Put subdomain under https using Tomcat9 as webserver

I have Tomcat9 installed on a server with Ubuntu 20.04. My aim is to put this subdomain under https: gis.massimilianomoraca.it, because I need to use a secure connection for some GeoServer instances.

Since I used Let’s Encrypt for my main site, I want to use the same service for the subdomain. The main site is on a server with Ubuntu 18.04 and uses Nginx because my site is based on Django. Two years ago I followed this simple step to put my main site under https.

For Tomcat9 I need to follow this procedure. Following this procedure I was able to install Tomcat9 and GeoServer without problems.

The problems came when I tried to put the server on https. I generated the keypair and the certificate using the previous procedure from Let’s Encrypt. Indeed I have these files inside /etc/letsencrypt/live/:

cert.pem
chain.pem
fullchain.pem
privkey.pem

Then I must convert the keypair and certificate to a Java keystore. I do this:

openssl pkcs12 -export -out /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/gis.massimilianomoraca.it/fullchain.pem \
    -inkey /etc/letsencrypt/live/gis.massimilianomoraca.it/privkey.pem \
    -name tomcat9

Now I can convert that PKCS12 to a JKS:

keytool -importkeystore \
    -deststorepass password -destkeypass password -destkeystore /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it.jks \
    -srckeystore /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it_fullchain_and_key.p12  -srcstoretype PKCS12 -srcstorepass password \
    -alias tomcat9

And I follow this procedure to end the process:

mkdir /usr/local/tomcat9/certbot
cp /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it.jks /usr/local/tomcat9/certbot/
chown -R tomcat9:tomcat9 /usr/local/tomcat9

Edit the Tomcat conf/server.xml and add an SSL connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
     clientAuth="true" sslProtocol="TLS"
     keystoreFile="${catalina.home}/certbot/gis.massimilianomoraca.it.jks"
     keystoreType="JKS" keystorePass="password"
     truststoreFile="${catalina.home}/certbot/gis.massimilianomoraca.it.jks"
     truststoreType="JKS" truststorePass="password" />

and comment out this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Obviously stop and start Tomcat9.

I see http://gis.massimilianomoraca.it:8080/ without problems but if I try to go to https I see this error:

This site can’t provide a secure connection
gis.massimilianomoraca.it sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
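
An added example, not part of the original post: a small Python audit of the Connector settings shown above, flagging the ones that affect whether and how a browser can complete a TLS handshake and how well the key material is protected. The surrounding server.xml, the plain connector on 8080 and the finding codes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the TLS Connector from the post inside a minimal server.xml,
# plus a plain connector on 8080 (assumed, since the post browses to :8080).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
     secure="true" clientAuth="true" sslProtocol="TLS"
     keystoreFile="${catalina.home}/certbot/gis.massimilianomoraca.it.jks"
     keystoreType="JKS" keystorePass="password"
     truststoreFile="${catalina.home}/certbot/gis.massimilianomoraca.it.jks"
     truststoreType="JKS" truststorePass="password" />
</Service></Server>"""

# "changeit" is Tomcat's documented default keystore password.
WEAK_PASSWORDS = {"", "password", "changeit"}


def audit_connectors(xml_text):
    """Return sorted (port, code) findings for each Connector in server.xml."""
    findings = set()
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = int(conn.get("port", "0"))
        if conn.get("SSLEnabled", "false").lower() != "true":
            # No TLS here: https:// against this port cannot complete a handshake.
            findings.add((port, "PLAINTEXT_PORT"))
            continue
        if port != 443:
            # Browsers default https:// to 443, so the URL must name this port.
            findings.add((port, "NON_DEFAULT_TLS_PORT"))
        if conn.get("clientAuth", "false").lower() == "true":
            # Mutual TLS: the server demands a certificate from every client.
            findings.add((port, "CLIENT_CERT_REQUIRED"))
        for attr in ("keystorePass", "truststorePass"):
            if conn.get(attr) in WEAK_PASSWORDS:
                findings.add((port, "WEAK_" + attr.upper()))
        trust = conn.get("truststoreFile")
        if trust and trust == conn.get("keystoreFile"):
            # Trust anchors for client certs share the file holding the private key.
            findings.add((port, "TRUSTSTORE_IS_KEYSTORE"))
    return sorted(findings)


if __name__ == "__main__":
    for port, code in audit_connectors(SERVER_XML):
        print(port, code)
```
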
