How to Setup free Let's Encrypt SSL on Ubuntu and Apache Tomcat

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache Tomcat on Ubuntu 18.04 and set up your certificate to renew automatically.

Prerequisites

  1. Ubuntu Server 18.04
  2. Apache Tomcat
  3. A registered domain name, for example geekscoder.com.
  4. An A record (for example geekscoder.com) pointing to your server’s public IP address.
  5. An A record (for example www.geekscoder.com) pointing to your server’s public IP address.

Step 1 — Installing Certbot

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Step 2 — Create the SSL certificate for geekscoder.com.

certbot certonly --standalone -d geekscoder.com

You will get an output like this.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for geekscoder.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/geekscoder.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/geekscoder.com/privkey.pem
   Your cert will expire on 2021-08-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congrats, the certificate part is done. Yes, that is all you have to do: Certbot has generated the pem files in the /etc/letsencrypt/live/geekscoder.com/ folder.

Step 3 — Copy the generated pem files to the Tomcat conf directory.

cd /etc/letsencrypt/live/geekscoder.com
cp cert.pem /opt/tomcat/conf
cp chain.pem /opt/tomcat/conf
cp privkey.pem /opt/tomcat/conf

Step 4 — Edit server.xml and configure the HTTPS connector.

Open the server.xml file in your favorite editor and find the commented-out XML block that looks like this.

<!--<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
        maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem"
                 certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" />
  </SSLHostConfig>
</Connector> -->

After the edit, the block should look like this.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" type="RSA" />
  </SSLHostConfig>
</Connector>

Now start Tomcat, open your browser, and go to https://geekscoder.com.

Refresh your certificate every 90 days

SSL certificates provided by Let’s Encrypt expire after 90 days, unless you refresh them.

Renewing is easy. First shut down Apache Tomcat, because the standalone authenticator used above starts its own small web server to answer the http-01 challenge and needs the HTTP port free. Then run:

certbot certonly --standalone -d geekscoder.com

and follow the same steps from Step 3 onward.
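Step 3 and the renewal section both copy the same three pem files by hand. The following POSIX shell helper does that copy with the checks a practitioner would add (all three files present before anything is touched, atomic rename, private key not world-readable). It is an added example, not code from the tutorial; the default paths /etc/letsencrypt/live and /opt/tomcat/conf are the ones the tutorial uses, and the function name is my own.

```shell
#!/bin/sh
# Added example: copy Let's Encrypt pem files for a domain into Tomcat's conf
# directory. Usage: deploy_tomcat_certs <domain> [live_root] [tomcat_conf]
# Defaults assume the tutorial's layout (/etc/letsencrypt/live, /opt/tomcat/conf).
deploy_tomcat_certs() {
    domain="$1"
    live_root="${2:-/etc/letsencrypt/live}"
    tomcat_conf="${3:-/opt/tomcat/conf}"
    src="$live_root/$domain"

    # Every file the Tomcat <Certificate> element references must exist and be
    # non-empty before the conf directory is touched, so a half-finished copy
    # never leaves Tomcat with a key that does not match its cert.
    for f in cert.pem chain.pem privkey.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done
    if [ ! -d "$tomcat_conf" ]; then
        echo "no such directory: $tomcat_conf" >&2
        return 1
    fi

    # Copy to a temporary name, then rename: Tomcat never sees a partial file.
    # cp follows the symlinks certbot keeps under live/, so the current
    # archive version is what lands in conf/.
    for f in cert.pem chain.pem privkey.pem; do
        cp "$src/$f" "$tomcat_conf/$f.tmp"
        mv "$tomcat_conf/$f.tmp" "$tomcat_conf/$f"
    done

    # The private key must stay private; cert and chain are public material.
    chmod 600 "$tomcat_conf/privkey.pem"
    chmod 644 "$tomcat_conf/cert.pem" "$tomcat_conf/chain.pem"
    return 0
}
```

Run it after each renewal (for example from certbot's --deploy-hook), then restart Tomcat so it reloads the new files.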