알쓸전컴 (things worth knowing about electronic computers)


Using Let's Encrypt certbot with Tomcat 8.5 or later

백곳 2018. 8. 21. 00:38



Reference: https://gasimof.com/install-free-ssl-certificate-for-tomcat/



1 Install Let’s Encrypt certificate

I actually installed Let’s Encrypt certificate for WordPress on Apache before and it was not so painful, because Apache is officially supported by Certbot – the tool for installing Let’s Encrypt certificates. But Tomcat is not supported and this makes the installation a bit complicated.

1.1 Prerequisites:

  • Tomcat 8.5 or higher. Certbot creates pem certificates for you and Tomcat 8.5 supports pem certificates out-of-box. For previous versions, you will need to create a java keystore file and import the created pem files into the keystore file.
  • Java 8 or higher. Make sure that tomcat uses Java 8 or higher.  Java 7 didn’t work for me, because it lacked some ciphers, which were necessary to make the generated Let’s Encrypt certificate work.

Ok, let’s get started.

1.2 Download the Certbot tool

First, I downloaded the Certbot tool:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

The certbot-auto wrapper has since been deprecated by the EFF and is no longer served from that URL; current installs use the distribution's certbot package or the certbot snap. Every command below works the same with certbot in place of certbot-auto.

1.3 Fetch SSL certificates

Then I fetched the SSL certificates for my website. Certbot needs a web server for that, because Let's Encrypt proves control of the domain by fetching a challenge file from it over plain HTTP on port 80. Here you have two choices:

  1. using the --standalone parameter, which spins up a temporary built-in web server on port 80. If you already have a web server listening there, you need to shut it down first.
  2. using the --webroot parameter and pointing it at the document root of your running web server. Certbot writes the challenge file under <webroot>/.well-known/acme-challenge/ and your web server serves it, so nothing has to be stopped; it does require that the web server answer for the domain on port 80.

I chose to use the --webroot parameter, because I was doing it in production and shutting down the production server was not an option.

$ sudo /path/to/certbot-auto certonly --webroot -w /path/to/apache-tomcat-8.5/webapps/ROOT -d example.com

This will create the following files under /etc/letsencrypt/live/YOUR_WEBSITE_HERE/ (symlinks to the current versions in /etc/letsencrypt/archive/; both directories are created readable by root only, which matters if Tomcat runs as its own user):

  • Certificate: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem
  • Chain: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem
  • Full Chain: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/fullchain.pem
  • Private Key: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem

1.4 Edit server.xml

Now it's time to let Tomcat know where the newly generated certificates are, so I edited the HTTPS connector in server.xml like this:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem"
                         certificateFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem"
                         certificateChainFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Note that I used Http11NioProtocol instead of Http11AprProtocol, because Http11AprProtocol didn't work out of the box and I would have needed to install more packages (the APR/native library) to make it work. You can find a short explanation of the difference between these protocols here.

Two things to check before restarting. The type attribute must match the key algorithm certbot actually issued: "RSA" for the RSA keys certbot generated by default in 2018, "EC" if the key is ECDSA (certbot's default key type since version 2.0); with a mismatch the connector fails to start. And the files under /etc/letsencrypt/live/ are readable by root only, so either copy them (from a certbot deploy hook, so the copy is refreshed on every renewal) into a directory the Tomcat service account can read, or grant that account read access to them. Do not run Tomcat as root just to read the key or to bind port 443; use CAP_NET_BIND_SERVICE, authbind, or a firewall redirect from 443 to an unprivileged port for that.

Then I restarted the Tomcat server.

Then also change the plain HTTP connector so that its redirectPort points at the HTTPS connector:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

Note that redirectPort on its own does not redirect HTTP to HTTPS. Tomcat only uses it when a request needs a secure channel, typically because the web application declares a <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> in its web.xml. Without such a constraint, port 8080 keeps serving plain HTTP.

2 Auto-renew certificates

Let's Encrypt certificates are valid for 90 days, so you need to renew them periodically. You can test automatic renewal for your certificates by running this command:

$ sudo /path/to/certbot-auto renew --dry-run

Required: before relying on the crontab, log in as root and run /path/to/certbot-auto renew once by hand, so that everything it needs gets installed under root.

When I ran it from root's crontab it strangely did not renew; the things certbot-auto needs in order to run had not been installed....


If that appears to work correctly, run it periodically from root's crontab, for example twice a day:

0 */12 * * * /home/ubuntu/certbot-auto renew --quiet

Certbot recommends running renew twice a day. It does nothing until the certificate is within 30 days of expiry (or has been revoked), but running it often gives your site a chance of staying online if Let's Encrypt revokes the certificate early for some reason. Because Tomcat 8.5 reads the PEM files when the connector starts, a renewed certificate is not used until Tomcat is restarted or reloaded; certbot's --deploy-hook option runs a command only when a certificate was actually renewed, which is the right place to do that.
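The renew-then-restart step above, as an added example that is not part of the original post and is not certbot's or Tomcat's own code: a certbot --deploy-hook script (run as root) that copies the renewed PEM files out of the root-only live directory into a directory Tomcat's service account can read, checks that the type attribute in server.xml matches the key that was issued (RSA or EC), and restarts Tomcat. The paths /opt/tomcat/conf/certs and /opt/tomcat/conf/server.xml, the group name tomcat, the domain example.com and the restart command systemctl restart tomcat are assumptions for this example; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot/Tomcat:
# a certbot --deploy-hook that stages renewed Let's Encrypt PEM files for
# Tomcat, checks the <Certificate type="..."> attribute, and restarts Tomcat.
# Every value marked "assumed" is an assumption made for this example.
set -eu

# certbot exports RENEWED_LINEAGE to deploy hooks; the fallback is assumed.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/example.com}"
TOMCAT_CERT_DIR="${TOMCAT_CERT_DIR:-/opt/tomcat/conf/certs}"    # assumed
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"                            # assumed
SERVER_XML="${SERVER_XML:-/opt/tomcat/conf/server.xml}"           # assumed
RESTART_CMD="${RESTART_CMD:-systemctl restart tomcat}"            # assumed

# Print the value Tomcat expects in <Certificate type="...">: RSA for an
# rsaEncryption public key, EC for id-ecPublicKey (certbot's default key
# type since 2.0). Fails on anything else rather than guessing.
cert_type() {
  alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  case "$alg" in
    rsaEncryption)  echo RSA ;;
    id-ecPublicKey) echo EC ;;
    *) echo "unsupported public key algorithm: '$alg'" >&2; return 1 ;;
  esac
}

# Copy the PEM files out of certbot's root-only live/ directory (symlinks
# into archive/) into a directory the Tomcat service account can read.
# Public material becomes 0644; the private key 0640, group-readable only.
stage_certs() {
  src=$1; dst=$2; group=$3
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
  done
  mkdir -p "$dst"
  chmod 750 "$dst"
  chgrp "$group" "$dst"
  for f in cert.pem chain.pem fullchain.pem; do
    cp "$src/$f" "$dst/$f.tmp"
    chmod 0644 "$dst/$f.tmp"
    mv -f "$dst/$f.tmp" "$dst/$f"
  done
  # restrictive umask while the key is copied, then an atomic rename, so
  # Tomcat never opens a half-written or world-readable key
  ( umask 077; cp "$src/privkey.pem" "$dst/privkey.pem.tmp" )
  chgrp "$group" "$dst/privkey.pem.tmp"
  chmod 0640 "$dst/privkey.pem.tmp"
  mv -f "$dst/privkey.pem.tmp" "$dst/privkey.pem"
}

# Compare the type="..." attribute of the <Certificate> element in server.xml
# with the key algorithm actually issued; a mismatch stops the connector.
check_server_xml_type() {
  server_xml=$1; expected=$2
  configured=$(sed -n 's/^/ /; s/.*[[:space:]]type="\([[:upper:]]*\)".*/\1/p' \
               "$server_xml" | head -n 1)
  if [ "$configured" = "$expected" ]; then
    return 0
  fi
  echo "$server_xml has type=\"$configured\" but the issued key needs type=\"$expected\"" >&2
  return 1
}

deploy() {
  stage_certs "$LIVE_DIR" "$TOMCAT_CERT_DIR" "$TOMCAT_GROUP"
  issued=$(cert_type "$TOMCAT_CERT_DIR/cert.pem")
  check_server_xml_type "$SERVER_XML" "$issued"
  $RESTART_CMD
}

# Act only when run as a certbot hook (RENEWED_LINEAGE set) or when asked
# explicitly, so sourcing the file for its functions has no side effects.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```

Wire it in with certbot-auto renew --deploy-hook /usr/local/sbin/tomcat-cert-hook.sh (the hook path is assumed), or drop the script into /etc/letsencrypt/renewal-hooks/deploy/ so every renew run uses it, and point certificateKeyFile, certificateFile and certificateChainFile in server.xml at the staged copies instead of at /etc/letsencrypt/live/. Tomcat then never needs read access to certbot's directories and never runs as root.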

Additional important points

The port requirement depends on the mode: in standalone mode certbot-auto listens on port 80 itself (and on 443 for the old TLS-SNI challenge), so whatever is already listening on those ports on the server being certified has to be stopped first. That is why the --webroot option is the one to use while Tomcat is running. If you leave out --webroot, certbot-auto shows a menu of authenticators, and standalone is the one to choose there.

In both modes the Let's Encrypt validation servers connect to the domain from the outside, so the domain must resolve to the public IP of the machine where certbot-auto runs (or of something that forwards port 80 to it), and that port must be reachable through any firewall.

This part cost me a great deal of trial and error.

