Let's Encrypt + Apache + Tomcat for free HTTPS

Source: Internet
Author: User

Let's Encrypt is a project that distributes free SSL certificates. The certificates it issues are supported by mainstream browsers: I have personally tested Google Chrome (desktop), Firefox (desktop), UC Browser (mobile) and 360 Browser (mobile), and all of them work; other browsers have not been tested yet.

This article explains how to use Let's Encrypt to get a free SSL certificate, configure Apache's SSL support, and forward requests to Tomcat.

The general idea is as follows:

1. Obtain an SSL certificate using Let's Encrypt.

2. Enable Apache's SSL support. User requests reach Apache first, over HTTP or HTTPS.

3. Apache forwards the request to Tomcat, using the HTTP protocol or the AJP protocol.

This is done for the following reasons:

1. My site is written in Java and requires a servlet container such as Tomcat.

2. Although Tomcat also supports SSL, Let's Encrypt natively supports Apache, so it is easier to configure SSL on Apache.

3. Apache handles static resources better than Tomcat.

4. Multiple Tomcat instances can be configured for load balancing, and Tomcat can be restarted without interrupting the service.

I. Install Let's Encrypt

The Let's Encrypt project home page is https://github.com/certbot/certbot. You can download it with git, or download the zip archive directly from the home page.

Go into the folder and run the following command; Let's Encrypt will then install some software.

./letsencrypt-auto --help

II. Install Apache

Install Apache on CentOS 7:

yum install httpd

Install the Apache SSL module on CentOS 7:

yum install mod_ssl

Install Apache on Ubuntu:

sudo apt-get install apache2

III. Install Tomcat

Download Tomcat from the official website and unzip it. Of course, the JRE must be installed first.

IV. Configure Apache

The version I installed is 2.4.6; its configuration is not quite the same as that of other versions.

On CentOS 7, the Apache configuration file is /etc/httpd/conf/httpd.conf, and the SSL module's configuration file is /etc/httpd/conf.d/ssl.conf.

On Ubuntu, the Apache configuration file is /etc/apache2/apache2.conf.

Modify the httpd.conf file

Add the following code to automatically redirect HTTP requests to HTTPS:

RewriteEngine on
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Modify the ssl.conf file

Delete Listen 443 https; otherwise it will conflict with the virtual host configuration that follows it.

Inside the <VirtualHost *:443> tag, remove the # in front of #ServerName www.example.com:443 and change the domain name to your own. The certificate generated by Let's Encrypt is bound to the domain name. I tried changing it to an IP address, and Let's Encrypt does not support that.

Add the following code inside the <VirtualHost *:443> tag. It forwards all requests to the Tomcat server. The AJP protocol is used here; to use the HTTP protocol instead, change ajp to http and 8009 to 8080.

ProxyPass / ajp://127.0.0.1:8009/
ProxyPassReverse / ajp://127.0.0.1:8009/
<Proxy *>
    Require all granted
</Proxy>
<Location />
    Require all granted
</Location>

After changing the configuration files, use the httpd -t command to check them for errors. If there are none, start the service with service httpd start.

There was an error when starting the service: AH00558: httpd: Could not reliably determine the server's fully qualified domain name. In httpd.conf, removing the # from #ServerName localhost:80 and changing localhost to the actual IP fixed it.
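httpd -t validates syntax, so the edits described in this section (Listen 443 removed, ServerName set to a domain name, matching ProxyPass and ProxyPassReverse) are worth checking separately. The shell function below is an added example, not part of the original article. The name lint_ssl_conf, the constructed sample file and the loopback check on the backend are assumptions of this example.

```sh
# Added example: lint an Apache ssl.conf against the steps in this section.
# Prints one line per finding and returns the number of findings.
lint_ssl_conf() {
    conf=$1
    findings=0
    # Strip indentation and comment lines so disabled directives do not count.
    active=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$conf")

    # "Delete Listen 443 https": a second listener conflicts with the vhost.
    if printf '%s\n' "$active" |
        grep -Eiq '^Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)'; then
        echo "FAIL: active Listen 443 directive"; findings=$((findings + 1))
    fi

    # ServerName must be active and a domain name, not an IPv4 literal.
    name=$(printf '%s\n' "$active" | awk 'tolower($1) == "servername" { print $2; exit }')
    name=${name%%:*}                       # drop the :443 port suffix
    case $name in
        '') echo "FAIL: no active ServerName"; findings=$((findings + 1)) ;;
        *[!0-9.]*) ;;                      # has a non-digit, non-dot char: a host name
        *) echo "FAIL: ServerName $name is an IP address"; findings=$((findings + 1)) ;;
    esac

    # ProxyPass and ProxyPassReverse must both exist and name the same backend.
    pass=$(printf '%s\n' "$active" | awk 'tolower($1) == "proxypass" { print $3; exit }')
    rev=$(printf '%s\n' "$active" | awk 'tolower($1) == "proxypassreverse" { print $3; exit }')
    if [ -z "$pass" ] || [ "$pass" != "$rev" ]; then
        echo "FAIL: ProxyPass '$pass' / ProxyPassReverse '$rev' missing or different"
        findings=$((findings + 1))
    fi

    # Assumption of this example: AJP and plain HTTP to Tomcat are unencrypted,
    # so the backend should stay on the loopback address the article uses.
    case $pass in
        '' | ajp://127.0.0.1:* | http://127.0.0.1:*) ;;
        *) echo "WARN: backend $pass is not on 127.0.0.1"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: two of the article's pitfalls left in place.
sample=$(mktemp)
printf '%s\n' 'Listen 443 https' '<VirtualHost *:443>' \
    '#ServerName www.example.com:443' \
    'ProxyPass / ajp://127.0.0.1:8009/' \
    'ProxyPassReverse / ajp://127.0.0.1:8009/' '</VirtualHost>' > "$sample"
lint_ssl_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real host, pass /etc/httpd/conf.d/ssl.conf as the argument; a return status of 0 means none of the checked pitfalls were found.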

V. Generate certificates

Let's Encrypt supports 3 different authentication methods:

--apache: use the Apache plugin for authentication & installation

--standalone: run a standalone webserver for authentication

--webroot: place files in a server's webroot folder for authentication

The Apache authentication method is used here. The command is as follows:

The --apache-le-vhost-ext parameter specifies the configuration file of the virtual host, and the --register-unsafely-without-email parameter skips the e-mail address; without it, Let's Encrypt will ask for one. I entered a Foxmail address, but it was reported as invalid. I do not know why.

After the certificate is generated, it is placed in the /etc/letsencrypt/live/www.example.com/ directory, and Let's Encrypt automatically modifies the ssl.conf file to reference the certificate.

VI. Run Apache and Tomcat

Run Tomcat and output the log:

cd /etc/tomcat
sh bin/startup.sh; tail -F logs/catalina.out

Run Apache:

service httpd start

VII. Other

The overall configuration process is simple, but it is difficult for people who have not done it before. For example, I spent more than a week studying this. The information on the Internet never quite matched my computer: file paths were wrong, some configuration items were missing, and so on. I first tried on my own Ubuntu machine, and after several days it still did not work, so I gave up and went straight to CentOS on the server, where it was ready in a day, hehe!

My website is Small Cloud Studio (www.xiaoyun.studio); it is the site I set up HTTPS for.

