From Christopher Schultz <>
Subject Re: Using existing LetsEncrypt certs with tomcat
Date Thu, 04 Jan 2018 15:33:07 GMT


On 1/4/18 12:50 AM, Paul Beard wrote:
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz
>> <> wrote:
>> In there, I detail how to put everything together. There is a
>> script that builds a Java keystore that Tomcat can use. That
>> script demonstrates how to take an existing
>> key+certificate+chain, convert it into a Java keystore and then
>> make it active. The script actually requests a renewal of the
>> certificate from Let's Encrypt (which may say "no renewal
>> required") and then only re-builds the keystore if the key/cert
>> have actually changed.
> This looks great but I suspect my problems are more basic, like
> getting *any* cert to be honored, even a self-signed one.

Were you able to get Let's Encrypt to generate a key and LE-signed
certificate? If not, that's obviously the first step. You don't need
TLS working in order to get an LE-signed certificate. Slide #20 has
the command you need to run in order to get an initial certificate.
Slides 16-19 cover the iptables routing required to allow LE to
connect over port 80/443 when Tomcat is binding to port 8080/8443.

> This step — <Connector port=”8443” keystoreFile=”conf/keystore.jks”
> ... /> — eludes me. I added that to an existing Connector stanza
> but I am seeing these errors which suggests (?) I did that wrong:
> SEVERE: Failed to initialize end point associated with
> ProtocolHandler ["http-bio-8443"] Keystore was
> tampered with, or password was incorrect

Slides 21 - 24 cover my investigation for how to replace Tomcat's
keystore while it's running in a safe-ish way. The presentation was a
bit of an explanation for how I was able to ultimately build the final
script. You don't have to perform every step in the presentation.

What you really want to do is look at slide #28 which has the overview
of the process *after* you have the first cert from LE. So, assuming
you have it, you can basically use my script directly.

> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" 
> keystoreFile="conf/keystore.jks"  keystorePass="qwerty" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLS" />

I'd recommend that you use NIO. I'd also recommend that you upgrade
from Tomcat 7.0.x to Tomcat 8.5.x if possible. It already handled
dynamic reloading of TLS configuration so you won't need any (albeit
short) unavailability of your Tomcat instance.

> But that seems outside the scope of what I was asking. I’ll take
> another look tomorrow…took entirely too long to get the symlink
> step to work as expected. Had to change to the conf directory for
> it to work. Too late in the day for this to make any sense.


> Thanks for the presentation. I’m sure it will make sense to me
> eventually.

Mark pointed to the Tomcat "presentations" page where you can find a
link to this LE/Tomcat presentation as well as the audio of my
presentation of these slides at ApacheCon in Miami last year. Perhaps
the audio will give you more information than is actually contained in
the slides.

Hope that helps,
- -chris
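Added example (not the script from Chris's presentation) of the step the reply describes: turning the PEM files certbot keeps in its "live" directory into the JKS keystore that `keystoreFile` points at, and rebuilding it only when the key, certificate or chain has actually changed. The Let's Encrypt directory, keystore path and password are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example, not Chris Schultz's script. Builds Tomcat's JKS keystore from
# certbot's privkey.pem/cert.pem/chain.pem and only rebuilds it when the
# material changed. Paths and the password below are assumptions.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.com}"   # assumed certbot layout
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/keystore.jks}"   # keystoreFile in server.xml
STAMP="${STAMP:-$KEYSTORE.sha256}"                       # digest of the last build
STOREPASS="${STOREPASS:-changeit}"                       # placeholder; must equal keystorePass

sha256() {  # coreutils on Linux, perl shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# One digest over all three inputs: a change in any of them flips it.
material_digest() {
    cat "$1/privkey.pem" "$1/cert.pem" "$1/chain.pem" | sha256 | cut -d' ' -f1
}

# Exit 0 when no build has been recorded yet or the material differs from it.
needs_rebuild() {
    dir="$1"; stamp="$2"
    current=$(material_digest "$dir")
    [ ! -f "$stamp" ] || [ "$(cat "$stamp")" != "$current" ]
}

# PEM -> PKCS12 (openssl) -> JKS (keytool). The result is written next to the
# target and renamed into place, so Tomcat never opens a half-written keystore.
build_keystore() {
    dir="$1"; out="$2"
    tmp=$(mktemp -d "$(dirname "$out")/keystore.XXXXXX")
    openssl pkcs12 -export -name tomcat -in "$dir/cert.pem" -inkey "$dir/privkey.pem" \
        -certfile "$dir/chain.pem" -passout "pass:$STOREPASS" -out "$tmp/keystore.p12"
    keytool -importkeystore -noprompt -srcstoretype PKCS12 \
        -srckeystore "$tmp/keystore.p12" -srcstorepass "$STOREPASS" \
        -destkeystore "$tmp/keystore.jks" -deststorepass "$STOREPASS"
    chmod 600 "$tmp/keystore.jks"        # keystore holds the private key
    mv "$tmp/keystore.jks" "$out"
    rm -rf "$tmp"                        # drops the intermediate PKCS12 too
}

main() {
    if needs_rebuild "$LE_DIR" "$STAMP"; then
        build_keystore "$LE_DIR" "$KEYSTORE"
        material_digest "$LE_DIR" > "$STAMP"
        echo "keystore rebuilt: $KEYSTORE (restart Tomcat, or reload TLS config on 8.5.x)"
    else
        echo "key/cert unchanged, keystore left as is"
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `STOREPASS=... sh build-keystore.sh --run` after `certbot renew`; the NIO connector from the reply (`protocol="org.apache.coyote.http11.Http11NioProtocol"`) reads the same `keystoreFile`/`keystorePass` values.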