tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using existing LetsEncrypt certs with tomcat
Date Thu, 04 Jan 2018 15:33:07 GMT

Paul,

On 1/4/18 12:50 AM, Paul Beard wrote:
> 
> 
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz
>> <chris@christopherschultz.net> wrote:
>> 
>> In there, I detail how to put everything together. There is a
>> script that builds a Java keystore that Tomcat can use. That
>> script demonstrates how to take an existing
>> key+certificate+chain, convert it into a Java keystore and then
>> make it active. The script actually requests a renewal of the
>> certificate from Let's Encrypt (which may say "no renewal
>> required") and then only re-builds the keystore if the key/cert
>> have actually changed.
> 
> This looks great but I suspect my problems are more basic, like
> getting *any* cert to be honored, even a self-signed one.

Were you able to get Let's Encrypt to generate a key and LE-signed
certificate? If not, that's obviously the first step. You don't need
TLS working in order to get an LE-signed certificate. Slide #20 has
the command you need to run in order to get an initial certificate.
Slides 16-19 cover the iptables routing required to allow LE to
connect over port 80/443 when Tomcat is binding to port 8080/8443.

> This step — <Connector port=”8443” keystoreFile=”conf/keystore.jks”
> ... /> — eludes me. I added that to an existing Connector stanza
> but I am seeing these errors which suggests (?) I did that wrong:
> 
> SEVERE: Failed to initialize end point associated with
> ProtocolHandler ["http-bio-8443"] java.io.IOException: Keystore was
> tampered with, or password was incorrect

Slides 21-24 cover my investigation for how to replace Tomcat's
keystore while it's running in a safe-ish way. The presentation was a
bit of an explanation for how I was able to ultimately build the final
script. You don't have to perform every step in the presentation.

What you really want to do is look at slide #28 which has the overview
of the process *after* you have the first cert from LE. So, assuming
you have it, you can basically use my script directly.

> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" 
> keystoreFile="conf/keystore.jks"  keystorePass="qwerty" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLS" />

I'd recommend that you use NIO. I'd also recommend that you upgrade
from Tomcat 7.0.x to Tomcat 8.5.x if possible. It already handles
dynamic reloading of TLS configuration, so you won't need any (albeit
short) unavailability of your Tomcat instance.

> But that seems outside the scope of what I was asking. I’ll take
> another look tomorrow…took entirely too long to get the symlink
> step to work as expected. Had to change to the conf directory for
> it to work. Too late in the day for this to make any sense.

:)

> Thanks for the presentation. I’m sure it will make sense to me
> eventually.

Mark pointed to the Tomcat "presentations" page where you can find a
link to this LE/Tomcat presentation as well as the audio of my
presentation of these slides at ApacheCon in Miami last year. Perhaps
the audio will give you more information than is actually contained in
the slides.

Hope that helps,
- -chris
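As an added example (not the script from Chris's presentation, and not part of the original message), here is a minimal POSIX shell sketch of the process he describes: build a JKS keystore from an existing Let's Encrypt key, certificate and chain, and skip the rebuild when none of them changed since the last run. The paths, the example.com live directory and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the presentation: rebuild Tomcat's JKS from
# an existing LE key/cert/chain only when they change. Paths/domain are assumed.
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.com}"   # placeholder live dir
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/keystore.jks}"    # keystoreFile in server.xml
STAMP="${STAMP:-$KEYSTORE.sha256}"                       # fingerprint of last build
KEYSTORE_PASS="${KEYSTORE_PASS:-}"                       # must equal keystorePass

# SHA-256 over the given PEM files (GNU sha256sum or BSD shasum).
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        cat "$@" | sha256sum | cut -d' ' -f1
    else
        cat "$@" | shasum -a 256 | cut -d' ' -f1
    fi
}

# needs_rebuild KEY CERT CHAIN STAMPFILE: true (0) unless the stamp file holds
# the fingerprint of exactly these files, i.e. nothing changed since last build.
needs_rebuild() {
    current=$(fingerprint "$1" "$2" "$3")
    [ -f "$4" ] && [ "$(cat "$4")" = "$current" ] && return 1
    return 0
}

# PEM -> PKCS#12 -> JKS, written to a temp file and moved into place so Tomcat
# never opens a half-written keystore. A Connector keystorePass that differs from
# KEYSTORE_PASS gives the "Keystore was tampered with, or password was incorrect" error.
build_keystore() {
    [ -n "$KEYSTORE_PASS" ] || { echo "KEYSTORE_PASS is not set" >&2; return 2; }
    p12="$KEYSTORE.p12.tmp"
    openssl pkcs12 -export -in "$LE_DIR/cert.pem" -inkey "$LE_DIR/privkey.pem" \
        -certfile "$LE_DIR/chain.pem" -name tomcat -passout "pass:$KEYSTORE_PASS" -out "$p12"
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$KEYSTORE.tmp" -deststoretype JKS -deststorepass "$KEYSTORE_PASS"
    rm -f "$p12"
    mv "$KEYSTORE.tmp" "$KEYSTORE"
    fingerprint "$LE_DIR/privkey.pem" "$LE_DIR/cert.pem" "$LE_DIR/chain.pem" > "$STAMP"
}

# Run after your Let's Encrypt renewal step; only invoked as: sh le-keystore.sh run
main() {
    if needs_rebuild "$LE_DIR/privkey.pem" "$LE_DIR/cert.pem" "$LE_DIR/chain.pem" "$STAMP"; then
        build_keystore && echo "keystore rebuilt: $KEYSTORE"
    else
        echo "key/cert unchanged; keystore left alone"
    fi
}
case "${1:-}" in run) main ;; esac
```

With Tomcat 7's blocking connector the rebuilt keystore is only picked up on restart, which is why the message above recommends 8.5.x and its dynamic TLS reloading.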
