tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tutorial: Configure Tomcat with HTTPS/SSL on Ubuntu 16.04 LTS (Xenial) using Letsencrypt
Date Tue, 04 Oct 2016 21:19:00 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mladen,

On 9/30/16 10:34 AM, Mladen Adamović wrote:
> Hi all,
> 
> I'm running 3 servers with Tomcat (migrated from Glassfish which is
> not maintained well imo). But documentation is kind of not the best
> for configuring HTTPS/SSL.
> 
> I've written my own tutorial how to do that using Letsencrypt and
> Tomcat native: 
> https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-
ssl-on-ubuntu-minimal/
>
>  As you can notice from the tutorial: - I'm running 8.5.5 from
> website (not prepackaged with comes with Ubuntu) - run Tomcat as
> non-root user and do ip tables forwarding because of that -
> implemented my own ACME support for Letsencrypt (it's easy)
> 
> I'm using it for my own purposes, but if people have suggestions to
> improve it, I'd be happy to consider it.
> 
> I hope it will be useful to other people as well.

Thanks for doing this guide. I'm mostly interested in the Let's
Encrypt part, because everything else is very straightforward IMO. I
have some comments about the LE stuff.

First, this is a bad idea:

chmod o+rx /etc/letsencrypt
chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/archive/online-utility.org
chmod o+rx /etc/letsencrypt/live

That gives world-readable access to your server's private keys. There
are better ways to allow the Tomcat user to read these certificates.
For example, on my server, the /etc/letsencrypt/archive directory and
contents are group-owned by a group called "ssl-cert". It's better to
add the Tomcat user to the ssl-cert group than to open the certs and
keys to the whole world.

Second, the ACME servlet doesn't need to be mounted on /* -- you can
just as easily mount it on /.well-known/acme/*. Better yet, just
configure the <Context> to contain some <PreResources> that mounts a
special directory
(/tmp/letsencrypt/public_html/.well-known/acme-challenge/ in your
example) into the URL space of the application. Less code = less
opportunities for errors.

Better even still, package a web application called ".well-known" with
the complete configuration necessary. Then all that is required is to
drop the WAR file into Tomcat's auto-deploy directory
(CATALINA_HOME/webapps) and allow LE to authentication your control
over the server.

Third, I haven't spent much time with LE yet, but I believe you can
simply "renew" your cert instead of requesting a new one:

$ /path/to/certbot renew

This will perform the steps for renewal that were originally oser to
obtain the certificate. So, I believe, if you used the "certonly"
plugin, then it will again only use the "certonly" plugin. Similarly,
if you use the "webroot" plugin, it will be used again. For Tomcat,
you might have to adjust the caching configuration to get it to work
properly.

I for one am interested in getting official support for Tomcat into
the command-line tools for Let's Encrypt. I tried to understand how
certbot works, but it's clear that I'd need a curated guide to
building a new plug-in for Tomcat. When I have some time (ha ha), I'll
reach-out to the LE folks to see what it would take.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX9BzDAAoJEBzwKT+lPKRYbzUP/1ig3YzkHtomMXSWKBKzB8Bm
Awmw4cip3WmbOif0psALGGOpMWMBNtiHNgJjzB+uZRLIB0f/czw26BR+hhK4wVnS
gyduMklYZk3V16ukcPGVaf7Cw8JEJVpvXyTr4mOMrPULUatAla/yfbN3mR/cuyee
M+p/AiKjm1OOtLlrokKKpfTKrWqYSs9I6+aPOAD67gkPyz8AA+CkvzvbPqBosfHi
vScx4eUFVKkshjyWhE6NOmQn2zrSiK9t5K+Zl0UyKZxzu6DmbF+3UmDuNxcZ3LlU
h4va4xkNxzBzuaJ4y50eS4IrhfiVR6fq+ESdkzCkvzFCyU/s1pESxFKOVdVLV1Fe
9v1N6KAVYzuOOuZ7R7kaNFZ30sbDRK1WdZek+NaCtGro828Ql+D18xIdZ6px/JVY
HVsjdoNDvG/XsVqEDuAYvMd6FBuz/X7NWk+z56bSqrkcKw/caP/masyyIo6D6I91
KpWcc/bQl1L6Y+xTeH8y2L03DFfLxQyTCZKEdJpG34P5JWr3bLvUJK5mZGA/pJAL
9r/GShgwRizpdJY681tlJ5ikS7Mnp/oSbbeaw+fOBeb3vBnuEIuS4SgTSAiQsytx
BDG0293yaMvfuQv0hH0/+6eM/7sPtX9OUX14wwBxrcGTjMhYG1szNxuhAYhUx7vI
7evywPDYtUiB8EK59s4E
=rk6+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message