Let's Encrypt Tomcat

Posted onby admin

Let’s Encrypt is primarily intended to work on Linux computers with Apache Web server. Here we describe (mostly manual) procedure to install Let’s Encrypt certificate for quite different environment – Tomcat server on Windows OS

We use external Linux system to run LetsEncrypt and synchronize our steps between Linux and target Windows computers

The procedure starts with proof of URL ownership. This means a LetsEncrypt generated file should be made available on a predefined URL. The file has random name and content. Provided we are requesting a certificate for example.com server, the verification location might be

Start tomcat with JPDASUSPEND=y, attach with jdb, then: use stop at org.apache.tomcat.util.net.jsse.JSSESocketFactory:588, run, print keyPass, print keystorePass – csutherl Apr 29 '16 at 17:11 If those passwords are correct and do actually gain access to the keystore/key, then I think you might be hitting a bug lower than tomcat in sun. Let’s Encrypt certificates for Tomcat on Windows computer Let’s Encrypt is primarily intended to work on Linux computers with Apache Web server. Here we describe (mostly manual) procedure to install Let’s Encrypt certificate for quite different environment – Tomcat server on Windows OS.

1. Optional step: use Mongoose for URL ownership verification

In some cases Tomcat config file may require substantial corrections for this URL verification. To avoid config changes we recommend to switch temporarily to free lightweight Mongoose web server, which works on Windows computer right out of the box.

  • stop Tomcat server
  • start Mongoose


2. On your Linux server run

./letsencrypt-auto certonly -d example.com –manual

watch the program output:

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf '%s' T67ar0vjJag02FWElYXyD5M3lU30CLrTwSxTNsky4j.ZQTu8ee1J5mjiEhRMuIoNS7k2rXbtzhxPpkuC2m1h4 > .well-known/acme-challenge/T67ar0vjJag02FWElYXyD5M3lU30CLrTwSxTNsky4j
# run only once per server:
$(command -v python2 command -v python2.7 command -v python2.6) -c
'import BaseHTTPServer, SimpleHTTPServer;
s = BaseHTTPServer.HTTPServer((', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);
Press ENTER to continue

NOTE: particular filename and content will be different. Random strings used here are illustrative only.

At this point use “printf” line of the program output and create a file in Mongoose document_root directory (see mongoose.conf: C:UsersYourHomeDirmongoose_www) named

with content

(Presumably the file already exists in /tmp/certbot/public_html/.well-known/acme-challenge catalog for a while)

and Press continue – congratulations


new cert, private key are in /etc/letsencrypt/live/example.com

3.Create PFX file:

4. Copy PFX to Windows computer

Let's Encrypt Tomcat Data

5. Stop Mongoose

If used

6. Create new keystore (delete an old one if exists)

For illustrative purposes here and below we use 20-chars keystore password UD84zraG6YNUbeRV9MKw

Type PFX file password when asked for “source keystore password”

c:ExampleAppDir>keytool -importkeystore -srckeystore example.com.pfx -srcstoretype pkcs12 -destkeystore example.com.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

7. Change keypass

Let's Encrypt Tomcat Password

(use PFX file password for “key password for “)

c:ExampleAppDir>keytool -keypasswd -alias tomcat -new UD84zraG6YNUbeRV9MKw -keystore example.com.jks
Enter keystore password:
Enter key password for <tomcat>

8. Start Tomcat

If HTTPS service does not work, stop Tomcat and see errors in the latest error log file, e.g

9. How to renew the certificate in three months

On the same Linux computer run

./letsencrypt-auto renew --webroot -w ~/temp/.well-known

When finished, letsencrypt informs on success:

Letsencrypt Tomcat 8 Ubuntu

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)

You will find new privkeyX.pem and fullchainX.pem files in /etc/letsencrypt/archive/example.com directory Directory /etc/letsencrypt/live/example.com holds links to the most recent PEM-files in archive directory. Go to paragraph 3. Create PFX file to continue with new credential

server.xml fragment

Using HTTPS on Tomcat with a let’s encrypt certificate is quite easy – as soon as you know how to do it (as usual). acme.sh provides a quite convenient way of getting and renewing certificates. This is extremely important as the certificates have a lifetime of just 60 days.

So get and “install” acme.sh first! And make sure Tomcat is running on port 80. Then start getting your certificate:

You should now have brand new certificates on your machine. Now setup the keystore for Tomcat.

Let's Encrypt Tomcat Email

The keystore should be ready now. Now let us tell Tomcat to use this keystore for HTTPS. Edit /etc/tomcat7/server.xml and apply the following changes to the Connector for 8443:

Lets Encrypt Zertifikat Tomcat

You should be done now. Now just restart Tomcat and test the certificate in the browser. If all is fine, don’t forget to schedule a cron job to refresh the certificate and execute the steps above of removing and adding the certificate to the keystore.