Hi James,
On 2019-12-27 05:31, Igal Sapir wrote:
James,
On Thu, Dec 26, 2019 at 4:49 PM James H. H. Lampert <jam...@touchtonecorp.com> wrote:
We have a Tomcat (8.5.40) server running on an Amazon EC2 instance,
currently using a Java Keystore for the SSL support.
We would like to be able to use Let's Encrypt, but I've learned that
Let's Encrypt and Tomcat don't get along all that well together. The
best I've found so far are an article at:
<https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2>
and this thread in the Let's Encrypt community forum:
<https://community.letsencrypt.org/t/how-can-i-automate-renewals-with-tomcat/81423>
Does anybody here have any experience with situations like this? Does
anybody here have any suggestions? Or, as another alternative, does
anybody here know of some Amazon AWS product that could front-end a
single-box, non-load-balanced Tomcat server, and use Amazon's free
"Public Certificates"? (I've already posted that last to the relevant
Amazon forum.)
You should check out Chris' presentations on the topic. He outlines a
very efficient process. There are probably more materials out there, but
a quick search brings up the video [1] and slides [2] from his
presentation at ApacheCon earlier this year, as well as his shell script
for automating the process.
Igal
[1] https://www.youtube.com/watch?v=BWUjvmJgSeE
[2] <https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf>
    https://people.apache.org/~schultz/ApacheCon%20NA%202019/Let's%20Encrypt%20Apache%20Tomcat.pdf
[3] https://people.apache.org/~schultz/ApacheCon%20NA%202019/lets-encrypt-renew.sh
+1
Currently the script is broken, as there is a bug in the JMX
implementation of Tomcat 8.5 that is fixed from 8.5.51.
Once that is released it is really easy to automate the letsencrypt acme
process with [3].
Tomcat 8.5 brings a new way to configure certificates [4]. You can use
PEM-encoded certs even in the JSSE implementation.
So you can just save/copy the certs from LE to your certificate
directory (in my case ${catalina.base}/conf/ssl):
    <Certificate
        certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
        certificateFile="${catalina.base}/conf/ssl/cert.pem"
        certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
        type="RSA" />
After certbot has finished, reload the SSL config for the updated Host
through the jmxproxy and you are done.
Hope that helps.
Peter
[4] https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig
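The two steps Peter describes (copy the Let's Encrypt PEM files into the conf/ssl directory referenced by the <Certificate> element, then reload the SSL config through the manager's jmxproxy), written up as a certbot deploy hook. This is an added example, not Peter's setup and not Chris Schultz's lets-encrypt-renew.sh; the manager URL, HTTPS port, target directory, netrc credentials file and the ProtocolHandler MBean operation name are assumptions.

```shell
#!/bin/sh
# Added example (not Peter's config nor Chris Schultz's lets-encrypt-renew.sh): a certbot
# --deploy-hook that copies the PEM files into conf/ssl and reloads the connector's
# SSLHostConfig via the manager's jmxproxy. Assumed: certbot exports RENEWED_LINEAGE,
# the manager is on localhost:8080 with a manager-jmx user in a netrc file, HTTPS on 8443.
set -eu
TOMCAT_SSL_DIR="${TOMCAT_SSL_DIR:-/opt/tomcat/conf/ssl}"
MANAGER_URL="${MANAGER_URL:-http://localhost:8080/manager/jmxproxy/}"
HTTPS_PORT="${HTTPS_PORT:-8443}"
NETRC_FILE="${NETRC_FILE:-/etc/tomcat/jmx.netrc}"

# Copy the three files the <Certificate> element references, following certbot's
# symlinks so Tomcat never needs read access to /etc/letsencrypt itself.
install_certs() {
    src="$1"; dst="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    # Copy the key under a restrictive umask, then fix the mode in case the
    # destination already existed with wider permissions (cp keeps the old mode).
    (umask 077; cp -L "$src/privkey.pem" "$dst/privkey.pem")
    chmod 0600 "$dst/privkey.pem"
    cp -L "$src/cert.pem" "$dst/cert.pem"
    cp -L "$src/chain.pem" "$dst/chain.pem"
}

# jmxproxy URL that invokes reloadSslHostConfigs on the connector's ProtocolHandler
# MBean, Catalina:type=ProtocolHandler,port=<port>, percent-encoded for the query.
reload_url() {
    echo "${MANAGER_URL}?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D$1&op=reloadSslHostConfigs"
}

# jmxproxy reports failures in the body ("Error - ...") rather than the HTTP status,
# so the reply text decides whether the renewed certificate actually went live.
reload_tomcat_ssl() {
    out=$(curl -sS --netrc-file "$NETRC_FILE" "$(reload_url "$HTTPS_PORT")")
    case "$out" in
        OK*) echo "$out" ;;
        *)   echo "jmxproxy reload failed: $out" >&2; return 1 ;;
    esac
}

main() {
    install_certs "$RENEWED_LINEAGE" "$TOMCAT_SSL_DIR"
    reload_tomcat_ssl
}
# certbot sets RENEWED_LINEAGE when it runs the hook; without it only functions load.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh`, so the copy and reload only happen when a certificate was actually renewed.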
James H. H. Lampert
Touchtone Corporation
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org