LetsEncrypt: Tomcat API Webapp with SSL on Apache

LinkedIn Tweet Facebook
LetsEncrypt: Tomcat API Webapp with SSL on Apache


We assume the following is performed before proceeding.

Check Servers

Considering you have a web app running on tomcat. Please check if the following is accessible and working.


Why not use certbot on Tomcat

There are many benefits of using Apache in front of tomcat. This leaves tomcat from the burden of managing SSL and proxy.

Install Apache Server

sudo apt-get install apache2

Apache Server is installed on default port 80. This should open the default apache page. http://api.example.com/

Let's Encrypt SSL on Apache

Let's encrypt lets you install free SSL certificate which can be renewed. In this article, we are going to install let's encrypt on apache and forward the requests to tomcat.


sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache 

sudo certbot --apache

Follow the instructions. Agree to terms. You need to map the domain name to the IP on this server. Use the same domain name for the SSL. For example, api.example.com

Remove the default SSL file provided by the Apache.

sudo rm /etc/apache2/sites-available/000-default-ssl.conf

Proxy Configuration

Since we did not alter anything in apache. Certbot will generate the following conf file.

sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf

We will add forwarding to this file. You can place it below the line containing DocumentRoot

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ProxyPreserveHost On

ProxyPass /
ProxyPassReverse /

DocumentRoot here is useless. All the forwarding will be done to tomcat.

Enable Proxy Modules

Now enable the following modules before restarting apache server

sudo a2enmod proxy
sudo a2enmod rewrite
sudo a2enmod proxy_http
sudo service apache2 restart

If you have port 443 opened on your linux machine https://api.example.com/webapp will take to the desired webapp

If correctly configured, apache should restart properly and all requests sent to


will be forward to

Close Port 8080

Also, care to close the 8080 port from public access so that the users cannot directly open the tomcat server.


apachectl configtest

The above command helps you to test if everything is configured correctly with apache

Apache SSLCertificateFile error: Does not exist or is empty.

If you get this error run the command given below

The error will tell you the file from /etc/letsencrypt/live but they are linked from /etc/letsencrypt/archive so changing permission for /etc/letsencrypt/live will not help

sudo chmod 0755 /etc/letsencrypt/archive