Let's Encrypt + Apache + Tomcat for free HTTPS

Let's Encrypt + Apache + Tomcat for free HTTPS

Let's Encrypt is a free SSL Certificate release project. The issued certificate has been supported by mainstream browsers, including Google browser (desktop edition) and Firefox browser (desktop edition) UC browser (mobile edition), 360 browser (mobile edition) support, other are not tested yet;

This article explains how to use Let's Encrypt to obtain a free SSL Certificate, configure the SSL feature of apache, and forward requests to tomcat

The general idea is as follows:

1. Use Let's Encrypt to obtain the SSL Certificate

2. Enable the SSL feature of apache. The user requests to apache first, using http or https.

3. apache forwards requests to tomcat and uses http or ajp protocol.

The reasons for doing so are as follows:

1. My website is written in java and requires a servlet container similar to tomcat

2. Although tomcat also supports ssl, Let's Encrypt supports apache native, so it is easier to configure ssl on apache.

3. apache is better at processing static resources than tomcat.

4. You can configure multiple tomcat servers to achieve load balancing. You can restart tomcat without terminating the service.

1. Install Let's Encrypt

Let's Encrypt's project home page is a https://github.com/certbot/certbot, which can be downloaded using git or directly on the home page.

Go to the folder and run the following command. Then Let's Encrypt will install some software.

./letsencrypt-auto --help

Ii. install apache

Install apache commands in CentOS7

yum install httpd

Install the ssl module of apache in centos7

yum install mod_ssl

Install apache in Ubuntu

sudo apt-get install apache2

3. install tomcat

Download a tomcat package from the official website and unzip it. Of course, you must install jre first.

4. Configure apache

The version I installed is 2.4.6. The configuration of this version is different from that of other versions.

In centos7, the path of the apache configuration file is/etc/httpd/conf/httpd. conf, and that of the ssl module is/etc/httpd/conf. d/ssl. conf.

In ubuntu, the path to the apache configuration file is/etc/apache2/apache2.conf.

Modify the httpd. conf file

Add the following code to automatically redirect http requests to https

RewriteEngine onRewriteCond %{SERVER_PORT} 80RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Modify the ssl. conf file

Delete Listen 443 https, otherwise it will conflict with the following Virtual Host Configuration

Remove the # ServerName www.example.com: 443 in the <VirtualHost *: 443> label and change the domain name to your own domain name. The certificate generated by Let's Encrypt is bound to this domain name, after I try to change the ip address, Let's Encrypt does not support

Add the following code to the <VirtualHost *: 443> label to forward all requests to the tomcat server. The ajp protocol is used here. If you want to use http protocol, change ajp to http and 8009 to 8080

ProxyVia OnProxyRequests OffProxyPass / ajp://127.0.0.1:8009/ProxyPassReverse / ajp://127.0.0.1:8009/<Proxy *> Require all granted</Proxy><Location /> Require all granted</Location>

After the configuration file is changed, run the httpd-t command to check whether the configuration file is correct. If there is no error, use service httpd start to start the service.

An error occurred while starting the service: AH00558: httpd: cocould not reliably determine the server's fully qualified domain name. remove # ServerName localhost: 80 # In conf. Change localhost to the actual ip address.

5. Generate a certificate

Let's Encrypt supports three authentication methods

-- Apache Use the Apache plugin for authentication & installation

-- Standalone Run a standalone webserver for authentication

-- Webroot Place files in a server's webroot folder for authentication

The apache authentication method is used here. The command is as follows,

./letsencrypt-auto --apache --apache-le-vhost-ext /etc/httpd/conf.d/ssl.conf --register-unsafely-without-email 

-- The apache-le-vhost-ext parameter specifies the configuration file of the virtual host. The -- register-unsafely-without-email parameter ignores the mailbox. If this parameter is not set, let's Encrypt will ask you to enter the email address. I entered the foxmail email address, but the prompt is invalid. I don't know why

After the certificate is generated, it will be stored in the/etc/letsencrypt/live/www.example.com/directory. let's Encrypt will automatically modify the ssl. conf file and associate the certificate

6. run apache and tomcat

Run tomcat and output logs

cd /etc/tomcatsh bin/startup.sh;tail -f logs/catalina.out

Run apache

service httpd start

VII. Others

In general, the configuration process is very simple, but it is very difficult for people who have not done so. For example, I spent more than a week studying this. There are always some differences between the information on the Internet and my computer, the file path is incorrect, and some configuration items are useless. I did it on my ubuntu first. After a few days, I had to give up the treatment and directly run it on centos on the server. The result was a day!

This article permanently updates the link address: