Implementing HTTPS in your Java applications hosted on Apache Tomcat enhances security by encrypting data transmitted between the server and clients. Using Let’s Encrypt provides a free and automated way to obtain SSL/TLS certificates, making it accessible for developers and organizations of all sizes. This guide explains how to set up Let’s Encrypt with Apache Tomcat to enable HTTPS support.

Prerequisites

  • A server running Apache Tomcat (version 9 or later recommended)
  • Root or sudo access to the server
  • Domain name pointing to your server's IP address
  • Certbot installed for obtaining Let’s Encrypt certificates

Installing Certbot and Obtaining a Certificate

First, install Certbot on your server. For Ubuntu, use:

sudo apt update && sudo apt install certbot

Next, obtain a certificate for your domain:

sudo certbot certonly --standalone -d yourdomain.com

This command will generate the certificate files typically stored in /etc/letsencrypt/live/yourdomain.com/.

Configuring Tomcat for SSL

Locate your Tomcat's server.xml file, usually in the conf directory. Back up the file before editing.

Add or modify the Connector element to include SSL configuration:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/keystore.p12" keystoreType="PKCS12"
           keystorePass="your-keystore-password" clientAuth="false" sslProtocol="TLS" />

Creating a PKCS12 Keystore

Convert the Let’s Encrypt certificates to a PKCS12 keystore:

openssl pkcs12 -export -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem -out /path/to/keystore.p12 -name tomcat -password pass:your-keystore-password

Restarting Tomcat and Testing

After configuring the server.xml and creating the keystore, restart Tomcat:

sudo systemctl restart tomcat

Open your browser and navigate to https://yourdomain.com:8443. You should see a secure connection indicated by a padlock icon.

Renewing Certificates

Let’s Encrypt certificates are valid for 90 days. Set up a cron job to automatically renew them:

sudo certbot renew --post-hook "systemctl restart tomcat"

This command renews the certificate and restarts Tomcat to apply the new certificates automatically.
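The PKCS12 keystore is a converted copy of the PEM files, so a renewal on its own leaves Tomcat serving the old certificate until the conversion from the "Creating a PKCS12 Keystore" step is repeated. The deploy hook below is an added example, not part of the original guide or of Certbot: it rebuilds the keystore after each successful renewal (a deploy hook, unlike a post-hook, runs only when a certificate was actually renewed) and then restarts Tomcat. The keystore path, the password file /etc/tomcat/keystore.pass and the service user "tomcat" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot deploy hook that
# rebuilds Tomcat's PKCS12 keystore from the renewed PEM files, checks it,
# and restarts Tomcat. Install with:
#   certbot renew --deploy-hook /usr/local/sbin/tomcat-keystore-hook.sh
# Assumptions (not from the page): the keystore password lives in
# KEYSTORE_PASS_FILE, readable by root only, and Tomcat runs as "tomcat".
set -eu

KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/keystore.p12}"
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-/etc/tomcat/keystore.pass}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# Build a PKCS12 keystore from a Let's Encrypt lineage directory.
#   $1 = lineage dir containing fullchain.pem and privkey.pem
#   $2 = output keystore path
#   $3 = file whose first line is the keystore password; reading it with
#        -passout file: keeps the secret out of the process list and shell
#        history, unlike -password pass:...
make_keystore() {
    lineage="$1"; out="$2"; passfile="$3"
    tmp="$out.tmp.$$"
    # umask 077 in a subshell: the temp file is owner-readable only
    ( umask 077; openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name tomcat -out "$tmp" -passout "file:$passfile" )
    mv -f "$tmp" "$out"   # atomic replace: Tomcat never reads a half-written file
}

# Succeeds only if keystore $1 opens with the password in file $2 and
# contains at least one certificate; a wrong password or empty store fails.
verify_keystore() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# When certbot runs a deploy hook it exports RENEWED_LINEAGE, pointing at
# /etc/letsencrypt/live/<domain>. Do nothing when invoked by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    make_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$KEYSTORE_PASS_FILE"
    verify_keystore "$KEYSTORE" "$KEYSTORE_PASS_FILE"
    chown "root:$TOMCAT_USER" "$KEYSTORE"
    chmod 640 "$KEYSTORE"   # private key stays readable by root and tomcat only
    systemctl restart tomcat
fi
```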