LetsEncrypt: Tomcat API Webapp with SSL on Apache
We assume the following has been done before proceeding.
- Linux server installed
- Apache Tomcat running on port 8080 on the same machine.
- A domain name points to this server (e.g. api.example.com)
Assuming you have a web app running on Tomcat, check that the following is accessible and working before proceeding.
Why not use Certbot on Tomcat
- Tomcat usually doesn't bind to port 80.
- Certbot certificate renewal can be challenging with Tomcat.
- Tomcat uses Java keystores, but Certbot creates PEM files.
- Certbot needs graceful reloads after renewal, which Tomcat does not handle well.
There are many benefits to running Apache in front of Tomcat. It relieves Tomcat of the burden of managing SSL and proxying.
Install Apache Server
sudo apt-get install apache2
Apache is installed listening on the default port 80. Opening http://api.example.com/ should show the default Apache page.
Let's Encrypt SSL on Apache
Let's Encrypt lets you install a free SSL certificate which can be renewed. In this article we install Let's Encrypt on Apache and forward requests to Tomcat.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache
Follow the instructions. Agree to terms.
You need to map the domain name to the IP of this server, and use the same domain name for the SSL certificate. For example,
Remove the default SSL site file provided by Apache.
sudo rm /etc/apache2/sites-available/000-default-ssl.conf
Since we did not alter anything in Apache, Certbot will have generated the following conf file.
sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf
We will add forwarding to this file. Place the proxy directives below the lines containing ServerAdmin and DocumentRoot, so that section reads:
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
DocumentRoot has no effect here, since every request is forwarded to Tomcat.
Enable Proxy Modules
Now enable the following modules, then restart the Apache server:
sudo a2enmod proxy
sudo a2enmod rewrite
sudo a2enmod proxy_http
sudo service apache2 restart
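The two steps above (editing the certbot-generated vhost and enabling the proxy modules) as one added example that is not from the original article: the first function renders a complete TLS VirtualHost that forwards everything to Tomcat, the second reads the output of apache2ctl -M and lists the required modules that are still not loaded. The function names, the direct SSLEngine/SSLCertificateFile lines (standing in for the SSL settings certbot writes into the file) and the RequestHeader line, which needs mod_headers (sudo a2enmod headers) and a Tomcat side that trusts X-Forwarded-Proto, are my assumptions, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: render the complete TLS vhost
# that proxies to Tomcat, and check which Apache modules it needs are loaded.
# Assumed: Tomcat on 127.0.0.1:$port, certbot-managed certificate paths, and
# a Tomcat side that trusts the X-Forwarded-Proto header (e.g. RemoteIpValve).

# Print the VirtualHost for server name $1 forwarding everything to Tomcat on port $2.
render_proxy_vhost() {
    domain="$1"
    port="$2"
    cat <<EOF
<VirtualHost *:443>
    ServerName ${domain}
    ServerAdmin webmaster@localhost

    # certbot points these at symlinks that resolve into /etc/letsencrypt/archive
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem

    # keep the client's Host header so Tomcat builds correct absolute URLs
    ProxyPreserveHost On
    # tell Tomcat the client used HTTPS, otherwise its redirects fall back to http://
    # (needs mod_headers; Tomcat must be configured to trust this header)
    RequestHeader set X-Forwarded-Proto "https"

    # forward everything to Tomcat on the loopback interface
    ProxyPass / http://127.0.0.1:${port}/
    ProxyPassReverse / http://127.0.0.1:${port}/
</VirtualHost>
EOF
}

# Read "apache2ctl -M" output on stdin and print each required module that is
# not loaded, one per line. Returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    loaded=$(cat)
    missing=0
    for mod in ssl proxy proxy_http headers; do
        # apache2ctl -M prints one " name_module (shared|static)" line per module
        if ! printf '%s\n' "$loaded" | grep -q "^ *${mod}_module"; then
            echo "$mod"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run: show the rendered vhost for api.example.com.
render_proxy_vhost api.example.com 8080
```

On the server, apache2ctl -M | missing_modules tells you what a2enmod still has to enable, and apachectl configtest is worth running before the restart so a typo in the vhost does not take the site down.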
If port 443 is open on your Linux machine, https://api.example.com/webapp will take you to the desired webapp.
If correctly configured, Apache should restart properly and all requests sent to
will be forwarded to
Close Port 8080
Also, take care to block port 8080 from public access so that users cannot reach the Tomcat server directly.
The above command helps you test whether everything is configured correctly with Apache.
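A check for the point above, added here and not part of the original article: the function reads the output of ss -ltn and reports any listener on the Tomcat port that is bound to a wildcard address rather than loopback. The column layout assumed for ss -ltn (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: report whether Tomcat's port is
# reachable from outside the host. It parses "ss -ltn" output, whose column
# layout (State Recv-Q Send-Q Local Address:Port Peer Address:Port) is assumed.

# Read "ss -ltn" lines on stdin and print every listener on port $1 that is
# bound to a wildcard address (0.0.0.0, * or [::]) instead of loopback.
# Returns 0 when the port is loopback-only or not listening at all, 1 when it
# is exposed.
exposed_listeners() {
    port="$1"
    exposed=0
    while read -r _state _rq _sq laddr _rest; do
        # keep only sockets on the requested port, e.g. "0.0.0.0:8080" or "[::]:8080"
        case "$laddr" in
            *:"$port") addr="${laddr%:*}" ;;
            *) continue ;;
        esac
        case "$addr" in
            127.*|'[::1]') ;;                # loopback: only local processes can connect
            *) echo "$laddr"; exposed=1 ;;   # anything else is reachable from the network
        esac
    done
    return $exposed
}

# Constructed sample of "ss -ltn" output with Tomcat bound to all interfaces.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       100     0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128     127.0.0.1:8005      0.0.0.0:*
LISTEN  0       511     *:443               *:*'

# On a real host run:  ss -ltn | exposed_listeners 8080
# Against the constructed sample this prints "0.0.0.0:8080" and returns 1.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8080 \
    || echo "Tomcat port 8080 is exposed; bind it to 127.0.0.1 and firewall it"
```

A firewall rule for 8080 is worth having, but the more robust fix is to make Tomcat listen on loopback only (the address attribute on the HTTP Connector in server.xml set to 127.0.0.1), so that a later firewall mistake cannot expose it; the check above then reports nothing for 8080.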
Apache SSLCertificateFile error: Does not exist or is empty.
If you get this error, run the command given below.
The error message names a file under /etc/letsencrypt/live, but those files are symlinks into /etc/letsencrypt/archive, so changing permissions on /etc/letsencrypt/live alone will not help.
sudo chmod 0755 /etc/letsencrypt/archive
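The diagnosis behind that fix, as an added example that is not from the original article: the function follows the /etc/letsencrypt/live symlink to its real target under /etc/letsencrypt/archive and reports which path component blocks access, so you see whether the problem is the archive directory, the file itself, or a missing or empty target. It assumes GNU readlink -f and stat -c; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: explain an "SSLCertificateFile:
# file does not exist or is empty" error by following the /etc/letsencrypt/live
# symlink to its target under /etc/letsencrypt/archive and reporting which
# path component blocks access. Assumes GNU readlink -f and stat -c.

# Last octal digit of a path's mode, i.e. the permission bits for "others".
others_bits() {
    mode=$(stat -c %a "$1")
    printf '%s' "${mode#"${mode%?}"}"
}

# Print every component that blocks world access to the certificate at $1:
# the real file if it lacks the others-read bit, and any directory above it
# that lacks the others-execute (search) bit. Returns 0 when nothing blocks
# access, 1 otherwise.
blocking_components() {
    target=$(readlink -f "$1") || return 1
    if [ ! -s "$target" ]; then
        # matches Apache's own wording: the link target is absent or empty
        echo "missing or empty: $target"
        return 1
    fi
    blocked=0
    case "$(others_bits "$target")" in
        4|5|6|7) ;;
        *) echo "not world-readable: $target"; blocked=1 ;;
    esac
    dir=$(dirname "$target")
    while :; do
        case "$(others_bits "$dir")" in
            1|3|5|7) ;;
            *) echo "not world-searchable: $dir"; blocked=1 ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $blocked
}

# Stand-alone run against the path Apache complains about, e.g.:
#   blocking_components /etc/letsencrypt/live/api.example.com/fullchain.pem
# A line such as "not world-searchable: /etc/letsencrypt/archive" is what the
# chmod 0755 above fixes.
```

Run it against the exact path from the error message; an archive directory that is only searchable by root shows up as "not world-searchable", which is the case the chmod above addresses, while a "missing or empty" line means the symlink points at a certificate that was never written.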