="JKS" or so in your <Connector>?

If so, change it to PKCS12 or remove the attribute completely and it will autodetect it.

[I deleted this because I could totally believe @sahsanu that it was required, but then I remembered that I switched my UniFi controller from JKS to PKCS12 without touching its Tomcat configuration, so maybe it depends on the Tomcat version? At any rate, being explicit won’t hurt, so do what he says.]


#9

Hi @horus.developer,

Following @Patches’ example conf, try to add keystoreType="PKCS12" to the conf and try again.

<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreType="PKCS12" keystoreFile="/etc/letsencrypt/live/yourdomain.com/bundle.pfx" keystorePass="apassword"
           clientAuth="false" sslProtocol="TLS"/>

Cheers,
sahsanu


#10

Hello all!
Thank you very much!! It’s working!

Have a nice day!

