Using Let's Encrypt Certificate key

Install Python:

$ sudo apt-get upgrade

Install certbot-auto:

$ sudo wget https://dl.eff.org/certbot-auto

Change the permissions:

$ sudo chmod a+x ./certbot-auto

Bootstrapping …

$ sudo ./certbot-auto

Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Create a new keystore:

$ sudo /usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ubuntu/keystore.p12 -keysize 2048

You will be prompted with:

What is your first and last name?
[Unknown]: www.nokhuk.com
What is the name of your organizational unit?
[Unknown]: orgunit
What is the name of your organization?
[Unknown]: orgname
What is the name of your City or Locality?
[Unknown]: bangkok
What is the name of your State or Province?
[Unknown]: bangkok
What is the two-letter country code for this unit?
[Unknown]: TH
Is CN=www.nokhuk.com, OU=org, O=orgname, L=bangkok, ST=bangkok, C=TH correct?

!! I encountered lots of error messages since my first and last name was separated and was not matching the DNS name provided for the certificate. The CN name here is being used as the DNS name for the certificate and must be the same. We can't use an IP number since it will not be acceptable to the CA.

! As you can see, I deleted the last keystore and used its name (the alias), location and password, the same as the one I deleted, so we will not have any other changes in the server.xml file.

Generate a CSR:

$ sudo /usr/bin/keytool -certreq -alias tomcat -file request.csr -keystore /home/ubuntu/keystore.p12
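A pre-flight check for the CN rule described above, run against request.csr before it is sent to the CA. This is an added example, not part of the original post: the function names (csr_subject, dn_common_name, cn_verdict, check_csr) are made up for illustration, and it assumes the openssl CLI is installed and that the CN value contains no escaped commas.

```shell
#!/bin/sh
# Added example (not from the original post): check a CSR's CN before
# submitting it. Function names are hypothetical.

# Print the subject of a PEM CSR in RFC 2253 form, e.g.
# "subject=CN=www.example.com,OU=...". Assumes the openssl CLI is installed.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Extract the CN from a DN string (openssl output or the keytool
# confirmation line). Assumes the CN value holds no escaped commas.
dn_common_name() {
    printf '%s\n' "$1" |
        sed 's/^subject=[[:space:]]*//' |
        tr ',' '\n' |
        sed -n -e 's/[[:space:]]*$//' \
               -e 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' |
        head -n 1
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one verdict for CN ($1) against the DNS name being certified ($2):
# ok | missing-cn | not-a-hostname | ip-literal | mismatch
cn_verdict() {
    cn=$1; expected=$2
    if [ -z "$cn" ]; then echo "missing-cn"; return; fi
    case $cn in
        # Spaces or other non-hostname characters, e.g. a personal name.
        *[!A-Za-z0-9.-]*) echo "not-a-hostname"; return ;;
    esac
    case $cn in
        *[!0-9.]*) ;;                      # has a letter or hyphen: a name
        *) echo "ip-literal"; return ;;    # digits and dots only: IPv4
    esac
    if [ "$(lower "$cn")" != "$(lower "$expected")" ]; then
        echo "mismatch"; return
    fi
    echo "ok"
}

# Usage: check_csr request.csr www.example.com
check_csr() {
    cn_verdict "$(dn_common_name "$(csr_subject "$1")")" "$2"
}
```

Any verdict other than ok means the keystore entry and CSR should be regenerated before running certbot-auto.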

Request the certificate:

$ sudo ./certbot-auto certonly --csr request.csr --no-bootstrap

Choose:

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None

Enter an email:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
admin@gmail.com

Agree (like you have an option …):

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Share …

(Y)es/(N)o: Y

A PEM file will be generated:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/home/ubuntu/0001_chain.pem
Your cert will expire on 2018-10-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:
https://letsencrypt.org/donate
Donating to EFF:
https://eff.org/donate-le

Add the PEM file to the keystore:

$ sudo /usr/bin/keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /home/ubuntu/keystore.p12

Enter the password ..

Certificate reply was installed in keystore.

That's it. Enjoy..