Using Let's Encrypt Certificate key
stop your service
$ sudo systemctl stop serviceName.service
install
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
create a new keystore
$ sudo /usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ubuntu/keystore.p12 -keysize 2048
!! use the same password as the one you used before, or you will have to change it in the tag inside the server.xml file as well
you will be prompted with:
What is your first and last name?
[Unknown]: www.nokhuk.com
What is the name of your organizational unit?
[Unknown]: orgunit
What is the name of your organization?
[Unknown]: orgname
What is the name of your City or Locality?
[Unknown]: bangkok
What is the name of your State or Province?
[Unknown]: bangkok
What is the two-letter country code for this unit?
[Unknown]: TH
Is CN=www.nokhuk.com, OU=org, O=orgname, L=bangkok, ST=bangkok, C=TH correct?
!! I encountered lots of error messages since my first and last name was separated and was not matching the DNS name provided for the certificate. The CN here is used as the DNS name for the certificate and must be the same. We can't use an IP address since it will not be accepted by the CA.
! as you can see I deleted the last keystore and used its (the alias) name, location and password as the one I deleted, so we will not have any other changes in the server.xml file.
generate a CSR
$ sudo /usr/bin/keytool -certreq -alias tomcat -file request.csr -keystore /home/ubuntu/keystore.p12
request a certificate
$ sudo certbot --csr request.csr
choose:
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
enter an email:
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@ndrzhr.com
agree: (like you have an option …)
------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
share …
(Y)es/(N)o: Y
and then …
a PEM file will be generated
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/home/ubuntu/0001_chain.pem
Your cert will expire on 2018-10-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
add the pem file to the keystore
$ sudo /usr/bin/keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /home/ubuntu/keystore.p12
enter the password ..
Certificate reply was installed in keystore
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run
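The cron job only covers certificates that certbot manages itself: a certificate obtained with certbot --csr is written to the current directory rather than /etc/letsencrypt/live and is not picked up by certbot renew, so the CSR flow above has to be run again before the 90 days are up. The script below is an added example, not part of the original note: it repeats the stop / request / import / start steps non-interactively so it can be run from cron, and restarts the service even when a step fails. The keystore path, alias, CSR file, service name, the letsencrypt working directory and the KEYSTORE_PASS variable are assumptions taken from the note or invented here.

```shell
#!/bin/sh
# Added example, not part of the original note: a re-runnable version of the
# note's request -> import steps. Keystore path, alias "tomcat", CSR file,
# service name and working directory are assumed from the note.
set -eu

KEYSTORE="${KEYSTORE:-/home/ubuntu/keystore.p12}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"
CSR="${CSR:-/home/ubuntu/request.csr}"
SERVICE="${SERVICE:-tomcat8.service}"
WORKDIR="${WORKDIR:-/home/ubuntu/letsencrypt}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands without running them

# run CMD...: echo the command line, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# issue_and_import: fetch a fresh certificate for the existing CSR into fixed
# file names (certbot otherwise numbers them 0000_, 0001_, ...), then replace
# the chain stored under the private-key alias. keytool needs the leaf plus
# the intermediates here, which is the fullchain file. The keystore password
# is read from the KEYSTORE_PASS environment variable (keytool's :env form),
# so it never appears on the command line or in the process list.
issue_and_import() {
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
    run mkdir -p "$WORKDIR" &&
    run certbot certonly --standalone --non-interactive --csr "$CSR" \
        --cert-path "$WORKDIR/cert.pem" \
        --chain-path "$WORKDIR/chain.pem" \
        --fullchain-path "$WORKDIR/fullchain.pem" &&
    run keytool -import -trustcacerts -noprompt -alias "$KEY_ALIAS" \
        -file "$WORKDIR/fullchain.pem" -keystore "$KEYSTORE" \
        -storepass:env KEYSTORE_PASS
}

# renew_keystore_cert: stop the service so the standalone authenticator can
# bind port 80, run the issue/import step, and start the service again even
# when that step failed, so a renewal problem never leaves the site down.
renew_keystore_cert() {
    rc=0
    run systemctl stop "$SERVICE"
    issue_and_import || rc=$?
    run systemctl start "$SERVICE"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then renew_keystore_cert; fi
```

Check the command sequence first with DRY_RUN=1 KEYSTORE_PASS=x sh renew.sh --run, then schedule sudo env KEYSTORE_PASS=... sh renew.sh --run from cron well before the expiry date certbot printed.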
start your service ..
$ sudo systemctl start tomcat8.service