How to Implement SSL/TLS in Apache Tomcat on CentOS Linux :
Tomcat Pre-Installation :
https://www.tecmint.com/install-apache-tomcat-in-centos/
useradd nt
passwd nt
password : aDMIN123 (sample password used in these notes; pick your own strong one. The nt account only matters if Tomcat is actually started as that user, see step 5 below)
yum install java-1.8.0-openjdk-devel #install JDK 8
java -version
cd /usr/local
yum install wget
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.39/bin/apache-tomcat-9.0.39.tar.gz
tar -xvf apache-tomcat-9.0.39.tar.gz
mv apache-tomcat-9.0.39 tomcat
echo 'export CATALINA_HOME=/usr/local/tomcat' >> ~/.bashrc
source ~/.bashrc
Now we are all set to start the Tomcat web server using the scripts shipped with the Tomcat package:
cd /usr/local/tomcat/bin
./startup.sh
Open port 8080 so the default HTTP connector is reachable. Without --permanent these firewall-cmd rules disappear at the next firewalld restart; add --permanent and then run firewall-cmd --reload if they are meant to stay:
sudo firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-port=8080/tcp
Check the default page from a browser, replacing 192.168.1.100 with your server's address:
http://192.168.1.100:8080
Then stop Tomcat again before moving on to the TLS setup:
cd /usr/local/tomcat/bin
./shutdown.sh
-------------------------------------------------------------------------------------------------------------------------------
1 - Make sure ports 80 (http) and 443 (https) are open to the world. Port 80 is needed because certbot's standalone mode answers the Let's Encrypt HTTP-01 challenge on it, so nothing else may be listening there while certbot runs; as before, add --permanent and run firewall-cmd --reload if the rules are to survive a firewalld restart:
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp
2 - Install certbot and request the certificate (bms-erp.online is the domain used in these notes; its DNS record must already point at this Vultr server, because Let's Encrypt connects to it to validate the challenge):
sudo yum install epel-release
sudo yum install certbot
certbot certonly --standalone -d bms-erp.online
certbot finishes with a summary like the following. Note the lineage name: certbot appends -0001 when a certificate for the same name already existed on this host, so run certbot certificates to see which lineage is current and use that directory in the steps below (the steps use /etc/letsencrypt/live/bms-erp.online):
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bms-erp.online-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bms-erp.online-0001/privkey.pem
Your certificate will expire on 2022-10-07. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
3 - View the certificates generated:
ls /etc/letsencrypt/live/bms-erp.online
ls -l /usr/local/tomcat
4 - Copy the PEM files into Tomcat's conf directory (the entries under live/ are symlinks into /etc/letsencrypt/archive; cp copies the files they point to):
cd /etc/letsencrypt/live/bms-erp.online
cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf
5 - Fix ownership. This only has an effect if Tomcat is actually started as the nt user (the startup.sh calls in these notes run as root); in that case also restrict the copied private key to that user with mode 600, and remember that a non-root Tomcat cannot bind port 443 without extra help such as the CAP_NET_BIND_SERVICE capability. Tomcat reads only the copies in conf, so the chown under /etc/letsencrypt is optional; chown on the symlinks in live/ changes the ownership of the archive files they point to:
cd /usr/local/tomcat/conf
chown nt:nt *.pem
cd /etc/letsencrypt/live/bms-erp.online
chown nt:nt *.pem
6 - View the files :
ls -l /usr/local/tomcat/conf
7 - Edit the server.xml file :
cd /usr/local/tomcat/conf
vi server.xml
Add these lines (the NIO connector reads PEM files through Tomcat's built-in JSSE support, so tomcat-native/APR is not required; relative paths are resolved against $CATALINA_BASE, so conf/cert.pem is /usr/local/tomcat/conf/cert.pem):
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>
after the commented-out HTTPS example that ships in server.xml:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
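A hardened version of the same connector pair, as an added example rather than the page's own server.xml. The minimal connector above works, but it leaves the protocol policy at Tomcat's default of "all" (whether TLS 1.0/1.1 are then offered depends on the JDK's java.security settings) and keeps the plain-text 8080 connector with no link to the TLS one. The protocols, honorCipherOrder and redirectPort values below are assumptions about what you want, not something the notes prescribe; TLSv1.3 needs a JDK that supports it (OpenJDK 8u261 or later).

```xml
<!-- Plain HTTP connector from the stock server.xml, now pointing at the TLS
     connector. redirectPort is only used when a web application declares a
     <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>;
     it is not an automatic HTTP-to-HTTPS redirect for every request. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- TLS connector with the Let's Encrypt files copied into conf/ (step 4).
     protocols pins TLS 1.2 and 1.3 explicitly instead of relying on the
     JDK's defaults; honorCipherOrder makes the server's preference win. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true">
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

If port 8080 is not needed from outside once HTTPS works, closing it in firewalld (it was opened during pre-installation) is simpler than relying on redirects.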
8 - Set the Tomcat users and their passwords (needed for the Manager web application, not for TLS itself; use a strong password, not the sample one from the pre-installation notes):
vi /usr/local/tomcat/conf/tomcat-users.xml
9 - Start Tomcat and check that https://bms-erp.online/ answers with the Let's Encrypt certificate :
cd /usr/local/tomcat/bin
./startup.sh
10 - If the HTTPS connector does not come up, look for SSL errors in /usr/local/tomcat/logs/catalina.out, fix them and restart Tomcat :
cd /usr/local/tomcat/bin
./shutdown.sh
./startup.sh
Simple renewal process to follow every quarter (Let's Encrypt certificates are valid for 90 days; certbot renew only replaces certificates that are within 30 days of expiry, so running it more often is harmless). With standalone mode, port 80 must again be free while it runs :
Renew the certificate with certbot :
certbot renew
Go to the Let's Encrypt live folder for the domain :
cd /etc/letsencrypt/live/bms-erp.online
Copy the files into Tomcat's conf directory. All three are needed: a renewal generates a new private key by default, so the old privkey.pem would not match the new certificate :
cp cert.pem /usr/local/tomcat/conf
cp chain.pem /usr/local/tomcat/conf
cp privkey.pem /usr/local/tomcat/conf
Restart Tomcat so it loads the new files :
cd /usr/local/tomcat/bin
./shutdown.sh
./startup.sh
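The manual renewal steps above can be automated as a certbot deploy hook, so the copy, permission fix and restart happen only when a certificate was actually renewed. The script below is an added example, not part of the original notes; it assumes the paths and the nt user from these notes (all overridable through the environment) and adds one check the manual procedure lacks: it refuses to restart Tomcat if the copied private key does not belong to the copied certificate, which is what happens when only some of the files were copied.

```shell
#!/bin/bash
# tomcat-cert-deploy.sh (added example): certbot deploy hook that repeats the
# manual copy/restart steps. Paths and the nt user are the ones used in these
# notes; override them through the environment if yours differ.
set -eu

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/bms-erp.online}"
TOMCAT_CONF="${TOMCAT_CONF:-/usr/local/tomcat/conf}"
TOMCAT_USER="${TOMCAT_USER:-nt}"
CATALINA_BIN="${CATALINA_BIN:-/usr/local/tomcat/bin}"

# Copy cert.pem, chain.pem and privkey.pem from a certbot lineage directory into
# Tomcat's conf directory. The private key ends up mode 0600; ownership is only
# changed when running as root and the target user exists. Returns 1 if any of
# the three files is missing, without touching the destination.
deploy_tomcat_cert() {
    local live="$1" conf="$2" owner="$3" f
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$conf"
    # cp follows the symlinks in live/, so the copies are regular files
    cp "$live/cert.pem" "$conf/cert.pem"
    cp "$live/chain.pem" "$conf/chain.pem"
    cp "$live/privkey.pem" "$conf/privkey.pem"
    chmod 0644 "$conf/cert.pem" "$conf/chain.pem"
    chmod 0600 "$conf/privkey.pem"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$conf/cert.pem" "$conf/chain.pem" "$conf/privkey.pem"
    fi
}

# Compare the public key derived from the private key with the one inside the
# certificate; works for RSA and ECDSA alike. Returns 1 on mismatch or unreadable
# files, 0 when they match. Skipped (returns 0) when openssl is not installed.
verify_key_matches_cert() {
    local conf="$1" key_pub cert_pub
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
    key_pub=$(openssl pkey -in "$conf/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$conf/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Same stop/start sequence as the manual steps. shutdown.sh returns before the
# JVM has exited, so wait a few seconds (assumed sufficient here) before starting.
restart_tomcat() {
    local bin="$1"
    "$bin/shutdown.sh" || true   # fails harmlessly if Tomcat was not running
    sleep 5
    "$bin/startup.sh"
}

main() {
    deploy_tomcat_cert "$LIVE_DIR" "$TOMCAT_CONF" "$TOMCAT_USER"
    verify_key_matches_cert "$TOMCAT_CONF"
    restart_tomcat "$CATALINA_BIN"
}

# Run only when certbot invokes the script as a hook (RENEWED_LINEAGE set) or
# when called by hand with --deploy; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--deploy" ]; then
    main
fi
```

Install it as /usr/local/sbin/tomcat-cert-deploy.sh (path assumed), make it executable, and run the quarterly step as certbot renew --deploy-hook /usr/local/sbin/tomcat-cert-deploy.sh, for example from a root cron job; the hook is not run when nothing was due for renewal. After a restart, openssl s_client -connect bms-erp.online:443 -servername bms-erp.online shows which certificate Tomcat is actually serving.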