Set up SSL
SSH into the new serverEnsure that the server has been fully installed, and an instance has been installed as wellTo install run:ts install
Solution 1, SSL offload using nginxInstall nginx, run:ts install-proxySetup a proxy, run:ts setup-proxy
Solution 2, SSL connector in TomcatRun:ts install-routing
Install certbot, run:ts install-sslWhen the install finishes, select Y, or run:ts setup-sslFollow the prompts
Old implementation
The following is the old, manual, way of installing SSL certs.
Tomcat 7 automatic installation
Using the TS commandline tools, you specify the domain and your email
tsinstallssl.sh server.acme.com [email protected]
After a couple of minutes you will be rquired to enter the domain an email again, and accept the terms of service
Tomcat 7 manual installation
Install and configure letsencrypt
Download an build certbot (letsencrypt client)
sudo yum -y install python27-devel git (deprecated)sudo yum -y install python36 python36-pip
sudo yum -y install git-all
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --debug --agree-tosCreate a config file
sudo touch /etc/letsencrypt/config.ini
sudo chmod 777 /etc/letsencrypt/config.ini
sudo echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
sudo echo "email = [email protected]" >> /etc/letsencrypt/config.iniGenerate PKCS12 certificate
Generate a certificate
sudo mkdir /usr/share/tomcat7/webapps/ROOT
/opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos Convert to pkcs12 format
sudo -s
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
chmod 755 bundle.pfx
chmod 755 /etc/letsencrypt/live Press: ctrl + dInstall certificate in Tomcat
Edit Tomcat configuration
sudo nano /usr/share/tomcat7/conf/server.xml <Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx" keystorePass="TempusServaSecret"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
Reboot the server
service tomcat7 restartAutomated renewals
Before starting test that the renewal process works
/opt/letsencrypt/letsencrypt-auto renew --dry-runMake sure the path is accessible from cron
sudo chmod go+x /etc/letsencrypt/archive
sudo chmod go+x /etc/letsencrypt/liveMake a script file
sudo nano /usr/bin/tsrefreshcerts.sh.... containing the following commands
/opt/letsencrypt/letsencrypt-auto renew
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
/usr/bin/tstomcatrestart.shNow add a job to the crontab
sudo crontab -l > tempcron
echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron
sudo crontab tempcron
rm tempcronProblems with Amazon Linux?
In case the autorenewal process fails try updating the dependencies and pip
sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface
sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip
sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/Still got problems with Amazon Linux?
In case certbot cant find the root folder try and run it manually
sudo /opt/letsencrypt/letsencrypt-auto certonlyChoose the following values when prompted
2: Place files in webroot directory (webroot)
<domain>
2: Renew & replace the cert (may be subject to CA rate limits)
/usr/share/tomcat7/webapps/ROOT/Need manual crontab install?
Steps
- sudo crontab -e
- press INSERT
- move to bottom of file
- paste this
0 0 1 * * /usr/bin/tsrefreshcerts.sh- press ESC
- press :wq