How to Implement SSL in Apache Tomcat in Centos Linux with Auto Renewal

How to Implement SSL in Apache Tomcat in Centos Linux :

Tomcat Pre-Installation :

https://www.tecmint.com/install-apache-tomcat-in-centos/

useradd nt
passwd nt

password : aDMIN123

yum install java-1.8.0-openjdk-devel      #install JDK 8
java -version
cd /usr/local
yum install wget
wget  https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.39/bin/apache-tomcat-9.0.39.tar.gz
tar -xvf apache-tomcat-9.0.39.tar.gz
mv apache-tomcat-9.0.39 tomcat

echo "export CATALINA_HOME="/usr/local/tomcat"" >> ~/.bashrc
source ~/.bashrc

Now we all set to start the tomcat web server using the scripts provided by the tomcat package.

cd /usr/local/tomcat/bin
./startup.sh

cd /usr/local/tomcat/bin
./shutdown.sh

sudo firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-port=8080/tcp

http://192.168.1.100:8080

cd /usr/local/tomcat/bin
./shutdown.sh

-------------------------------------------------------------------------------------------------------------------------------

1 - Make sure the ports 80 (http) and 443 (https) are open to the world :

firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp

2 - Install these: (bms-erp.online is the domain pointed to vultr.com)

sudo yum install epel-release
sudo yum install certbot
certbot certonly --standalone -d bms-erp.online

The following will show :

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/bms-erp.online-0001/fullchain.pem
   
Your key file has been saved at:
   /etc/letsencrypt/live/bms-erp.online-0001/privkey.pem

Your certificate will expire on 2022-10-07. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"

3 - View the certificates generated:
ls /etc/letsencrypt/live/bms-erp.online
ls -l /usr/local/tomcat

4 - Copy the pem files:


cd /etc/letsencrypt/live/bms-erp.online
cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf

5 - Permission is must:


cd /usr/local/tomcat/conf
chown nt:nt *.pem

cd /etc/letsencrypt/live/bms-erp.online
chown nt:nt *.pem

6 - View the files :

ls -l /usr/local/tomcat/conf

7 - Edit the server.xml file :

cd /usr/local/tomcat/conf

vi server.xml

Add these lines :

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" />
  </SSLHostConfig>
</Connector>

after:

 <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

8 - Give Password :


vi /usr/local/tomcat/conf/tomcat-users.xml

9 - Start tomcat :

cd /usr/local/tomcat/bin

./startup.sh

10 - It may be necessary to restart tomcat :

cd /usr/local/tomcat/bin

./shutdown.sh
./startup.sh

Simple SSL renew Process to follow after each quarter (90 days) :

Renew the certboot :

certbot renew

Go to the folder of letsencrypt live folder where configuration files are :

cd /etc/letsencrypt/live/bms-erp.online

Copy the  files to tomcat conf file:

cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf

Tomcat Restart :

cd /usr/local/tomcat/bin

./shutdown.sh
./startup.sh


Auto Renewal :


How to Automate Let’s Encrypt SSL Renewal for Apache Tomcat on Linux

SSL certificates issued by Let’s Encrypt are valid for 90 days. To avoid unexpected expiration and downtime, it is best to automate the renewal process.

In this guide, we’ll configure automatic SSL renewal for a Tomcat server running on Linux.


Step 1: Check the Current SSL Certificate

To verify the SSL certificate currently served by your website:

echo | openssl s_client -connect talentpos.xyz:443 -servername talentpos.xyz 2>/dev/null | openssl x509 -noout -dates \
| while IFS='=' read label date; do
    echo "$label=$(TZ=Asia/Dhaka date -d "$date" '+%Y-%m-%d %I:%M:%S %p %Z')"
done

Example output:

notBefore=2026-07-12 12:44:21 PM +06
notAfter=2026-10-10 01:19:31 PM +06


Step 2: Create the SSL Renewal Script

Create the renewal script.

vi /usr/local/bin/renew_ssl.sh

Paste the following script.

#!/bin/bash

# ==============================================
# Force Renew Let's Encrypt SSL for Tomcat
# Domain: talentpos.xyz
# ==============================================

DOMAIN="talentpos.xyz"
LE_DIR="/etc/letsencrypt/live/$DOMAIN"
TOMCAT_CONF="/usr/local/tomcat/conf"
LOGFILE="/var/log/ssl-renew.log"

echo "==========================================" >> "$LOGFILE"
echo "Started : $(date)" >> "$LOGFILE"

echo "Stopping Tomcat..." >> "$LOGFILE"
/usr/local/tomcat/bin/shutdown.sh >> "$LOGFILE" 2>&1

sleep 10

echo "Force renewing SSL certificate..." >> "$LOGFILE"
/usr/bin/certbot renew --force-renewal >> "$LOGFILE" 2>&1

if [ $? -eq 0 ]; then
    echo "Renewal successful." >> "$LOGFILE"

    cp -f "$LE_DIR/cert.pem" "$TOMCAT_CONF/"
    cp -f "$LE_DIR/chain.pem" "$TOMCAT_CONF/"
    cp -f "$LE_DIR/privkey.pem" "$TOMCAT_CONF/"

    echo "Certificates copied." >> "$LOGFILE"
else
    echo "Renewal failed. Existing certificates retained." >> "$LOGFILE"
fi

echo "Starting Tomcat..." >> "$LOGFILE"
/usr/local/tomcat/bin/startup.sh >> "$LOGFILE" 2>&1

echo "Finished : $(date)" >> "$LOGFILE"
echo "" >> "$LOGFILE"

Save the file and make it executable.

chmod +x /usr/local/bin/renew_ssl.sh


Step 3: Test the Script

Run the script manually.

/usr/local/bin/renew_ssl.sh

After completion, verify the SSL certificate again.

echo | openssl s_client -connect talentpos.xyz:443 -servername talentpos.xyz 2>/dev/null | openssl x509 -noout -dates \
| while IFS='=' read label date; do
    echo "$label=$(TZ=Asia/Dhaka date -d "$date" '+%Y-%m-%d %I:%M:%S %p %Z')"
done

If the renewal is successful, the notBefore and notAfter values will be updated.


Step 4: Configure Automatic Renewal with Cron

Open the root user’s crontab.

crontab -e

Run Every Day at 3:30 AM

30 3 * * * /usr/local/bin/renew_ssl.sh

Run Every Day at 2:10 PM

10 14 * * * /usr/local/bin/renew_ssl.sh

Run on the 21st of Every Month at 3:30 AM

30 3 21 * * /usr/local/bin/renew_ssl.sh

Save the file.

If using vi:

1.     Press Esc

2.     Type

:wq

3.     Press Enter

Verify the cron configuration.

crontab -l


Step 5: Ensure Cron Service is Running

Check the cron service.

systemctl status crond

If it is not running:

systemctl enable crond
systemctl start crond


Step 6: Verify the Renewal Logs

Review the cron execution log.

tail -100 /var/log/renew_ssl_cron.log

Review the renewal log.

tail -100 /var/log/ssl-renew.log


Step 7: Check the Certificate Expiry Date

To display only the expiry date in Bangladesh time:

TZ=Asia/Dhaka date -d "$(openssl x509 -in /etc/letsencrypt/live/talentpos.xyz/cert.pem -noout -enddate | cut -d= -f2)"

Example:

Sat Oct 10 13:19:31 +06 2026


Important Note About Let’s Encrypt Rate Limits

This guide uses:

certbot renew --force-renewal

This command always requests a new certificate, even if the existing certificate is still valid.

Let’s Encrypt limits certificate issuance to 5 certificates for the same set of domain names within a rolling 7-day period. If this limit is exceeded, renewal will fail with a rate-limit error.

For production environments, it is generally recommended to use:

certbot renew

without the --force-renewal option, allowing Certbot to renew certificates only when they are eligible for renewal.


Conclusion

By combining Certbot, OpenSSL, Cron, and Tomcat, you can automate SSL certificate management with minimal manual effort. A scheduled renewal process helps prevent certificate expiration, reduces administrative overhead, and ensures your web applications continue to serve secure HTTPS connections reliably.



Muhammad Abdullah Al Noor

Muhammad Abdullah Al Noor, An Oracle Apex Consultants and founder of Noors Technology (www.noorstech.com). Core Expertise : Database Administration, Oracle Forms and Reports Development, Oracle Apex Application Designer and Development, Linux Professional etc. Also the owner of TrainerBD Training and OraDemy E-Learning. WhatsApp +8801790721177

Post a Comment

Previous Post Next Post