On same machine is running Apache on port 80 and Tomcat on port 8080.
Apache include html;css;js; files and make calls to tomcat services.
Basically exampledomain.com calls exampledomain.com:8080 to receive data.
Now i upgraded the protocol from http to https using Let’s Encrypt certbot to generate the certificate, this certificate will be updated every 3 months by certbot. Apache is running fine on port 443 but Tomcat still use port 8080, i can use same certificate to run tomcat on port 8443 but.. for doing this the certificate needs to be converted to Java Keystore.
My question is, if i will convert the certificate it will expire after 3 month and i need to convert the new generated certificate by certbot to Java Keystore again ?
2
Answers
Yes, you have to convert the certificate every time it expires.
Tomcat accept .jks and .pfx certificates and you can make it easy to autoconvert everytime certbot generates new certificate by writing a script and make it run with certbot renewal-hooks.
Script:
Place this script in /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh
Don't forget to
chmod!
If the script isn't executable, it's ignored.Automatic PKCS12 Conversion for Let's Encrypt Certificates
The answer is yes and no:
yes, if you want to keep your certificate in PKCS12 or JKS format, you’ll have to convert it after every renewal, like in your answer,
no, converting to PKCS12 is not necessary on any supported version of Tomcat, except 7.0 (which reaches end-of-life in two months anyway). Tomcat 8.5, 9.0 and the upcoming 10.0 have no problem reading PEM-encoded certificates, just configure it like this:
This works on all three types of connector (NIO, NIO2 and APR). On the other hand the APR connector never supported PKCS12 and JKS keystores.