Let's Encrypt is a project that issues free SSL certificates. Its certificates are trusted by the mainstream browsers; I personally tested Google Chrome (desktop), Firefox (desktop), UC Browser (mobile) and 360 Browser (mobile), and have not yet tested the others.
This article explains how to obtain a free SSL certificate from Let's Encrypt, enable SSL in Apache, and forward requests on to Tomcat.
The general idea is as follows:
1. Obtain an SSL certificate using Let's Encrypt
2. Enable SSL in Apache; user requests first reach Apache, over either HTTP or HTTPS
3. Apache forwards the request to Tomcat, over either HTTP or AJP
This is done for the following reasons:
1. My site is written in Java and needs a servlet container such as Tomcat
2. Although Tomcat also supports SSL, Let's Encrypt supports Apache natively, so configuring SSL on Apache is easier
3. Apache handles static resources better than Tomcat
4. Multiple Tomcat instances can be configured behind Apache for load balancing, and Tomcat can be restarted without interrupting the service
I. Install Let's Encrypt
The Let's Encrypt client's project home page is https://github.com/certbot/certbot; it can be downloaded with git, or you can download the zip archive directly from the home page.
Go into the folder and run the following command; Let's Encrypt will then install the software it needs:
./letsencrypt-auto --help
II. Install Apache
Command to install Apache on CentOS 7:
yum install httpd
Install the Apache SSL module on CentOS 7:
yum install mod_ssl
Install Apache on Ubuntu:
sudo apt-get install apache2
III. Install Tomcat
Download Tomcat from the official website and unzip it; of course, install the JRE first.
IV. Configure Apache
The version I installed is 2.4.6; the configuration for this version differs somewhat from other versions.
On CentOS 7 the Apache configuration file is /etc/httpd/conf/httpd.conf, and the SSL module's configuration file is /etc/httpd/conf.d/ssl.conf
On Ubuntu the Apache configuration file is /etc/apache2/apache2.conf
Modify the httpd.conf file
Add the following lines so that HTTP requests are automatically redirected to HTTPS (the rewrite engine must be switched on for the rule to take effect):
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Modify the ssl.conf file
Delete the Listen 443 https line, otherwise it will conflict with the virtual host configuration that follows.
In the <VirtualHost *:443> block, remove the # in front of #ServerName www.example.com:443 and change the domain name to your own. The certificate Let's Encrypt generates is bound to the domain name; I tried changing it to an IP address, and Let's Encrypt does not support that.
Add the following lines inside the <VirtualHost *:443> block; they forward all requests to the Tomcat server. The AJP protocol is used here; if you want to use HTTP instead, change ajp to http and 8009 to 8080. Since only this Apache instance should be talking to Tomcat's AJP port 8009, make sure that port is not reachable from outside the local host.
ProxyPass / ajp://127.0.0.1:8009/
ProxyPassReverse / ajp://127.0.0.1:8009/
<Proxy *>
    Require all granted
</Proxy>
<Location />
    Require all granted
</Location>
After changing the configuration files, use the httpd -t command to check them for errors; if there are none, start the service with service httpd start.
There was an error when starting the service: AH00558: httpd: Could not reliably determine the server's fully qualified domain name. Remove the # in front of #ServerName localhost:80 in httpd.conf and change localhost to the actual IP address, and it is fine.
V. Generate the Certificate
Let's Encrypt supports three different authentication methods:
--apache      Use the Apache plugin for authentication & installation
--standalone  Run a standalone webserver for authentication
--webroot     Place files in a server's webroot folder for authentication
The Apache authentication method is used here; the command is as follows,
The --apache-le-vhost-ext parameter specifies the configuration file holding the virtual host configuration, and the --register-unsafely-without-email parameter skips the e-mail address; without it, Let's Encrypt asks for an e-mail address. I entered a Foxmail address, but it was reported as invalid; I don't know why.
After the certificate is generated it is placed in the /etc/letsencrypt/live/www.example.com/ directory, and Let's Encrypt automatically modifies the ssl.conf file to reference the certificate.
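A post-deployment check for the HTTP-to-HTTPS redirect configured in httpd.conf above and for the certificate issued here. This is an added example, not code from the original post; the domain www.example.com and the ports 80/443 are placeholders for your own values.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit

# Placeholder site values: replace with your own domain and ports.
HOST = "www.example.com"


def redirect_is_safe(status, location, host, path="/"):
    """True only if the plain-HTTP response is a permanent redirect to the same
    host and path over HTTPS; a wrong scheme, another host or a 302 all fail."""
    if status not in (301, 308) or not location:
        return False
    u = urlsplit(location)
    return u.scheme == "https" and u.hostname == host.lower() and (u.path or "/") == path


def days_until_expiry(not_after, now_secs=None):
    """Whole days left on a certificate, given the notAfter string that
    ssl.getpeercert() returns (e.g. 'Jun  9 12:00:00 2025 GMT')."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_secs = time.time() if now_secs is None else now_secs
    return int((expires - now_secs) // 86400)


def check_site(host=HOST, path="/", http_port=80, https_port=443):
    """Live check: request the site over plain HTTP and expect the RewriteRule
    redirect, then open a verified TLS connection and read the certificate expiry."""
    conn = http.client.HTTPConnection(host, http_port, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    redirect_ok = redirect_is_safe(resp.status, resp.getheader("Location"), host, path)
    conn.close()
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, https_port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            days_left = days_until_expiry(tls.getpeercert()["notAfter"])
    # Let's Encrypt certificates are valid for 90 days; renew well before this reaches 0.
    return {"redirect_ok": redirect_ok, "cert_days_left": days_left}


if __name__ == "__main__":
    print(check_site())
```

Run it from a machine that can reach the server; a failing redirect_ok means the RewriteRule is not active on port 80, and a hostname or chain error from the TLS handshake means ssl.conf is not pointing at the issued certificate.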
VI. Run Apache and Tomcat
Run Tomcat and follow its log:
cd /etc/tomcat; sh bin/startup.sh; tail -F logs/catalina.out
Run Apache:
service httpd start
VII. Other
The overall configuration process is simple, but it is difficult for people who have not done it before. For example, I spent more than a week studying this; the information on the Internet and my own machine were always slightly different, the file paths did not match, some configuration items did not exist, and so on. I first tried on my own Ubuntu machine and after a few days it still did not work, so I gave up and went straight to CentOS on the server, and it was ready within a day, hehe!
My website is Xiaoyun Studio (www.xiaoyun.studio); it was for this website that I set up HTTPS.