How to Setup free Let's Encrypt SSL on Ubuntu and Apache Tomcat


Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache Tomcat on Ubuntu 18.04 and set up your certificate to renew automatically.


  1. Ubuntu Server 18.04
  2. Apache Tomcat
  3. A registered domain name. i.e
  4. An A record (for example pointing to your server’s public IP address.
  5. An A record (for example pointing to your server’s public IP address.

Step 1 — Installing Certbot

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Step 2— Create the SSL certificate for

certbot certonly --standalone -d

You will get an output like this.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2021-08-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Congrats, you are done. Yes, that is all you have to do. it will generate pem files in the /etc/letsencrypt/live/ folder.

Step— 3 Copy generated pem files to tomcat conf directory.

cd /etc/letsencrypt/live/
cp cert.pem /opt/tomcat/conf
cp chain.pem /opt/tomcat/conf
cp privkey.pem /opt/tomcat/conf

Step—4 Edit server.xml and configure the HTTPS connector.

Open the server.xml file in your favorite editor. find the commanded XML block like this.

<!--<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
              maxThreads="150" SSLEnabled="true" >
              <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                        certificateChainFile="conf/localhost-rsa-chain.pem"type="RSA" />
</Connector> -->

after the edit, the above code should look like this.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <Certificate certificateFile="conf/cert.pem"
                 certificateChainFile="conf/chain.pem" type="RSA" />

Now start your tomcat, open your browser and go to

Refresh your certificate every 90 days

SSL certificates provided by Let’s Encrypt expire after 90 days, unless you refresh them.

Refreshing is easy. First shutdown Apache Tomcat.

certbot certonly --standalone -d

and follow the same from Step 3.