I used LetsEncrypt that turned out to be very easy to configure with TomCat.
Step 1
Install the
certbot
utility and use it generate a certificate. $ sudo certbot certonly
Step 2
Configure TomCat 8+ connectors. This used to be more complex on older TomCat servers with the need to generate a separate keystore. Editing
We also configure SSL connector, using port 443, change to NIO based protocol (the default requires extra native library)
$CATALINA_HOME/confg/server.xml
we configure the base connected, redirectPort is changed from 8443 to 443
(and 8080 to 80). <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
We also configure SSL connector, using port 443, change to NIO based protocol (the default requires extra native library)
org.apache.coyote.http2.Http2Protocol
, and set the file paths to the .pem
files generated by certbot. <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="/etc/letsencrypt/live/www.simolecule.com/privkey.pem" certificateFile="/etc/letsencrypt/live/www.simolecule.com/cert.pem" certificateChainFile="/etc/letsencrypt/live/www.simolecule.com/chain.pem" type="RSA" /> </SSLHostConfig> </Connector>
Step 3 (optional)
If a client tries to visit the HTTP site we want to redirect them to HTTPS. To do this we edit
$CATALINA_HOME/confg/web.xml
adding this section to the end of the <web-app>
block<security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
No comments:
Post a Comment
Note: only a member of this blog may post a comment.