Using Let's Encrypt Certificate key

stop your service

$ sudo systemctl stop serviceName.service

install certbot

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

create a new keystore

$ sudo /usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ubuntu/keystore.p12 -keysize 2048

!! use the same password as the one you used before, or you will have to go and change it in the tag inside the server.xml file as well.

you will be prompted by:

What is your first and last name?
  [Unknown]:  www.nokhuk.com
What is the name of your organizational unit?
  [Unknown]:  orgunit
What is the name of your organization?
  [Unknown]:  orgname
What is the name of your City or Locality?
  [Unknown]:  bangkok
What is the name of your State or Province?
  [Unknown]:  bangkok
What is the two-letter country code for this unit?
  [Unknown]:  TH
Is CN=www.nokhuk.com, OU=org, O=orgname, L=bangkok, ST=bangkok, C=TH correct?

!! I encountered lots of error messages since my first and last name was separated and was not matching the DNS name provided for the certificate. the CN here is used as the DNS name for the certificate and must be the same. we can't use an IP address since it will not be accepted by the CA.

! as you can see I deleted the last keystore and used its alias name, location and password as the one I deleted, so we will not have any other changes in the server.xml file.

generate a csr

$ sudo /usr/bin/keytool -certreq -alias tomcat -file request.csr -keystore /home/ubuntu/keystore.p12

Request for certificate

$ sudo certbot --csr request.csr

choose how to authenticate:

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None

enter an email:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@ndrzhr.com

agree (like you have an option …):

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

share … :

(Y)es/(N)o: Y

and then … the PEM file will be generated:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /home/ubuntu/0001_chain.pem
   Your cert will expire on 2018-10-06. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

add the pem file to the keystore

$ sudo /usr/bin/keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /home/ubuntu/keystore.p12

enter the password .. you should see: Certificate reply was installed in keystore

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run

start your service ..

$ sudo systemctl start tomcat8.service
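Once Tomcat is back up, the check below (an added example, not part of this guide) fetches the certificate the server now presents and reports whether its names cover the hostname you typed as CN above and how many days remain before it expires; that second point matters because certbot renew does not pick up certificates issued from your own CSR with --csr. It assumes the hostname www.nokhuk.com from the walkthrough, port 443, and a 30-day renewal threshold, and uses only the Python standard library.

```python
import socket
import ssl
import sys
import time

RENEW_WITHIN_DAYS = 30  # assumed policy: renew inside the last 30 of the 90 days

def cert_names(cert):
    """DNS names from the SAN extension plus the subject CN (the keytool prompt value)."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names

def hostname_matches(hostname, names):
    """Exact match, or a single-label wildcard such as *.nokhuk.com."""
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def check_cert(cert, hostname, now=None):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert(); now is epoch seconds."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    return {
        "name_ok": hostname_matches(hostname, cert_names(cert)),
        "days_left": days_left,
        "renew_now": days_left < RENEW_WITHIN_DAYS,
    }

def fetch_cert(hostname, port=443):
    """Certificate the live server presents. The chain is still verified against the system
    CAs; only the hostname check is deferred to check_cert so a CN/DNS mismatch is reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.nokhuk.com"  # hostname from the guide
    print(check_cert(fetch_cert(host), host))
```

A result with name_ok False is the same CN/DNS mismatch the keytool note above warns about, only caught before clients see it.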