Author: Derek Leung 

Product version: 2024.X



Need


Customer wants to enable HTTPS on the AWS Marketplace QuickStart VM with a free certificate from Let's Encrypt.


Summarized Solution

  • Install certbot
  • Install the Let's Encrypt certificate in Tomcat 9
  • Restart Tomcat 9
  • Refresh the certificate manually after 90 days


Reference: How to install Let's Encrypt with Tomcat

Detailed Solution



1. Create a Hosted Zone in AWS Route 53.

image

2. Install certbot


$ sudo su 
# apt-get install software-properties-common 
# add-apt-repository ppa:certbot/certbot 
# apt-get update 
# apt-get install certbot

3. Create the SSL certificate for ssltest.servers.semarchy.com with certbot in standalone mode (standalone mode listens on port 80 itself, so that port must be free on the VM and reachable from the Internet while the certificate is issued)


root@ip-XX-XX-XX-XX:/home/ubuntu# certbot certonly --standalone -d ssltest.servers.semarchy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): derek.leung@semarchy.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: No
Account registered.
Requesting a certificate for ssltest.servers.semarchy.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ssltest.servers.semarchy.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ssltest.servers.semarchy.com/privkey.pem
This certificate expires on 2024-12-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

4. The certificate files are generated under /etc/letsencrypt/live


root@ip-XX-XX-XX-XX:/home/ubuntu# cd /etc/letsencrypt/live
root@ip-XX-XX-XX-XX:/etc/letsencrypt/live# ls
README  ssltest.servers.semarchy.com
root@ip-XX-XX-XX-XX:/etc/letsencrypt/live# cd ssltest.servers.semarchy.com/
root@ip-XX-XX-XX-XX:/etc/letsencrypt/live/ssltest.servers.semarchy.com# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem


5. Copy the certificate files to the Tomcat 9 conf directory (/var/lib/tomcat9/conf)


root@ip-XX-XX-XX-XX:/etc/letsencrypt/live/ssltest.servers.semarchy.com# cp cert.pem /var/lib/tomcat9/conf
root@ip-XX-XX-XX-XX:/etc/letsencrypt/live/ssltest.servers.semarchy.com# cp chain.pem /var/lib/tomcat9/conf
root@ip-XX-XX-XX-XX:/etc/letsencrypt/live/ssltest.servers.semarchy.com# cp privkey.pem /var/lib/tomcat9/conf

6. Set the owner of the .pem files to tomcat:tomcat


root@ip-XX-XX-XX-XX:/var/lib/tomcat9/conf# chown tomcat:tomcat *.pem
root@ip-XX-XX-XX-XX:/var/lib/tomcat9/conf# ls -la
total 236
drwxr-xr-x   4 root   root     4096 Sep 26 09:15 .
drwxr-xr-x 106 root   root     4096 Sep 26 09:05 ..
drwxrwxr-x   3 root   tomcat   4096 Apr  4 08:39 Catalina
-rw-r-----   1 root   tomcat   7735 Apr  4 08:39 catalina.properties
-rw-r--r--   1 tomcat tomcat   1801 Sep 26 09:14 cert.pem
-rw-r--r--   1 tomcat tomcat   1801 Sep 26 09:14 chain.pem
-rw-r-----   1 root   tomcat   1400 Jan 15  2022 context.xml
-rw-r-----   1 root   tomcat   1149 Jan 15  2022 jaspic-providers.xml
-rw-r-----   1 root   tomcat   3852 Apr  4 08:39 log4j2.semarchy.xml
-rw-r-----   1 root   tomcat   2799 Jul 19  2022 logging.properties
drwxr-xr-x   2 root   tomcat   4096 Apr  4 08:39 policy.d
-rw-------   1 tomcat tomcat   1704 Sep 26 09:15 privkey.pem
-rw-r-----   1 root   tomcat   8096 Sep 24 14:42 server.xml
-rw-r-----   1 root   tomcat   1167 Sep 24 14:35 tomcat-users.xml
-rw-r-----   1 root   tomcat 173697 Apr  4 08:39 web.xml

chmod 644 *.pem

7. Add the following Connector element to server.xml and comment out any other Connector element that uses port 443


<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>


8. Restart Tomcat 9


sudo service tomcat9 stop
sudo service tomcat9 start

9. Configure the security group to allow inbound connections on port 443 (HTTPS)

image

10. Access the server with HTTPS

image

11. Examine the certificate


image


12. Certificates issued by Let's Encrypt expire after 90 days; renew the certificate manually by repeating Step 3 to Step 5.
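Helper for steps 5, 6 and 12, added here as an example and not part of the original article or of the Semarchy product: it copies the Let's Encrypt files into the Tomcat conf directory and then verifies ownership and modes before Tomcat is restarted. It assumes the paths, file names and tomcat owner used above; unlike the blanket chmod 644 in step 6, it keeps privkey.pem at mode 600 so the private key is not readable by every local user, and the check flags a world-readable key.

```shell
#!/bin/sh
# Added example (not from the KB article): install and verify the Let's Encrypt
# PEM files in Tomcat's conf directory. Assumptions: paths, file names and the
# "tomcat" owner match steps 5-6 above; privkey.pem is kept at 600, not 644.

# install_pems LIVE_DIR CONF_DIR OWNER
#   LIVE_DIR: e.g. /etc/letsencrypt/live/ssltest.servers.semarchy.com
#   CONF_DIR: e.g. /var/lib/tomcat9/conf   OWNER: e.g. tomcat:tomcat (needs root)
install_pems() {
    live="$1"; conf="$2"; owner="$3"
    for f in cert.pem chain.pem privkey.pem; do
        cp "$live/$f" "$conf/$f" || return 1
        chown "$owner" "$conf/$f" || return 1
    done
    chmod 644 "$conf/cert.pem" "$conf/chain.pem" || return 1
    chmod 600 "$conf/privkey.pem"       # private key: owner read/write only
}

# check_pems CONF_DIR OWNER_NAME
#   Returns 0 only if all three files exist, are owned by OWNER_NAME and
#   privkey.pem has no group/other permission bits. Parses `ls -ld`, whose
#   first field is the mode string and third field the owner name.
check_pems() {
    conf="$1"; owner="$2"; rc=0
    for f in cert.pem chain.pem privkey.pem; do
        p="$conf/$f"
        if [ ! -f "$p" ]; then echo "MISSING: $p"; rc=1; continue; fi
        line=$(ls -ld "$p")
        o=$(printf '%s\n' "$line" | awk '{print $3}')
        grp_oth=$(printf '%s\n' "$line" | cut -c5-10)   # rwxrwx of group/other
        if [ "$o" != "$owner" ]; then
            echo "OWNER: $p owned by $o, expected $owner"; rc=1
        fi
        if [ "$f" = privkey.pem ] && [ "$grp_oth" != "------" ]; then
            echo "MODE: $p is group/world readable; use chmod 600"; rc=1
        fi
    done
    return "$rc"
}

# cert_valid_for_days CERT_FILE DAYS
#   Returns 0 if the certificate is still valid DAYS days from now (needs
#   openssl); usable from cron to warn before the 90-day expiry in step 12.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}
```

Run install_pems as root after step 3 and again at each manual renewal, then check_pems before restarting Tomcat; a non-zero exit means the files are not ready to serve.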