Installing an SSL Certificate on Tomcat

If you have Tomcat installed on your Mac or Linux computer, like I have shown here and here, you may sooner or later want to serve content not only over HTTP but also securely over HTTPS. Instead of going the self-signed route, where the certificate is signed with its own private key, I'm describing how to acquire an SSL certificate that is signed by a certificate authority (CA) and how to configure Tomcat to use it. While not free, I gladly pay sslmate the $16 for the convenience of getting a certificate that works everywhere.

Prerequisites

Here are the things you should already have in place.

  • A host and a domain name (for this example I’m going to use “alpha” and “techcasita.com”).
  • Access to an email account associated with that domain (for instance admin@techcasita.com). I currently prefer Google as my registrar, which allows you to forward email to any address of your choosing.
  • A user account at sslmate
  • Tomcat already installed on your Mac or Linux computer

Installing sslmate

Depending on your OS, you can find detailed instructions on how to install sslmate. For Ubuntu 18.04, for instance, it's as easy as this:

If this is the first time you are doing this, you continue by buying a certificate on the command line, like so:

Otherwise it's a renewal, which works very similarly:

After a verification email containing a "validation code" is sent to admin@techcasita.com, sslmate downloads and stores the certificates in /etc/sslmate as follows:

  • Private key: alpha.techcasita.com.key
  • Bare certificate: alpha.techcasita.com.crt
  • Certificate chain: alpha.techcasita.com.chain.crt
  • Certificate with chain: alpha.techcasita.com.chained.crt

Creating a Java Key Store

Pick a strong password and, for simplicity, use it throughout this process.

For instance:
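The conversion from sslmate's PEM files to a keystore Tomcat can load, as an added example that is not part of the original post: the private key and the chained certificate from the list above are bundled into a PKCS12 file with openssl and then copied into a JKS keystore with keytool. The file names follow the post; the alias "tomcat", the output directory, the KS_PASS environment variable, and the assumption that openssl and keytool are on the PATH are mine.

```shell
# Added example (not from the original post): build a Java keystore from the
# PEM files sslmate stores in /etc/sslmate. Assumed: the file names listed in
# the post, the alias "tomcat", and openssl plus keytool on the PATH.

# pem_to_keystore HOST SRC_DIR OUT_DIR PASSWORD
# Writes OUT_DIR/HOST.p12 and OUT_DIR/HOST.jks, both protected by PASSWORD.
pem_to_keystore() {
    host=$1; src=$2; out=$3; pass=$4
    key="$src/$host.key"
    chained="$src/$host.chained.crt"   # leaf plus intermediates: what the server must send
    [ -r "$key" ] || { echo "missing or unreadable key: $key" >&2; return 1; }
    [ -r "$chained" ] || { echo "missing chained certificate: $chained" >&2; return 1; }

    # PKCS12 bundles the private key with the whole chain under one alias.
    # The password travels in the environment, not in argv, so it is not
    # visible in `ps` while the command runs.
    KS_PASS=$pass openssl pkcs12 -export -name tomcat \
        -in "$chained" -inkey "$key" \
        -out "$out/$host.p12" -passout env:KS_PASS || return 1

    # Older Tomcat releases want JKS; Tomcat 8.5 and later read the .p12 directly
    # (keystoreType="PKCS12"), so this second step is optional there.
    KS_PASS=$pass keytool -importkeystore -noprompt \
        -srckeystore "$out/$host.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$out/$host.jks" -deststoretype JKS -deststorepass:env KS_PASS \
        >/dev/null 2>&1 || return 1

    # Both files contain the private key: owner-only permissions.
    chmod 600 "$out/$host.p12" "$out/$host.jks"
}

# keystore_has_alias KEYSTORE PASSWORD ALIAS -> 0 if the entry exists
keystore_has_alias() {
    KS_PASS=$2 keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$3" >/dev/null 2>&1
}

# Usage on the host from the post, with enough rights to read the key file:
#   pem_to_keystore alpha.techcasita.com /etc/sslmate /etc/sslmate "$KS_PASS"
#   keystore_has_alias /etc/sslmate/alpha.techcasita.com.jks "$KS_PASS" tomcat
```

Using the chained file rather than the bare certificate is the point of the first step: whatever goes into the keystore is exactly what Tomcat will send to clients, and a keystore built from the bare .crt produces a server that browsers with a cached intermediate accept while strict clients reject it.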

Tomcat Configuration

The next step is to edit Tomcat's conf/server.xml and configure the "SSL HTTP/1.1 Connector" entry for the default HTTPS port, 443:

Optionally, you could consider adding the following attributes into the Connector tag as well:

  • minSpareThreads="25"
  • maxSpareThreads="75"
  • enableLookups="false"
  • disableUploadTimeout="true"
  • acceptCount="100"
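The Connector entry written out, plus the permission check worth doing before the restart, as an added example that is not part of the original post. It uses the legacy attribute names (keystoreFile, keystorePass, clientAuth, sslProtocol) that Tomcat 7 through 9 accept; the keystore path and the KS_PASS variable are my assumptions from the keystore step, not names from the post.

```shell
# Added example (not from the original post): print the HTTPS Connector for
# conf/server.xml and check the keystore's permissions before restarting.
# Assumed: keystore path and KS_PASS variable from the keystore step.

# https_connector KEYSTORE_FILE KEYSTORE_PASS [PORT] -> prints the XML element
https_connector() {
    ks=$1; pass=$2; port=${3:-443}
    cat <<EOF
<!-- SSL HTTP/1.1 Connector on port $port -->
<Connector port="$port" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$ks" keystoreType="JKS" keystorePass="$pass" />
EOF
}

# check_keystore_perms KEYSTORE_FILE -> 0 only if the file exists and nobody
# but its owner can read it. The keystore holds the private key, and the
# keystorePass ends up in server.xml, so that file deserves the same treatment.
check_keystore_perms() {
    ks=$1
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback; both print e.g. 600
    mode=$(stat -c '%a' "$ks" 2>/dev/null || stat -f '%Lp' "$ks")
    case $mode in
        *[1-7]?|*[1-7])
            echo "$ks is readable by group or others (mode $mode)" >&2; return 1 ;;
    esac
}

# Usage: paste the printed element into the <Service> element of conf/server.xml
#   check_keystore_perms /etc/sslmate/alpha.techcasita.com.jks && \
#       https_connector /etc/sslmate/alpha.techcasita.com.jks "$KS_PASS" 443
```

The check matters because the keystore is usually created as root and then read by the unprivileged tomcat user: chown it to that user with mode 600 rather than loosening it to 644, and give conf/server.xml the same owner and mode once the password is in it.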

That's pretty much it. However, restarting the Tomcat server may not have the desired effect if you don't run Tomcat as root. Using the default HTTPS port 443 instead of, for instance, 8443 means using a so-called privileged port. Ports below 1024 cannot be bound by an unprivileged process, and the following error shows up in the Tomcat log file:

Long Startup Time
org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-443"] java.net.SocketException: Permission denied

However, once you have figured out which file the actual java binary is (the `java` on your PATH is usually a symlink), setcap (a Linux command to set file capabilities) can be used to allow a non-root process to listen on a privileged port.
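The privileged-port step with the commands the post leaves out, as an added example that is not part of the original post: it resolves the `java` symlink to the real binary, grants that file the capability to bind ports below 1024, and verifies the result. Assumed: Linux with the libcap tools (setcap, getcap) installed and root for the grant.

```shell
# Added example (not from the original post): find the real java binary,
# give it CAP_NET_BIND_SERVICE, and verify. Assumed: Linux with setcap/getcap.

# is_privileged_port PORT -> 0 if an unprivileged process cannot bind to it
is_privileged_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "not a port number: $port" >&2; return 2 ;;
    esac
    [ "$port" -lt 1024 ]
}

# real_java_binary -> prints the path behind the `java` symlink chain
real_java_binary() {
    bin=$(command -v java) || { echo "java not on PATH" >&2; return 1; }
    readlink -f "$bin"
}

# grant_bind_capability JAVA_BIN  (run as root)
# The capability is stored on the file, so every process started from this
# binary gets it, for every user who can execute it, and it disappears when a
# package update replaces the file. Re-run after upgrading the JDK.
grant_bind_capability() {
    setcap cap_net_bind_service=+ep "$1"
}

# has_bind_capability JAVA_BIN -> 0 if the capability is set on the file
# (getcap prints either "... = cap_net_bind_service+ep" or
#  "... cap_net_bind_service=ep" depending on the libcap version)
has_bind_capability() {
    getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service'
}

# Usage, as root, before restarting Tomcat on port 443:
#   is_privileged_port 443 && grant_bind_capability "$(real_java_binary)"
#   has_bind_capability "$(real_java_binary)" && echo "java may bind low ports"
```

If several JDKs are installed, resolve the binary that Tomcat's startup script actually uses (the one behind JAVA_HOME or JRE_HOME in its environment), not necessarily the one first on your own PATH.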

Now it’s time to restart Tomcat …

Final Result

Final Check

To be sure that all is good, use one of the SSL checkers to verify the configuration. Here, for instance, I have used SSLShopper, which spotted one of my misconfigurations earlier:
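A command-line counterpart to the SSL checker, as an added example that is not part of the original post: openssl s_client fetches the chain the server actually sends, and the helper functions read the verify result out of the transcript, which is how serving the bare .crt instead of the .chained.crt from the list above shows up. The transcript embedded in the block is constructed, the host and port are the post's, and openssl 1.1.0 or newer on the PATH is assumed.

```shell
# Added example (not from the original post): check from the command line what
# the public SSL checkers report. served_chain_report talks to the live server;
# the other functions only read an s_client transcript, so they also run
# offline on the constructed sample at the bottom. Assumed: openssl >= 1.1.0.

# served_chain_report HOST [PORT] -> prints the s_client transcript for HOST
served_chain_report() {
    host=$1; port=${2:-443}
    # -servername sends SNI, -verify_hostname checks the name in the certificate,
    # -showcerts prints every certificate sent; </dev/null ends the session.
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -showcerts </dev/null 2>/dev/null
}

# chain_ok TRANSCRIPT -> 0 when the chain built up to a trusted root
chain_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# cert_count TRANSCRIPT -> how many certificates the server sent (1 means the
# bare certificate without its intermediates)
cert_count() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# chain_problem TRANSCRIPT -> one-line diagnosis of the usual failure modes
chain_problem() {
    case $1 in
        *"Verify return code: 0 (ok)"*)
            echo "chain verifies" ;;
        *"unable to verify the first certificate"*|*"unable to get local issuer certificate"*)
            echo "intermediate certificates are missing: serve the .chained.crt file, not the bare .crt" ;;
        *"certificate has expired"*)
            echo "certificate has expired: renew it" ;;
        *"self signed certificate"*|*"self-signed certificate"*)
            echo "self-signed certificate presented, not the CA-signed one" ;;
        *)
            echo "unrecognised state, read the transcript" ;;
    esac
}

# Constructed sample: the shape of s_client's output when Tomcat serves the
# bare certificate. The certificate body is a placeholder, not real data.
SAMPLE_BARE_CERT_TRANSCRIPT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
subject=CN = alpha.techcasita.com
issuer=C = US, O = Example CA, CN = Example Intermediate
    Verify return code: 21 (unable to verify the first certificate)'

# Usage against the live host:
#   t=$(served_chain_report alpha.techcasita.com); cert_count "$t"; chain_problem "$t"
```

A verify return code of 0 means the chain built to a root in the local CA store with the hostname matching; a browser that has cached the intermediate from another site may still show a padlock for the bare-certificate case, which is why a checker that starts from an empty trust state is the better test.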


2 Replies to “Installing an SSL Certificate on Tomcat”

  1. Hello,
    I use

    setcap cap_net_bind_service+ep /usr/lib/jvm/java-8-oracle/jre/bin/java

    But now, when I try to restart tomcat the console has the following output

    error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

  2. Run this command:
    # echo "/path/to/jdk/lib/amd64/jli" > /etc/ld.so.conf.d/java-libjli.conf
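The replies above give the symptom and the fix but not the reason or the step that follows the edit. As an added example that is not from the post or the replies: a file capability makes the dynamic loader run the binary in secure-execution mode, in which it does not expand `$ORIGIN` in the binary's RPATH, so the libjli.so that lives inside the JDK next to the java binary is no longer found. The functions locate that library under the JDK, write the directory into the reply's java-libjli.conf, refresh the loader cache with ldconfig, and confirm by running the binary. Assumed: Linux and root for the write to /etc/ld.so.conf.d; the temporary directory in the usage comment is mine.

```shell
# Added example (not from the post or the replies): make libjli.so findable
# for a java binary that carries a file capability. Assumed: Linux, root for
# writing to /etc/ld.so.conf.d.

# jdk_root_of JAVA_BIN -> the JDK directory for a resolved java path, whether
# the binary sits in <jdk>/bin (JDK 9+) or <jdk>/jre/bin (JDK 8)
jdk_root_of() {
    bindir=$(dirname "$1")
    root=$(dirname "$bindir")
    case $root in
        */jre) dirname "$root" ;;
        *) echo "$root" ;;
    esac
}

# jli_dir JDK_ROOT -> prints the directory that contains libjli.so, or fails
jli_dir() {
    found=$(find "$1" -name libjli.so -print 2>/dev/null | head -n 1)
    [ -n "$found" ] || { echo "libjli.so not found under $1" >&2; return 1; }
    dirname "$found"
}

# register_jli_dir DIR [CONF_DIR] -> writes the ld.so.conf.d entry and, for the
# real config directory, refreshes the loader cache. The ldconfig call is the
# step the reply leaves out; without it the new path is not picked up.
register_jli_dir() {
    dir=$1; conf=${2:-/etc/ld.so.conf.d}
    printf '%s\n' "$dir" > "$conf/java-libjli.conf" || return 1
    if [ "$conf" = /etc/ld.so.conf.d ]; then
        ldconfig
    fi
}

# java_runs JAVA_BIN -> 0 when the binary starts, i.e. the loader found libjli.so
java_runs() {
    "$1" -version >/dev/null 2>&1
}

# Usage, as root, with the same resolved path the setcap command was run on:
#   java_bin=/usr/lib/jvm/java-8-oracle/jre/bin/java   # hypothetical path
#   register_jli_dir "$(jli_dir "$(jdk_root_of "$java_bin")")"
#   java_runs "$java_bin" && echo "java starts again"
```

Registering the directory system-wide means every program on the host can now resolve that libjli.so, which is harmless for this library but worth remembering before adding other JDK library directories the same way; the alternative that avoids the loader change is to run Tomcat on a port above 1023 and put a reverse proxy or a port redirect in front of it.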

Leave a Reply