Let's Encrypt + Apache + Tomcat for free HTTPS
Let's Encrypt is a certificate authority (run by the ISRG) that issues SSL/TLS certificates free of charge. Its certificates are trusted by mainstream browsers; the author tested Google Chrome (desktop), Firefox (desktop), UC Browser (mobile) and 360 Browser (mobile), and did not test the others.
This article explains how to obtain a free certificate from Let's Encrypt, enable SSL in Apache, and have Apache forward requests to Tomcat.
The general idea is as follows:
1. Obtain the certificate from Let's Encrypt.
2. Enable SSL in Apache. Users' requests, whether http or https, reach Apache first.
3. Apache forwards the requests to Tomcat over the http or ajp protocol.
The reasons for this layout are as follows:
1. The site is written in Java and needs a servlet container such as Tomcat.
2. Tomcat can terminate SSL itself, but the Let's Encrypt client has a native Apache plugin, so SSL is easier to configure on Apache.
3. Apache serves static resources better than Tomcat.
4. Several Tomcat instances can sit behind Apache for load balancing (mod_proxy_balancer), and a single Tomcat instance can then be restarted without taking the site down.
1. Install the Let's Encrypt client
The Let's Encrypt client, certbot, is hosted at https://github.com/certbot/certbot; clone it with git or download it from that page.
Enter the directory and run the following command. On first run the wrapper script installs the packages it depends on.
./letsencrypt-auto --help
(The letsencrypt-auto/certbot-auto wrapper has since been retired. On a current distribution install certbot from the package manager or as a snap, and replace ./letsencrypt-auto with certbot in the commands below.)
2. Install apache
Install Apache on CentOS 7:
yum install httpd
Install the SSL module of Apache on CentOS 7:
yum install mod_ssl
Install Apache on Ubuntu:
sudo apt-get install apache2
3. Install tomcat
Download a Tomcat archive from the official website and unpack it. A JRE must be installed first.
4. Configure apache
The version installed here is 2.4.6 (the CentOS 7 package). Apache 2.4 changed several directives compared with 2.2, notably access control (Require all granted replaces the old Order/Allow directives), so snippets written for other versions may not apply as-is.
On CentOS 7 the main Apache configuration file is /etc/httpd/conf/httpd.conf and the SSL module's file is /etc/httpd/conf.d/ssl.conf.
On Ubuntu the main configuration file is /etc/apache2/apache2.conf.
Modify the httpd.conf file
Add the following so that http requests are redirected to https automatically (mod_rewrite must be loaded, which is the default on CentOS 7):
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
The RewriteCond restricts the rule to requests that arrived on port 80 (the pattern is anchored; a bare 80 would also match any port containing those digits), so the rule can live in the server context without looping on the https side.
Modify the ssl.conf file
Listen is a server-wide directive, not part of a virtual host, and a port may be declared only once; declaring Listen 443 twice makes httpd fail to bind the socket. The author removed the Listen 443 https line from ssl.conf; note that port 443 must then be declared somewhere else (certbot's Apache plugin adds a Listen 443 if it finds that nothing listens on 443).
Uncomment the ServerName www.example.com:443 line inside the <VirtualHost *:443> block and change the domain to your own. The certificate Let's Encrypt issues is bound to this domain name; when the author tried an IP address here instead, Let's Encrypt would not issue a certificate for it.
Add the following inside the <VirtualHost *:443> block to forward all requests to Tomcat. The ajp protocol is used here; to use http instead, change ajp to http and 8009 to 8080.
ProxyVia On
ProxyRequests Off
ProxyPass / ajp://127.0.0.1:8009/
ProxyPassReverse / ajp://127.0.0.1:8009/
<Proxy *>
    Require all granted
</Proxy>
<Location />
    Require all granted
</Location>
ProxyRequests Off matters: with it On, Apache would be an open forward proxy usable by anyone on the Internet. Keep Tomcat's AJP connector bound to loopback (address="127.0.0.1" on the <Connector port="8009"> element in server.xml) and never expose port 8009. Tomcat 8.5.51/9.0.31 and later bind AJP to loopback by default and also require a shared secret; on the Apache side that secret (secret=... on ProxyPass) needs mod_proxy_ajp from Apache 2.4.42 or newer, so with an older Apache such as 2.4.6 the http variant is the simpler choice.
After changing the configuration, run httpd -t (or apachectl configtest) to check the syntax. If it reports Syntax OK, start the service with service httpd start.
A possible error on startup: AH00558: httpd: Could not reliably determine the server's fully qualified domain name. Fix it by uncommenting the # ServerName localhost:80 line in httpd.conf and setting it to the server's real host name or IP address.
5. Generate a certificate
The client supports several ways of proving control of the domain; the three used with a web server are:
--apache      Use the Apache plugin for authentication & installation
--standalone  Run a standalone webserver for authentication (port 80 must be free)
--webroot     Place files in a server's webroot folder for authentication
The apache method is used here. The command is as follows:
./letsencrypt-auto --apache --apache-le-vhost-ext /etc/httpd/conf.d/ssl.conf --register-unsafely-without-email
--register-unsafely-without-email skips the account e-mail address; without it, the client prompts for one. The author entered a Foxmail address, which was rejected as invalid, for reasons unknown. Without an e-mail address you receive no expiry warnings, and Let's Encrypt certificates are valid for only 90 days, so schedule ./letsencrypt-auto renew (for example daily from cron) to keep the site up.
--apache-le-vhost-ext is actually the filename suffix certbot uses when it has to create a new SSL virtual-host file (default -le-ssl.conf), not a path to an existing one. Because ssl.conf already contains a <VirtualHost *:443> with the right ServerName, certbot installs the certificate into that block and the option can be omitted; -d www.example.com selects the domain explicitly instead of choosing it interactively.
After the certificate is generated it is stored under /etc/letsencrypt/live/www.example.com/ (cert.pem, chain.pem, fullchain.pem and privkey.pem, as symlinks to the latest versions). The client automatically edits ssl.conf to point the SSLCertificateFile and SSLCertificateKeyFile directives at these files. privkey.pem is the private key and is readable by root only; keep it that way and do not copy it to a world-readable location.
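As an added example (not code from the original post), the following shell script puts sections 4 and 5 together. render_vhosts writes a port-80 vhost that redirects to https and a port-443 vhost that terminates TLS with the files certbot creates and proxies to Tomcat over AJP on loopback; lint_httpd_conf checks a configuration for the mistakes run into above (a port declared twice with Listen, no active ServerName, ProxyRequests On, a backend that is not on loopback). The domain www.example.com, the output file name and the embedded "bad" configuration are constructed for the demonstration; the file layout assumes CentOS 7 and certbot's /etc/letsencrypt/live/ directory.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the vhost pair from
# sections 4 and 5 for the CentOS 7 layout and lints an httpd configuration
# for the mistakes the post runs into. Domain, file names and the sample
# "bad" config below are constructed.

# render_vhosts DOMAIN OUTFILE
# Port 80 only redirects to https (mod_alias, no rewrite rule needed);
# port 443 terminates TLS and proxies everything to Tomcat's AJP connector
# on loopback. "Listen 443" is deliberately not repeated here: it belongs
# exactly once in the server-wide configuration (ssl.conf on CentOS 7).
render_vhosts() {
    domain="$1"; out="$2"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    Redirect permanent / https://${domain}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${domain}
    SSLEngine on
    # cert.pem + chain.pem rather than fullchain.pem: Apache 2.4.6 predates
    # SSLCertificateFile accepting a chain (2.4.8); this form works on both.
    SSLCertificateFile      /etc/letsencrypt/live/${domain}/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/${domain}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/${domain}/chain.pem
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"

    ProxyRequests Off
    ProxyVia On
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
    <Proxy *>
        Require all granted
    </Proxy>
</VirtualHost>
EOF
}

# lint_httpd_conf FILE...
# Prints one finding per line; exit status 0 when clean, 1 otherwise.
# The checks mirror the failures in this post: a port declared twice with
# Listen (httpd cannot bind it twice), no active ServerName (AH00558, and
# certbot cannot match the certificate to a vhost), ProxyRequests On (an
# open forward proxy) and a ProxyPass backend that is not on loopback.
lint_httpd_conf() {
    findings=0
    conf=$(cat "$@" | sed 's/#.*$//')    # commented-out lines do not count

    for port in $(printf '%s\n' "$conf" | awk '$1=="Listen"{print $2}' | sort | uniq -d); do
        echo "Listen $port is declared more than once"
        findings=$((findings + 1))
    done
    if printf '%s\n' "$conf" | grep -qi '<VirtualHost' &&
       ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ServerName'; then
        echo "no active ServerName: expect AH00558, and no vhost for the certificate"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ProxyRequests[[:space:]]*On'; then
        echo "ProxyRequests On: httpd would be an open forward proxy"
        findings=$((findings + 1))
    fi
    for backend in $(printf '%s\n' "$conf" | awk '$1=="ProxyPass"{print $3}'); do
        case "$backend" in
            ajp://127.0.0.1:*|ajp://localhost:*|http://127.0.0.1:*|http://localhost:*) ;;
            *) echo "ProxyPass backend $backend is not on loopback"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample that reproduces the post's mistakes; not a real server.
BAD_CONF='Listen 443 https
Listen 443
<VirtualHost *:443>
    # ServerName www.example.com:443
    ProxyRequests On
    ProxyPass / ajp://0.0.0.0:8009/
</VirtualHost>'

demo=$(mktemp -d)
render_vhosts www.example.com "$demo/www.example.com.conf"
printf '%s\n' "$BAD_CONF" > "$demo/bad.conf"
echo "== rendered vhost file =="
lint_httpd_conf "$demo/www.example.com.conf" && echo "clean: copy to /etc/httpd/conf.d/ and run httpd -t"
echo "== constructed bad config =="
lint_httpd_conf "$demo/bad.conf" || echo "fix these before starting httpd"
rm -rf "$demo"
```

Drop the rendered file into /etc/httpd/conf.d/, run httpd -t and reload. The lint is a plain text check meant to catch the specific mistakes above before httpd starts; httpd -t remains the authority on syntax.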
6. Run apache and tomcat
Run Tomcat and follow its log (the author unpacked Tomcat into /etc/tomcat):
cd /etc/tomcat
sh bin/startup.sh; tail -f logs/catalina.out
Run Apache:
service httpd start
Run Tomcat as a dedicated unprivileged user rather than as root; since Apache owns port 443, Tomcat never needs a privileged port.
7. Others
Overall the configuration process is simple, but it is hard for someone who has never done it. For example, I spent more than a week on this. The information on the Internet never quite matched my machine: file paths were wrong and some configuration items did nothing. I tried it on my Ubuntu machine first; after a few days I gave up and did it directly on CentOS on the server, and it took a day!