Put subdomain under https using Tomcat9 as webserver

by Massimiliano Moraca   Last Updated August 01, 2020 11:02 AM

I have Tomcat9 installed on a server with Ubuntu 20.04. My aim is to put this subdomain under https: gis.massimilianomoraca.it, because I need a secure connection for some GeoServer instances.

Since I used Let's Encrypt for my main site, I want to use the same service for the subdomain. The main site is on a server with Ubuntu 18.04 and uses Nginx because it is based on Django. Two years ago I followed these simple steps to put my main site under https.

For Tomcat9 I need to follow this procedure. Following it, I was able to install Tomcat9 and GeoServer without problems.

The problems come when I try to put the server on https. I generated the key pair and the certificate using the previous Let's Encrypt procedure. Indeed I have these files inside /etc/letsencrypt/live/:

cert.pem chain.pem fullchain.pem privkey.pem

Then I have to convert the key pair and certificate to a Java keystore. I do this:

openssl pkcs12 -export -out /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/gis.massimilianomoraca.it/fullchain.pem \
    -inkey /etc/letsencrypt/live/gis.massimilianomoraca.it/privkey.pem \
    -name tomcat9

Now I can convert that PKCS12 to a JKS:

keytool -importkeystore \
    -deststorepass password -destkeypass password -destkeystore /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it.jks \
    -srckeystore /etc/letsencrypt/live/gis.massimilianomoraca.it/gis.massimilianomoraca.it_fullchain_and_key.p12  -srcstoretype PKCS12 -srcstorepass password \
    -alias tomcat9

And I follow this procedure to finish the process:

mkdir /usr/local/tomcat9/certbot
copy gis.massimilianomoraca.it.jks inside certbot
chown -R tomcat9:tomcat9 /usr/local/tomcat9

Edit the Tomcat conf/server.xml and add an SSL connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
     clientAuth="true" sslProtocol="TLS"
     keystoreType="JKS" keystorePass="password"
     truststoreType="JKS" truststorePass="password" />

and comment out this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Obviously stop and start Tomcat9.

I see http://gis.massimilianomoraca.it:8080/ without problems, but if I try to go to https I see this error:

This site can’t provide a secure connection. gis.massimilianomoraca.it sent an invalid response. ERR_SSL_PROTOCOL_ERROR
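As an added example, not part of the original question: the connector posted above names no key material at all. Without keystoreFile, Tomcat looks for ${user.home}/.keystore of the user it runs as (here tomcat9), so the JKS copied into /usr/local/tomcat9/certbot is never read, and clientAuth="true" additionally requires every browser to present a client certificate. The fragment below is a Tomcat 9 connector in the SSLHostConfig form that points at the Let's Encrypt PEM files directly (Tomcat 8.5+ reads PEM with plain JSSE, so the openssl/keytool conversion is not needed), with the keystore variant left as a commented alternative. The paths under /usr/local/tomcat9/certbot and the alias tomcat9 are assumed from the steps in the question.

```xml
<!-- Added example (not from the original post): a working HTTPS connector
     for Tomcat 9. Assumes the Let's Encrypt files were copied to
     /usr/local/tomcat9/certbot and are readable by the tomcat9 user. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">

    <!-- protocols: only TLS 1.2 and 1.3.
         certificateVerification="none" is the replacement for the old
         clientAuth attribute; "required" would be the equivalent of the
         clientAuth="true" in the question and makes browsers without a
         client certificate fail the handshake. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   certificateVerification="none">

        <!-- Option A: PEM files straight from certbot. cert.pem is the
             leaf, chain.pem the intermediate(s), privkey.pem an
             unencrypted PKCS#8 key. -->
        <Certificate certificateFile="/usr/local/tomcat9/certbot/cert.pem"
                     certificateKeyFile="/usr/local/tomcat9/certbot/privkey.pem"
                     certificateChainFile="/usr/local/tomcat9/certbot/chain.pem" />

        <!-- Option B: the keystore built in the question. The PKCS12 file
             from the openssl step can be loaded directly; the keytool
             JKS conversion is redundant. Replace the password placeholder
             with the one actually used at export time.
        <Certificate certificateKeystoreFile="/usr/local/tomcat9/certbot/gis.massimilianomoraca.it_fullchain_and_key.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeyAlias="tomcat9" />
        -->
    </SSLHostConfig>
</Connector>
```

A few checks and caveats a practitioner would want before restarting: the key and certificate files should be readable only by root and the tomcat9 user (for example owner root:tomcat9, mode 640) rather than making the whole of /usr/local/tomcat9 writable by tomcat9, which lets any compromised webapp rewrite conf/server.xml; Let's Encrypt certificates expire after 90 days, so whatever copies the files into the certbot directory has to run again on every renewal (a certbot --deploy-hook that copies and restarts Tomcat is the usual way); and after the restart, look in logs/catalina.out for a connector initialisation error, then test the port with `openssl s_client -connect gis.massimilianomoraca.it:8443 -servername gis.massimilianomoraca.it`. If the browser keeps reporting ERR_SSL_PROTOCOL_ERROR, make sure the URL is actually hitting 8443: that error is what a browser shows when it starts a TLS handshake against a port that answers in plain HTTP, for instance https on 8080 or a 443-to-8080 redirect.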
