Using let's encrypt with tomcat

Tomcat uses either Java keystore files or pfx files. Personally, I find the latter easier to deal with, but if you prefer to use Java keystore files, there is a guide here.

To generate a PFX file, with certificates already issued by certbot:

cd /etc/letsencrypt/live/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:apassword

You can also do this in a renew hook too so you don’t have to do it manually every three months.

Then, configure tomcat to use it, e.g.:

           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/letsencrypt/live/" keystorePass="apassword"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

If you don’t have a certificate yet and tomcat is listening on port 80, you can obtain one with the http-01 verification method, e.g.

sudo certbot certonly --webroot -w /path/to/tomcat/webapps -d -d

EDIT: I updated the tomcat configuration with sahsanu’s advice downthread.

1 Like