How to Implement SSL in Apache Tomcat in Centos Linux :
Tomcat Pre-Installation :
https://www.tecmint.com/install-apache-tomcat-in-centos/
useradd nt
passwd nt
password : aDMIN123
yum install java-1.8.0-openjdk-devel #install JDK 8
java -version
cd /usr/local
yum install wget
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.39/bin/apache-tomcat-9.0.39.tar.gz
tar -xvf apache-tomcat-9.0.39.tar.gz
mv apache-tomcat-9.0.39 tomcat
echo "export CATALINA_HOME="/usr/local/tomcat"" >> ~/.bashrc
source ~/.bashrc
Now we all set to start the tomcat web server using the scripts provided by the tomcat package.
cd /usr/local/tomcat/bin
./startup.sh
cd /usr/local/tomcat/bin
./shutdown.sh
sudo firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-port=8080/tcp
http://192.168.1.100:8080
cd /usr/local/tomcat/bin
./shutdown.sh
-------------------------------------------------------------------------------------------------------------------------------
1 - Make sure the ports 80 (http) and 443 (https) are open to the world :
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp
2 - Install these: (bms-erp.online is the domain pointed to vultr.com)
sudo yum install epel-release
sudo yum install certbot
certbot certonly --standalone -d bms-erp.online
The following will show :
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bms-erp.online-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bms-erp.online-0001/privkey.pem
Your certificate will expire on 2022-10-07. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
3 - View the certificates generated:
ls /etc/letsencrypt/live/bms-erp.online
ls -l /usr/local/tomcat
4 - Copy the pem files:
cd /etc/letsencrypt/live/bms-erp.online
cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf
5 - Permission is must:
cd /usr/local/tomcat/conf
chown nt:nt *.pem
cd /etc/letsencrypt/live/bms-erp.online
chown nt:nt *.pem
6 - View the files :
ls -l /usr/local/tomcat/conf
7 - Edit the server.xml file :
cd /usr/local/tomcat/conf
vi server.xml
Add these lines :
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateFile="conf/cert.pem"
certificateKeyFile="conf/privkey.pem"
certificateChainFile="conf/chain.pem" />
</SSLHostConfig>
</Connector>
after:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
8 - Give Password :
vi /usr/local/tomcat/conf/tomcat-users.xml
9 - Start tomcat :
cd /usr/local/tomcat/bin
./startup.sh
10 - It may be necessary to restart tomcat :
cd /usr/local/tomcat/bin
./shutdown.sh
./startup.sh
Simple SSL renew Process to follow after each quarter (90 days) :
Renew the certboot :
certbot renew
Go to the folder of letsencrypt live folder where configuration files are :
cd /etc/letsencrypt/live/bms-erp.online
Copy the files to tomcat conf file:
cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf
Tomcat Restart :
cd /usr/local/tomcat/bin
./shutdown.sh
./startup.sh
Auto Renewal :
How to Automate Let’s Encrypt SSL Renewal for Apache Tomcat on Linux
SSL
certificates issued by Let’s Encrypt are valid for 90 days. To avoid
unexpected expiration and downtime, it is best to automate the renewal process.
In
this guide, we’ll configure automatic SSL renewal for a Tomcat server running
on Linux.
Step 1: Check the Current SSL Certificate
To
verify the SSL certificate currently served by your website:
echo | openssl s_client -connect talentpos.xyz:443 -servername talentpos.xyz 2>/dev/null | openssl x509 -noout -dates \
| while IFS='=' read label date; do
echo "$label=$(TZ=Asia/Dhaka date -d "$date" '+%Y-%m-%d %I:%M:%S %p %Z')"
done
Example
output:
notBefore=2026-07-12 12:44:21 PM +06
notAfter=2026-10-10 01:19:31 PM +06
Step 2: Create the SSL Renewal Script
Create
the renewal script.
vi /usr/local/bin/renew_ssl.sh
Paste
the following script.
#!/bin/bash
# ==============================================
# Force Renew Let's Encrypt SSL for Tomcat
# Domain: talentpos.xyz
# ==============================================
DOMAIN="talentpos.xyz"
LE_DIR="/etc/letsencrypt/live/$DOMAIN"
TOMCAT_CONF="/usr/local/tomcat/conf"
LOGFILE="/var/log/ssl-renew.log"
echo "==========================================" >> "$LOGFILE"
echo "Started : $(date)" >> "$LOGFILE"
echo "Stopping Tomcat..." >> "$LOGFILE"
/usr/local/tomcat/bin/shutdown.sh >> "$LOGFILE" 2>&1
sleep 10
echo "Force renewing SSL certificate..." >> "$LOGFILE"
/usr/bin/certbot renew --force-renewal >> "$LOGFILE" 2>&1
if [ $? -eq 0
]; then
echo "Renewal successful." >> "$LOGFILE"
cp -f "$LE_DIR/cert.pem" "$TOMCAT_CONF/"
cp -f "$LE_DIR/chain.pem" "$TOMCAT_CONF/"
cp -f "$LE_DIR/privkey.pem" "$TOMCAT_CONF/"
echo "Certificates copied." >> "$LOGFILE"
else
echo "Renewal failed. Existing certificates retained." >> "$LOGFILE"
fi
echo "Starting Tomcat..." >> "$LOGFILE"
/usr/local/tomcat/bin/startup.sh >> "$LOGFILE" 2>&1
echo "Finished : $(date)" >> "$LOGFILE"
echo "" >> "$LOGFILE"
Save
the file and make it executable.
chmod +x
/usr/local/bin/renew_ssl.sh
Step 3: Test the Script
Run
the script manually.
/usr/local/bin/renew_ssl.sh
After
completion, verify the SSL certificate again.
echo | openssl s_client -connect talentpos.xyz:443 -servername talentpos.xyz 2>/dev/null | openssl x509 -noout -dates \
| while IFS='=' read label date; do
echo "$label=$(TZ=Asia/Dhaka date -d "$date" '+%Y-%m-%d %I:%M:%S %p %Z')"
done
If
the renewal is successful, the notBefore and notAfter values will
be updated.
Step 4: Configure Automatic Renewal with Cron
Open
the root user’s crontab.
crontab -e
Run Every Day at 3:30 AM
30 3 * *
* /usr/local/bin/renew_ssl.sh
Run Every Day at 2:10 PM
10 14 * *
* /usr/local/bin/renew_ssl.sh
Run on the 21st of Every Month at
3:30 AM
30 3 21 * * /usr/local/bin/renew_ssl.sh
Save the file.
If using vi:
1.
Press Esc
2.
Type
:wq
3.
Press Enter
Verify the cron
configuration.
crontab -l
Step 5: Ensure Cron Service is Running
Check
the cron service.
systemctl status crond
If
it is not running:
systemctl enable crond
systemctl start crond
Step 6: Verify the Renewal Logs
Review
the cron execution log.
tail -100
/var/log/renew_ssl_cron.log
Review
the renewal log.
tail -100 /var/log/ssl-renew.log
Step 7: Check the Certificate Expiry Date
To
display only the expiry date in Bangladesh time:
TZ=Asia/Dhaka date -d "$(openssl x509 -in /etc/letsencrypt/live/talentpos.xyz/cert.pem -noout -enddate | cut -d= -f2)"
Example:
Sat Oct 10 13:19:31 +06 2026
Important Note About Let’s Encrypt Rate Limits
This
guide uses:
certbot renew --force-renewal
This
command always requests a new certificate, even if the existing
certificate is still valid.
Let’s
Encrypt limits certificate issuance to 5 certificates for the same set of
domain names within a rolling 7-day period. If this limit is exceeded,
renewal will fail with a rate-limit error.
For
production environments, it is generally recommended to use:
certbot renew
without
the --force-renewal
option, allowing Certbot to renew certificates only when they are eligible for
renewal.
Conclusion
By combining Certbot,
OpenSSL, Cron, and Tomcat, you can automate SSL
certificate management with minimal manual effort. A scheduled renewal process
helps prevent certificate expiration, reduces administrative overhead, and
ensures your web applications continue to serve secure HTTPS connections
reliably.
