tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tutorial: Configure Tomcat with HTTPS/SSL on Ubuntu 16.04 LTS (Xenial) using Letsencrypt
Date Tue, 04 Oct 2016 21:19:00 GMT

On 9/30/16 10:34 AM, Mladen Adamović wrote:
> Hi all,
> I'm running 3 servers with Tomcat (migrated from Glassfish which is
> not maintained well imo). But documentation is kind of not the best
> for configuring HTTPS/SSL.
> I've written my own tutorial how to do that using Letsencrypt and
> Tomcat native: 
>  As you can notice from the tutorial:
> - I'm running 8.5.5 from the website (not the prepackaged one that comes with Ubuntu)
> - I run Tomcat as a non-root user and do iptables forwarding because of that
> - I implemented my own ACME support for Letsencrypt (it's easy)
> I'm using it for my own purposes, but if people have suggestions to
> improve it, I'd be happy to consider it.
> I hope it will be useful to other people as well.

Thanks for doing this guide. I'm mostly interested in the Let's
Encrypt part, because everything else is very straightforward IMO. I
have some comments about the LE stuff.

First, this is a bad idea:

chmod o+rx /etc/letsencrypt
chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/archive/
chmod o+rx /etc/letsencrypt/live

That gives world-readable access to your server's private keys. There
are better ways to allow the Tomcat user to read these certificates.
For example, on my server, the /etc/letsencrypt/archive directory and
contents are group-owned by a group called "ssl-cert". It's better to
add the Tomcat user to the ssl-cert group than to open the certs and
keys to the whole world.

Second, the ACME servlet doesn't need to be mounted on /* -- you can
just as easily mount it on /.well-known/acme/*. Better yet, just
configure the <Context> to contain some <PreResources> that mounts a
special directory
(/tmp/letsencrypt/public_html/.well-known/acme-challenge/ in your
example) into the URL space of the application. Less code = fewer
opportunities for errors.

Better even still, package a web application called ".well-known" with
the complete configuration necessary. Then all that is required is to
drop the WAR file into Tomcat's auto-deploy directory
(CATALINA_HOME/webapps) and allow LE to authenticate your control
over the server.

Third, I haven't spent much time with LE yet, but I believe you can
simply "renew" your cert instead of requesting a new one:

$ /path/to/certbot renew

This will perform the steps for renewal that were originally used to
obtain the certificate. So, I believe, if you used the "certonly"
plugin, then it will again only use the "certonly" plugin. Similarly,
if you use the "webroot" plugin, it will be used again. For Tomcat,
you might have to adjust the caching configuration to get it to work

I for one am interested in getting official support for Tomcat into
the command-line tools for Let's Encrypt. I tried to understand how
certbot works, but it's clear that I'd need a curated guide to
building a new plug-in for Tomcat. When I have some time (ha ha), I'll
reach-out to the LE folks to see what it would take.

- -chris
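A worked version of Chris's first two points, added here as an example; it is not code from his message or from the tutorial he is reviewing. The functions give the Tomcat user read access to the Let's Encrypt files through a group (the "ssl-cert" group he describes) instead of "chmod o+rx", check that no private key is left world-readable, and write the <PreResources> context fragment he suggests in place of a servlet mounted on /*. Assumptions: the "tomcat" user name, the webapp's META-INF path, the "readOnly" attribute on the resource set, and the constructed demo tree (a stand-in for a real /etc/letsencrypt so the script runs offline); the challenge directory is the one from the tutorial.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the tutorial).
# Group-based access to Let's Encrypt files for Tomcat, plus an ACME
# challenge mount via <PreResources>.  The "tomcat" user, the webapp
# META-INF path and the demo tree below are assumptions.

# harden_le_perms LE_ROOT GROUP
# Owner keeps full access; GROUP may traverse archive/ and live/ and read
# the keys; "other" loses access to everything below them.  LE_ROOT itself
# is left as the package created it (traversal is all that is needed there).
harden_le_perms() {
    le_root=$1
    group=$2
    find "$le_root/archive" "$le_root/live" -exec chgrp "$group" {} +
    find "$le_root/archive" "$le_root/live" -type d -exec chmod 750 {} +
    find "$le_root/archive" -type f -name 'privkey*.pem' -exec chmod 640 {} +
    find "$le_root/archive" -type f ! -name 'privkey*.pem' -exec chmod 644 {} +
}

# world_readable_keys LE_ROOT
# Lists private keys that "other" can still read; empty output means clean.
world_readable_keys() {
    find "$1" -type f -name 'privkey*.pem' -perm -004
}

# key_is_mode FILE OCTAL_MODE
# Succeeds when FILE has exactly OCTAL_MODE (e.g. 640).
key_is_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# write_acme_context META_INF_DIR CHALLENGE_DIR
# Writes META-INF/context.xml for the ROOT webapp, mounting CHALLENGE_DIR
# read-only at /.well-known/acme-challenge so the webroot plugin can drop
# challenge files there without any servlet code.
write_acme_context() {
    mkdir -p "$1"
    cat > "$1/context.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="$2"
                  webAppMount="/.well-known/acme-challenge"
                  readOnly="true" />
  </Resources>
</Context>
EOF
}

# make_demo_tree LE_ROOT
# Constructed certbot-style layout (not real PEM data) whose key is
# world-readable, the state the "chmod o+rx" approach would leave exposed.
make_demo_tree() {
    mkdir -p "$1/archive/example.com" "$1/live/example.com"
    for f in cert1 chain1 fullchain1 privkey1; do
        echo "constructed $f, not a real PEM" > "$1/archive/example.com/$f.pem"
        ln -s "../../archive/example.com/$f.pem" "$1/live/example.com/${f%1}.pem"
    done
    chmod 755 "$1/archive" "$1/archive/example.com" "$1/live" "$1/live/example.com"
    chmod 644 "$1/archive/example.com/privkey1.pem"
}

# Real use, as root (paths and user name are assumptions):
#   harden_le_perms /etc/letsencrypt ssl-cert
#   usermod -aG ssl-cert tomcat        # then restart Tomcat
#   world_readable_keys /etc/letsencrypt   # should print nothing
#   write_acme_context /opt/tomcat/webapps/ROOT/META-INF \
#       /tmp/letsencrypt/public_html/.well-known/acme-challenge
```

Adding the Tomcat user to the group only takes effect for processes started after the change, so restart Tomcat; the world_readable_keys check is worth keeping in a cron or post-renewal hook, because a certbot upgrade or a hand-run chmod can silently reopen the archive directory.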

