Certbot Tomcat

Posted onby admin

Certbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward, to continue renewing the site’s HTTPS certificates whenever necessary). Some Certbot documentation assumes or recommends that you have a working web site that can already be. Install Let’s Encrypt with Tomcat. Certbot is a tool that allows us to automatically generate and download Let’s Encrypt certificates in a very easy way. So the first step is to install it. Sudo apt update sudo apt install certbot. Then, generate the certificates using the following command. Sudo certbot certonly – standalone -d domain.

  1. Certbot Tomcat
  2. Certbot Tomcat Vs
  3. Apache Tomcat Certbot
  4. Certbot Tomcat Download
  5. Certbot Tomcat Reviews

Need Hosting? Try ours, it's fast, reliable and feature loaded with support you can depend on.

SSL/TLS certificates are used to encrypt the incoming and outgoing data from server to client and vice versa. SSL works on public key authentication mechanism. Whenever a client is sending any information to server, if their is SSL working then the browser will encrypt the data using the public key provided by server and then it will send the data to server. Once the data is received at server, it decrypts it with the private key which resides on the server. The advantage here is that if an attacker is intercepting the data, he will not be able to decrypt and understand the data without private key.

Installing the SSL/TLS certificate on a Linux server is a complex job, but EFF developed Certbot, a tool which automates the process of installing and configuring SSL on Apache webserver makes it easier. Certbot is client for Let's Encrypt project, and was previously known as letsencrypt. Using Certbot we can automatically install SSL's on Apache web server for free as it is an open source project.

In this tutorial we will learn how to secure our website running on Apache with an SSL/TLS certificate from Let's Encrypt using Certbot in Ubuntu 14.04 and Ubuntu 16.04 server. We will also learn to automate the renewal of certificates using Cron Jobs.


You will need a VPS or Cloud Server with any machine running on either Ubuntu 14.04 or Ubuntu 16.04. You will need an A record pointed towards the IP address of your server. Because when we will be installing the SSL certificate installer will automatically check if domain is pointed towards server or not. You can easily point your domain to the IP address using A record through DNS management by logging into the domain control panel of your domain.

In this tutorial we will consider that you are logged in to your server using non root account. If you are logged in using root account, simply omit using sudo command before the commands we will be using.

Additionally you will need an Apache web server installed on your machine. If you do not have Apache installed in your machine, you can do it by running the following command.

This command will install the Apache web server in your machine. If you now access your website using your server IP or domain, you should see Apache default page. For more information on installing Apache or LAMP stack, you may read How to Install LAMP with phpMyAdmin on Ubuntu.

Install Certbot SSL on Ubuntu 14.04

Certbot is not prepacked on this version of ubuntu so you will have to download it from it's website. You can either download the installer script from Certbot's official website or you can clone the files from github. If you want to download the script from Certbot's website then run the following command.

It's a small script hence will not take more then seconds to download. Now you will have to give the script privileges to execute. Run the following command

Now you can run the installer script by executing following command.

An alternative method to download the installer script from official repository of Certbot, using git. Download git using the following command.

Once git is installed, run the following command to clone the repository.

Now run the following command to change the directory.

From here, you can also run the same command to run the installer, which is -

If you run the above command then the installer script will guide you through the installation interactively. If you run the installer script without any arguments then the script will download all the dependencies it needs to install the SSL certificate. It will ask you if you want to continue with installation, before downloading and installing dependencies, enter y and continue with the installation.

Once all the dependencies have been installed, it will check your configuration files to find the domains, if there is none, then it will ask you to enter your domain names. You can enter more the one domain, separated by comma or space. Make sure that the domains you are entering are created in Virtual Hosts configuration files.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/1018398591.png' alt=' />

Press the OK button to proceed. Now it will ask you to enter your email, this email will be used for urgent notices and lost key recovery.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/1901038619.png' alt=' />

Press the OK button again and you will be asked to accept the terms and conditions. Click on the Agree button to proceed further. Next you will be asked whether HTTPS is required or optional. If you choose easy then your website can be browsed using HTTP and HTTPS both. If you choose secure, then if somebody tries to browse your website with HTTP connection, he will be automatically redirected to secure connection or HTTPS.Choose accordingly.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/131830748.png' alt=' />

Now you will be shown an message that you have successfully enabled SSL on the domains you have entered.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/1880646937.png' alt=' />

Some important information will be shown to you in which you will be told about the expiry of the certificate, which is 90 days from the date of installation. You may now navigate to the directory /etc/letsencrypt/live to check the keys associated with your domain. It is strongly advised that you take regular backup of the directory /etc/letsencrypt because this directory contains all of your account credentials.

Finally you can verify the installation of SSL by going to -

If you see a green padlock at the corner of the domain, your website is now secured.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/577884551.png' alt=' />

Alternatively you can go to -

It will tell you all the information and grade of your SSL certificate.

If you'd like you can give additional arguments while installing the cert. Use -d followed by the domain name if you want to install the certificate for more domains or subdomains. For example if you want to install the certificate for mydomain.com as well as www.mydomain.com and hello.mydomain.com, use the following command.

Now the installer will install the certificate for all these domains. You can also specify your email using --email argument followed by your email address. Although you can specify the these arguments in command line but if you run the script without any arguments then you can provide all the required information interactively during installation.

If you want to obtain only the certificates from Let's encrypt, you can do so by running the following command instead of the above.

Now the script will only obtain the certificates, installer will not do any modifications in your Apache configuration files. You can manually install the certificates later on.

Automatic Renewal

Let's Encrypt CA issues the certificate for a very short period which is 90 days, so it is important that we renew the certificate once every three months. To renew the certificate run the following command.

This command will check for the certificates which are going to expire within 30 days, and it will automatically renew them. But we can simplify the process of automatic renewal using cron. Cron jobs are used for scheduling tasks in linux. Before using a cron job, we must move the installation script to some place safer than the current directory.

Move the installer script to /etc directory using the following command.

Now edit crontab file using the command -


Now open the crontab file in text editor, enter the following line at the end of the file.

Write the file once done. The above command will run the installer script to renew the certificate at 1 AM, every Monday. If the script finds any certificate which is to be renewed within 30 days, installer will automatically renew them. We have used --quiet argument so that installer will work in background and will not produce any error or warning.

HP_NO_IMG/data/uploads/users/1db92c87-dcef-4179-9435-27572e5eb57c/241326747.png' alt=' />

Install Certbot SSL on Ubuntu 16.04

In Ubuntu 16.04 Certbot package is prepacked. To install Certbot SSL from official repository of Ubuntu 16.04, you can simply run this command to install the dependencies.

Once you run this command, it will ask you to confirm installing packages, press y to proceed through the installation. It will now automatically install all the required packages.

Now run the following command to start the installation of Certbot or Let's Encrypt SSL.

This command will start the installation and it is same as we installed in ubuntu 14.04. We can also specify the arguments with the above command. For example --email or -d etc.

If you want to obtain only the certificates from Let's Encrypt, you can do so by running the following command instead of the above.

Now the script will only obtain the certificates, installer will not do any modifications to your configuration files. You manually install the certificates later.

Automatic Renewal

In Ubuntu 16.04 you can renew the certificate using the following command.

This command will simply check for all the certificates which are expiring in a month, and it automatically renews them. To automate this task using cron scheduler, you can edit the crontab file using the following command.

Now at the end of the file append this line.

Write the file once done. The above command will run the installer script every monday at 1 AM. If the script finds any certificate which is scheduled to be renewed, the script renews the certificates. --quiet argument enable the command to run the task in background without producing any error.


We have successfully installed SSL/TLS certificate provided by Let's Encrypt Certificate Authority on both Ubuntu 14.04 and Ubuntu 16.04. We also learned to automate the renewal process using Cron Jobs. Using SSL/TLS certificate we can secure our incoming and outgoing data.

Need Hosting? Try ours, it's fast, reliable and feature loaded with support you can depend on.

Because I struggled for several days and I found a solution quite simple I would like to share it with others.

Certbot Tomcat

I searched in forums a long time, I found some solutions but none was up to date or close to what I have done.

So First of all I assume that your Tomcat is already installed (Tested with Tomcat 6/7).

Certbot Tomcat Vs

Then first thing is to install certbot, I’m working on Ubuntu, so the following how to should works on any Debian based release:

Now keystore creation (exemple for tomcat 7):

sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat/.keystore -keysize 2048

/! Important /!

The common name has to be your FQDN, for instance : www.myexample.com

once the private key created, make the CSR:

sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat/.keystore

Then we start the certificat creation process:

First of all be sure that your website name is well resolved but any process using port 443 has to be shut :

If your tomcat use explicitly port 443 :

If as me, you redirect request for port 443 to 8443 (default ssl port for Tomcat) you’ll have to flush your iptables first, otherwise when certbot will test your connection, it’s request will be redirected to port 8443 :

And then we launch the certficate build :

Now you should have a file named 0000_chain.pem we will add it to the keystore:

sudo keytool -import -trustcacerts -alias tomcat -file 0000_chain.pem -keystore /usr/share/tomcat7/.keystore

2 things left, first modify the tomcat server.xml (/etc/tomcat7/server.xml for me):

Apache Tomcat Certbot

Find “<!-- Define a SSL HTTP/1.1 Connector on port 8443” you should find after this comment a commented connector :

remove the comments ( before and after the connector) and make you connectore look like that:

Now restart services :

Certbot Tomcat Download

Everything should be OK now, I think I did not forgot anything, if you have any comment or suggest tell me I’ll update this little tuto.

Certbot Tomcat Reviews

Here a little bash script I did to automate this process (Also used in crontab to be called every 90 days) :