Thursday 25 October 2018

CDK Depict on HTTPS

Just a quick post to say CDK Depict is now served over HTTPS: https://simolecule.com/cdkdepict/depict.html. The main reason for this was that Blogger stopped allowing image links to HTTP resources. In general, browsers are becoming fussier about non-HTTPS content.

I used Let's Encrypt, which turned out to be very easy to configure with Tomcat.

Step 1

Install the certbot utility and use it to generate a certificate.

$ sudo certbot certonly

Step 2

Configure the Tomcat 8+ connectors. This used to be more complex on older Tomcat versions, which needed a separate Java keystore to be generated. Editing $CATALINA_HOME/conf/server.xml, we first configure the plain HTTP connector: redirectPort is changed from 8443 to 443 (and the port from 8080 to 80).

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

We also configure the SSL connector on port 443: switch it to the NIO-based protocol org.apache.coyote.http11.Http11NioProtocol (the default native/APR connector requires an extra native library), enable HTTP/2 through the org.apache.coyote.http2.Http2Protocol upgrade protocol, and set the file paths to the .pem files generated by certbot.

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeyFile="/etc/letsencrypt/live/www.simolecule.com/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/www.simolecule.com/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/www.simolecule.com/chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

Step 3 (optional)

If a client visits the HTTP site we want to redirect them to HTTPS. To do this we edit $CATALINA_HOME/conf/web.xml, adding this section at the end of the <web-app> block (just before the closing tag). Tomcat honours the CONFIDENTIAL constraint by redirecting to the redirectPort of the connector the request arrived on, so the two steps have to agree.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
