
On the same machine, Apache is running on port 80 and Tomcat on port 8080.

Apache serves the HTML, CSS and JS files and makes calls to the Tomcat services.

Basically, exampledomain.com calls exampledomain.com:8080 to receive data.

Now I have upgraded the protocol from HTTP to HTTPS, using Let's Encrypt certbot to generate the certificate; this certificate will be renewed every 3 months by certbot. Apache is running fine on port 443, but Tomcat still uses port 8080. I can use the same certificate to run Tomcat on port 8443, but to do this the certificate needs to be converted to a Java Keystore.

My question is: if I convert the certificate, it will expire after 3 months, and then I need to convert the new certificate generated by certbot to a Java Keystore again?

2 Answers


  1. Chosen as BEST ANSWER

    Yes, you have to convert the certificate every time it expires.

    Tomcat accepts .jks and .pfx certificates, and you can make it easy to auto-convert every time certbot generates a new certificate by writing a script and running it with certbot's renewal hooks.

    Script:

    #!/bin/bash
    # Adjust these variables as necessary.
    # Certbot runs deploy hooks with RENEWED_LINEAGE set to the lineage
    # directory (e.g. /etc/letsencrypt/live/example.com) that was just renewed;
    # -u makes the script fail loudly if it is run without it.
    set -eu
    
    # Where you want the final PKCS12 file to be stored.
    CERT_PATH="/opt/app/certificate.pfx"
    
    # Password to encrypt the PKCS12 file. It is handed to openssl through the
    # environment rather than on the command line so it does not show up in ps.
    export CERT_PW="ShoobyDooby"
    
    # Path to LE files, RENEWED_LINEAGE provided by CertBot
    PRIV_KEY_PEM="$RENEWED_LINEAGE/privkey.pem"
    CERT_PEM="$RENEWED_LINEAGE/cert.pem"
    CHAIN_PEM="$RENEWED_LINEAGE/chain.pem"
    
    # If there's already a .pfx file, back it up
    if [[ -f "$CERT_PATH" ]]; then
        now=$(date +%Y-%m-%d-%T)
        mv "$CERT_PATH" "$CERT_PATH.bak.$now"
    fi
    
    # LE conversion: bundle private key, leaf certificate and chain into one PKCS12 file
    openssl pkcs12 -export -out "$CERT_PATH" -inkey "$PRIV_KEY_PEM" -in "$CERT_PEM" \
        -certfile "$CHAIN_PEM" -passout env:CERT_PW
    

    Place this script in /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh.
    Don't forget to chmod! If the script isn't executable, it's ignored.

    Automatic PKCS12 Conversion for Let's Encrypt Certificates


  2. The answer is yes and no:

    • yes, if you want to keep your certificate in PKCS12 or JKS format, you'll have to convert it after every renewal, like in your answer;

    • no, converting to PKCS12 is not necessary on any supported version of Tomcat except 7.0 (which reaches end of life in two months anyway). Tomcat 8.5, 9.0 and the upcoming 10.0 have no problem reading PEM-encoded certificates; just configure it like this:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/example.org/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/example.org/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.org/chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    

    This works on all three types of connector (NIO, NIO2 and APR). On the other hand, the APR connector never supported PKCS12 and JKS keystores.

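Two things both answers leave to the reader: whichever route you take (PKCS12 as in the first answer, or PEM files read directly as in the second), Tomcat only loads the certificate when the connector starts, so a renewal still needs a deploy hook that restarts Tomcat (or reloads the SSLHostConfig), and the Tomcat user must be able to read the private key, which certbot typically writes root-only. The script below is an added example, not code from either answer or from the certbot or Tomcat projects. It extends the first answer's conversion with a verification step: it builds the PKCS12 file at a temporary path, checks that the leaf certificate inside it has the same SHA-256 fingerprint as certbot's cert.pem, and only then moves it into place, so a broken or wrongly-passworded keystore is never handed to Tomcat. It assumes openssl is on PATH and that the PKCS12 password arrives in the PFX_PW environment variable (not on the command line, where it would be visible in ps). The function names, the /opt/app/certificate.pfx and /etc/tomcat/pfx-password paths, and the tomcat systemd unit name are hypothetical. make_test_lineage constructs a throwaway CA and leaf certificate that stand in for a certbot lineage directory, purely so the example can be run offline.

```shell
#!/bin/bash
# Added example: convert a certbot lineage to PKCS12 for Tomcat and verify
# the result before swapping it in. Not the answer author's script.
# Assumes: openssl on PATH; lineage dir holds privkey.pem, cert.pem, chain.pem;
# the PKCS12 password is supplied via the PFX_PW environment variable.
set -u

# Constructed stand-in for /etc/letsencrypt/live/<domain>: a throwaway CA
# (chain.pem) plus a leaf certificate signed by it. Prints the directory.
make_test_lineage() {
  local d
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=example.org \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$d/leaf.csr" \
    -CA "$d/chain.pem" -CAkey "$d/ca.key" -out "$d/cert.pem" 2>/dev/null
  echo "$d"
}

# Compare the SHA-256 fingerprint of the leaf inside the PKCS12 file with the
# PEM certificate it was built from. Non-zero on mismatch, wrong password
# (the PKCS12 MAC check fails and nothing is emitted), or unreadable file.
verify_pfx() {
  local pfx=$1 cert_pem=$2 want got
  want=$(openssl x509 -in "$cert_pem" -noout -fingerprint -sha256) || return 1
  got=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PW 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ -n "$got" ] && [ "$want" = "$got" ]
}

# lineage dir -> PKCS12 at a temp path next to the target, verify, then move
# it into place with one rename so Tomcat never sees a half-written keystore.
convert_and_verify() {
  local lineage=$1 out=$2 tmp
  export PFX_PW=$3
  tmp=$(mktemp "${out}.XXXXXX") || return 1
  openssl pkcs12 -export -out "$tmp" \
    -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
    -certfile "$lineage/chain.pem" -passout env:PFX_PW || { rm -f "$tmp"; return 1; }
  if ! verify_pfx "$tmp" "$lineage/cert.pem"; then
    rm -f "$tmp"; return 1
  fi
  chmod 0640 "$tmp"   # readable by the owner group only; put the Tomcat user in it
  mv -f "$tmp" "$out"
}

# When certbot runs this as a deploy hook it sets RENEWED_LINEAGE; otherwise
# the functions above are only defined (e.g. when sourced for testing).
# Hypothetical paths: a root-only file holding the keystore password and the
# file server.xml's certificateKeystoreFile points at; hypothetical unit name.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  convert_and_verify "$RENEWED_LINEAGE" /opt/app/certificate.pfx \
    "$(cat /etc/tomcat/pfx-password)" && systemctl restart tomcat
fi
```

Installed as /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh (executable, as the first answer notes), this runs only for lineages certbot actually renewed, and the restart at the end is what makes Tomcat pick up the new keystore; the same restart (or an SSLHostConfig reload) is needed if you instead point the connector at the PEM files as in the second answer.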