Auto Renew Let's Encrypt Java Keystore (2017-11-07)


Let's Encrypt is a relatively new service that provides free SSL certificates. SSL is as important as ever, with many popular browsers now showing warnings for form submissions that don't use SSL; not to mention the fact that Google has been ranking SSL-encrypted pages higher than non-encrypted ones for a couple of years now. It's pretty easy to get set up with your free cert by visiting the Let's Encrypt website. Whilst the service is great, it relies heavily on certbot, which auto-renews your certificate; otherwise your cert only lasts a few months. A cursory glance shows that Apache Tomcat isn't supported by certbot.

My Solution:

First, there are a couple of dependencies to install. Make sure you have certbot installed as described here. This script also assumes that wget and java are already installed. For example, on CentOS 7:

yum install epel-release
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot wget

My solution assumes the use of a Java keystore; it pays to mention that things can be simpler without a Java keystore: certbot automatically creates PEM files, and if you are using a version of Tomcat greater than 8.5.4 you can install the native DLL/binary in order to use PEM files directly. Other than that, it's pretty simple: just create a bash file using your favourite editor (e.g. vi, nano etc.) in /etc/cron.monthly (the commands below assume it is named renew-cert) and make the script file itself executable. Do not make the directory world-writable, as anything placed there runs as root:

chmod 755 /etc/cron.monthly/renew-cert

And then just paste the following code into your file:

#!/bin/bash
# The variable values in this first block are not given on the original page; fill them in for your host.
mydomain=www.example.com #put your domain here (also used as the certificate CN below)
keystore_dir=/usr/share/apache-tomcat-8.5.13/conf/ #directory holding the keystore (keep the trailing slash)
keystore_file=keystore.jks #live keystore read by Tomcat
temp_keystore=keystore.jks.new #freshly built keystore, swapped in at the end
keystore_alias=tomcat
keystore_pass=changeit #set your own; the same value goes into server.xml
working_dir=/root/ #store temporary files
keytool_path=/usr/java/jdk1.8.0_121/bin/keytool #Change to point to your keytool path
webroot=/usr/share/apache-tomcat-8.5.13/webapps/ROOT/ #Change to point to your webroot
cd $working_dir || exit 1
rm -f $keystore_dir$temp_keystore #start from an empty keystore so -genkey does not fail on an existing alias
$keytool_path -genkey -alias $keystore_alias -keyalg RSA -keystore $keystore_dir$temp_keystore -keysize 2048 -storepass $keystore_pass -dname "cn=$mydomain, ou=Internet Services, o=Your Company Inc., l=Your City, st=Your State (non abbreviated), c=Your 2 letter country code" -keypass $keystore_pass
$keytool_path -certreq -alias $keystore_alias -keyalg RSA -file request.csr -keystore $keystore_dir$temp_keystore -storepass $keystore_pass #add -ext "san=dns:$mydomain,dns:<non-www name>" to support the non-www version of your domain as well
certbot certonly --csr request.csr --webroot -w $webroot -d $mydomain
#with --csr, certbot writes 0000_cert.pem and 0000_chain.pem into the working directory
wget -q https://letsencrypt.org/certs/isrgrootx1.pem.txt #ISRG root; this download step is implied by the wget dependency and the mv below
mv isrgrootx1.pem.txt root.pem
$keytool_path -import -alias root -keystore $keystore_dir$temp_keystore -trustcacerts -file root.pem -storepass $keystore_pass -noprompt
$keytool_path -import -alias intermed -keystore $keystore_dir$temp_keystore -trustcacerts -file 0000_chain.pem -storepass $keystore_pass -noprompt
$keytool_path -import -alias $keystore_alias -keystore $keystore_dir$temp_keystore -trustcacerts -file 0000_cert.pem -storepass $keystore_pass -noprompt
rm -f *.pem
rm -f request.csr
service tomcat stop
sleep 5
rm -f $keystore_dir$keystore_file
mv $keystore_dir$temp_keystore $keystore_dir$keystore_file
service mariadb restart
sleep 5
service tomcat start

Edit your server.xml file to overwrite the previous values for the connectors. Make sure that the keystore_file, keystore_dir, keystore_alias, and keystore_pass placeholders below are replaced with the same values used in the script above.

<Connector port="80" protocol="HTTP/1.1"
           redirectPort="443" />

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           address="YOUR_IP_ADDRESS"
           keyAlias="keystore_alias"
           keystoreFile="keystore_dir/keystore_file"
           keystorePass="keystore_pass"
           connectionTimeout="300" />

Then run the script manually once to get things started (the first run requires you to agree to the terms & conditions etc.); after that it will run automatically without user interaction.

Check the console output for any errors. If there aren't any, then boom: you now have a perpetual free SSL certificate for your Apache Tomcat server that is patched for modern exploits such as Heartbleed and POODLE. If you do find errors, you may want to consult the documentation on how to switch over to the sandbox version of Let's Encrypt, because if you try this unsuccessfully too many times you will be blocked from the production service for that URL for a week.
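The script above requests a new certificate every time cron runs it, whether or not the current one is anywhere near expiry; the helper below (added here, not part of the original post) decides from a certificate's notAfter date whether a run should renew at all, which keeps a misbehaving cron job from burning through the rate limit just mentioned. It assumes GNU date and openssl are installed; RENEW_DAYS, cert_not_after, days_left and needs_renewal are names chosen for this example.

```shell
#!/bin/bash
# Let's Encrypt certs last 90 days. Only renew when fewer than RENEW_DAYS
# remain, so a monthly cron run does not request a fresh cert every time.
RENEW_DAYS=30

# cert_not_after FILE -> prints the notAfter date of a PEM certificate,
# e.g. "Nov  7 00:00:00 2017 GMT" (the format openssl emits)
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# days_left NOTAFTER [NOW_EPOCH] -> prints whole days until NOTAFTER.
# NOW_EPOCH defaults to the current time; passing it makes the check testable.
# Returns 1 (prints nothing) if the date cannot be parsed (GNU date -d assumed).
days_left() {
  local exp now
  exp=$(date -u -d "$1" +%s 2>/dev/null) || return 1
  now=${2:-$(date -u +%s)}
  echo $(( (exp - now) / 86400 ))
}

# needs_renewal NOTAFTER [NOW_EPOCH] -> exit status 0 when the cron job
# should run the renewal, 1 when the current cert is still fine.
# An unparsable date counts as "renew": failing open here is safer than
# silently letting the cert expire.
needs_renewal() {
  local d
  d=$(days_left "$1" "$2") || return 0
  [ "$d" -lt "$RENEW_DAYS" ]
}

# Typical use at the top of the renewal script (path is an assumption):
#   needs_renewal "$(cert_not_after /path/to/current/cert.pem)" || exit 0
```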

© Copyright Griffin Software 2013