As it happens, one way or another (and I'm not entirely sure
*which* way; I'd have to look at my notes), we *do* have Tomcat
listening directly on 443 (but not 80; nothing there is currently
listening on 80) on that particular EC2 instance (and I'm pretty
sure we have HTTPD running on a *different* port, for the SVN and
Trac sharing the box).

Hmm. It seems I was mistaken about two things: (1) that the Tomcat server under discussion is listening *directly* on 443, and (2) that I could find my notes on how I set the box up.

What I can find is the server.xml file, and the active connector definition. The thing that catches my eye is
port="8443" proxyPort="443"

I hope that indicates how it is I'm getting this to look like port 443 to the outside world, because I honestly can't remember what I did (even though it looks like it's only been six months since I did it).

I now know one thing that I apparently did *not* do: I did *not* have HTTPD handle the public-facing TLS for Tomcat, because when I swapped in a self-signed keystore on Tomcat, and used the new "Re-read TLS configuration files" button in Manager, the self-signed cert is what was visible to browsers.

Trac and SVN do indeed appear to be set up through HTTPD. And the Tomcat and Apache files appear to share a common keypair and certificate, and I'm pretty sure I remember *starting with* a Java Keystore (since it's very familiar territory for me, and since I have KeyStore Explorer on my Mac), and exporting files from it, i.e., (the names have been changed to protect the innocent), I started with "/etc/tomcat8/foo.bar.net.ks," and derived "/etc/pki/tls/certs/foo.bar.net.cer," "/etc/pki/tls/certs/foo.bar.net.ca.crt," and "/etc/pki/tls/private/foo.bar.net.key" from it.

Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" and ".key" files directly, instead of the Java Keystore file? If so, then that could potentially simplify things: if I have HTTPD listen on 80, and Tomcat sharing the same actual certificate and private key *files* that HTTPD uses, then the only other thing I have to automate would be a cron job to either restart Tomcat, or just do a programmatic "re-read TLS configuration," whenever the regular Let's Encrypt job for HTTPD completes.

Does any of this make any sense at all, or am I sucking antimatter?

--
James H. H. Lampert
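
The automation sketched in the post (Tomcat pointed at the same PEM files as HTTPD, plus a job that re-reads the TLS configuration whenever the Let's Encrypt renewal finishes) can be done without a separate cron job. The script below is an added example, not code from the original post or from the Tomcat project. It assumes the Let's Encrypt client is certbot and that the script is registered with `--deploy-hook`, so certbot runs it only after a successful renewal and exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS`. It also assumes Tomcat 8.5's `<Certificate certificateFile="…" certificateKeyFile="…" certificateChainFile="…">` already points at those PEM files, that a Manager user with the `manager-script` role exists, and that its credentials and the Manager's base URL arrive in the hypothetical `TOMCAT_MANAGER_USER`, `TOMCAT_MANAGER_PASSWORD` and `TOMCAT_MANAGER_URL` environment variables. The reload itself is the Manager text command `sslReload`, which is what the "Re-read TLS configuration files" button drives. Before calling it, the hook checks that every PEM file is present and that the private key is not readable by group or others, because a key that HTTPD and Tomcat both read is the easiest thing to get wrong when sharing files between two daemons.

```python
#!/usr/bin/env python3
"""Certbot deploy hook: verify the renewed PEM files, then ask Tomcat to re-read TLS.

Added example; not part of the original post or of Tomcat.  Assumptions:
  * run by certbot via --deploy-hook, so RENEWED_LINEAGE / RENEWED_DOMAINS are set;
  * Tomcat's <Certificate> element already references certbot's PEM files;
  * TOMCAT_MANAGER_USER / TOMCAT_MANAGER_PASSWORD / TOMCAT_MANAGER_URL are
    hypothetical environment variables holding manager-script credentials and
    a loopback Manager URL.
"""
import base64
import os
import stat
import sys
import urllib.request
from urllib.parse import urlencode

# certbot's fixed file names inside a lineage directory (/etc/letsencrypt/live/<name>/)
LINEAGE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def lineage_paths(lineage_dir):
    """Map each certbot PEM name to its full path under the renewed lineage."""
    return {name: os.path.join(lineage_dir, name) for name in LINEAGE_FILES}


def key_mode_is_private(mode):
    """True when a key file grants no group/other permissions (0600, 0400, ...)."""
    return (mode & 0o077) == 0


def basic_auth_header(user, password):
    """HTTP Basic Authorization value for the Manager credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def ssl_reload_request(manager_base, user, password, tls_host_name=None):
    """Build the GET for the Manager text command 'sslReload'.

    Without tlsHostName the Manager reloads every TLS virtual host.
    """
    url = manager_base.rstrip("/") + "/manager/text/sslReload"
    if tls_host_name:
        url += "?" + urlencode({"tlsHostName": tls_host_name})
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def manager_succeeded(body):
    """Manager text responses start with 'OK - ' on success and 'FAIL - ' otherwise."""
    return body.lstrip().startswith("OK - ")


def check_lineage(lineage_dir):
    """Return a list of problems: missing PEM files, or a key readable by others."""
    paths = lineage_paths(lineage_dir)
    problems = [f"missing {p}" for p in paths.values() if not os.path.isfile(p)]
    key = paths["privkey.pem"]
    if os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)  # follows certbot's live/ symlink
        if not key_mode_is_private(mode):
            problems.append(f"{key} has mode {mode:04o}; expected no group/other access")
    return problems


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set; run this as a certbot --deploy-hook")
    problems = check_lineage(lineage)
    if problems:
        sys.exit("; ".join(problems))  # refuse to reload onto a broken or exposed key
    domains = os.environ.get("RENEWED_DOMAINS", "").split()
    req = ssl_reload_request(
        # Default is an assumed loopback HTTP connector: reloading over HTTPS would
        # mean verifying the very certificate that is about to be replaced.
        os.environ.get("TOMCAT_MANAGER_URL", "http://127.0.0.1:8080"),
        os.environ["TOMCAT_MANAGER_USER"],
        os.environ["TOMCAT_MANAGER_PASSWORD"],
        domains[0] if domains else None,
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read().decode("utf-8", "replace")
    print(body.strip())
    sys.exit(0 if manager_succeeded(body) else 1)


if __name__ == "__main__":
    main()
```

Registering it is a matter of `certbot renew --deploy-hook /path/to/this-script.py` (or dropping it into `/etc/letsencrypt/renewal-hooks/deploy/`), and HTTPD's own reload stays wherever it already is; nothing here touches the Java keystore, which Tomcat no longer needs once the PEM attributes are in use.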

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
