Apache Tomcat is a web server and servlet container that is used to serve Java applications. Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies, released by the Apache Software Foundation.

Configure Tomcat Server to use Letsencrypt

This is a documentation of lessons learned from deploying ODKAggregate tomcat application and Letsencrypt SSL certificate.

The setup was based on CentOS 7 server and Tomcat 7.0.69

Tomcat installation

sudo yum -y install epel-release
sudo yum -y install tomcat tomcat-docs-webapp tomcat-javadoc tomcat-webapps tomcat-admin-webapps

Configure JAVA PATH

sudo yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel
sudo update-alternatives --config java
sudo update-alternatives --config javac

$ ls -l  /usr/lib/jvm

sudo tee -a /etc/bashrc<<EOF
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
export PATH=$JAVA_HOME/bin:$PATH
EOF

$ source /etc/bashrc
$ echo $JAVA_HOME
$ java -version

Tomcat JAVA options file is /etc/tomcat/tomcat.conf, example config:

JAVA_OPTS="-Xms1024m -Xmx7328m -XX:MaxPermSize=5898m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled"

If you would like to add admin user to manage Tomcat with GUI, this is done on file /usr/share/tomcat/conf/tomcat-users.xml under section:

<tomcat-users>
...
</tomcat-users>

Example:

<tomcat-users>
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>

Installing Letsencrypt

wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto

Request Letsencrypt ssl certificate for domain

firewall-cmd --add-service https --permanent
firewall-cmd --reload
certbot-auto certonly -d odk2.domain.com

SSL contents will be located under /etc/letsencrypt/live/odk2.domain.com/

create a PKCS12 that contains both your full chain and the private key

openssl pkcs12 -export -out /tmp/odk2.domain.com_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/odk2.domain.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/odk2.domain.com/privkey.pem \
    -name tomcat

Convert that PKCS12 to a JKS

keytool -importkeystore \
    -deststorepass ughubieVahfaej5 -destkeypass ughubieVahfaej5 -destkeystore odk2.domain.com.jks \
    -srckeystore odk2.domain.com_fullchain_and_key.p12  -srcstoretype PKCS12 -srcstorepass ughubieVahfaej5 \
    -alias tomcat

Replace ughubieVahfaej5 with your password

Configure tomcat server

# vim /etc/tomcat/server.xml

Ensure the following section is commented out

  <!---
    <Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />
    -->

Configure connector to use a shared thread pool

 <Connector executor="tomcatThreadPool"
            port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />

Next is to define SSL HTTP/1.1 Connector on port 8443

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/etc/ssl/odk2.domain.com.jks"
            keystorePass="ughubieVahfaej5"
            clientAuth="false" sslProtocol="TLS" />

With above configuration, http to https redirect will be done automatically for the application, which can be accessed at:

http://server_IP_address:8080

Manager App

http://server_IP_address:8080/manager/html

Bash script to Auto renew with a cron job

It can be good to set the renewal to be automated using Linux cron jobs. For this take a look at:

Bash Script to Auto-renew Letsencrypt SSL certificate on Tomcat