Mladen,

On 9/30/16 10:34 AM, Mladen Adamović wrote:
> Hi all,
>
> I'm running 3 servers with Tomcat (migrated from Glassfish which is
> not maintained well imo). But documentation is kind of not the best
> for configuring HTTPS/SSL.
>
> I've written my own tutorial how to do that using Letsencrypt and
> Tomcat native:
> https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/
>
> As you can notice from the tutorial:
> - I'm running 8.5.5 from website (not the prepackaged one which comes with Ubuntu)
> - run Tomcat as non-root user and do iptables forwarding because of that
> - implemented my own ACME support for Letsencrypt (it's easy)
>
> I'm using it for my own purposes, but if people have suggestions to
> improve it, I'd be happy to consider it.
>
> I hope it will be useful to other people as well.

Thanks for doing this guide. I'm mostly interested in the Let's Encrypt part, because everything else is very straightforward IMO.

I have some comments about the LE stuff.

First, this is a bad idea:

    chmod o+rx /etc/letsencrypt
    chmod o+rx /etc/letsencrypt/archive
    chmod o+rx /etc/letsencrypt/archive/online-utility.org
    chmod o+rx /etc/letsencrypt/live

That gives world-readable access to your server's private keys. There are better ways to allow the Tomcat user to read these certificates. For example, on my server, the /etc/letsencrypt/archive directory and contents are group-owned by a group called "ssl-cert". It's better to add the Tomcat user to the ssl-cert group than to open the certs and keys to the whole world.

Second, the ACME servlet doesn't need to be mounted on /* -- you can just as easily mount it on /.well-known/acme/*. Better yet, just configure the <Context> to contain some <PreResources> that mounts a special directory (/tmp/letsencrypt/public_html/.well-known/acme-challenge/ in your example) into the URL space of the application. Less code = less opportunities for errors.

Better even still, package a web application called ".well-known" with the complete configuration necessary. Then all that is required is to drop the WAR file into Tomcat's auto-deploy directory (CATALINA_HOME/webapps) and allow LE to authenticate your control over the server.

Third, I haven't spent much time with LE yet, but I believe you can simply "renew" your cert instead of requesting a new one:

    $ /path/to/certbot renew

This will perform the steps for renewal that were originally used to obtain the certificate. So, I believe, if you used the "certonly" plugin, then it will again only use the "certonly" plugin. Similarly, if you use the "webroot" plugin, it will be used again. For Tomcat, you might have to adjust the caching configuration to get it to work properly.

I for one am interested in getting official support for Tomcat into the command-line tools for Let's Encrypt. I tried to understand how certbot works, but it's clear that I'd need a curated guide to building a new plug-in for Tomcat. When I have some time (ha ha), I'll reach out to the LE folks to see what it would take.
-chris
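The group-based alternative to the "chmod o+rx" recipe, as an added example that is not part of either message above. It assumes the group is called "ssl-cert", the Tomcat service user is "tomcat", and the certificate tree lives under /etc/letsencrypt; the fixing function must be run as root, the checking function can run as anyone with access to the tree.

```shell
#!/bin/sh
# Added example (not from the original thread). Replaces world-readable
# /etc/letsencrypt with group-scoped access: the ssl-cert group can read,
# everyone else is locked out, and the Tomcat user joins the group.
# Assumptions: group "ssl-cert", user "tomcat", tree /etc/letsencrypt.

# List every file or directory under DIR that grants "other" any access
# (the condition the original chmod o+rx lines create). Returns 1 if any
# such entry exists, 0 if the tree is clean, so it can gate a deploy.
find_world_accessible() {
    dir="$1"
    hits=$(find "$dir" -perm /o+rwx 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Group-own the tree, grant the group read (and traverse on directories
# via X), strip all "other" bits, and add USER to GROUP. Needs root.
restrict_to_group() {
    dir="$1"; group="$2"; user="$3"
    getent group "$group" >/dev/null || groupadd "$group"
    chgrp -R "$group" "$dir"
    chmod -R g+rX,o-rwx "$dir"
    usermod -a -G "$group" "$user"
}

# Only act on the live tree when explicitly asked: ./fix-le-perms.sh --apply
if [ "${1:-}" = "--apply" ]; then
    restrict_to_group /etc/letsencrypt ssl-cert tomcat
    if find_world_accessible /etc/letsencrypt >/dev/null; then
        echo "OK: nothing world-accessible under /etc/letsencrypt"
    else
        echo "WARNING: world-accessible entries remain (listed above)" >&2
        exit 1
    fi
fi
```

Tomcat only picks up the new group membership after a restart of the service, so run the check again once it is back up.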