Environment in which this worked:
CentOS 6.5
Java 1.8
Tomcat 9
1. Get Let's Encrypt Free SSL Certificate
# Create a new ssl directory under the current directory
$ mkdir ssl
$ cd ssl
# Download letsencrypt from github
$ git clone https://github.com/letsencrypt/letsencrypt
# Enter the letsencrypt directory
$ cd letsencrypt
# Get the certificate with the standalone plugin. Tomcat must be shut down first,
# because the standalone authenticator binds the web port itself (otherwise an error is reported)
# -d your domain name, for example: -d baidu.com -d www.baidu.com
$ ./letsencrypt-auto certonly --standalone --email <your mailbox> -d baidu.com -d www.baidu.com
If you see a success message like the one shown, the certificate was issued.
You can see several files in your /etc/letsencrypt/live/<your domain>/ directory.
At this point the certificates are ready. The most common problem here is that Tomcat is still running when you fetch the certificate with standalone.
2. Adding ssl certificates
Adding the certificate is easy. Most online tutorials target older Tomcat versions, which makes the configuration look more troublesome than it is; for Tomcat 9 it is straightforward.
# Modify the conf/server.xml file in the Tomcat installation directory
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- The following part is commented out in the original file. Remove the comment. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/Your domain name/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/Your domain name/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/Your domain name/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
The port numbers in this step were changed from the original file; the HTTPS connector is 8443 there, and you can keep 8443 instead of 443. Make sure the port you choose is opened in the system firewall.
The way to open a port differs between CentOS 6 and CentOS 7; search Baidu for the details.
// Modify web.xml (web.xml and server.xml are in the same directory)
// Add the following at the end
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
If Tomcat does not serve HTTPS properly after this, the specific reason can be found in the logs/catalina.out file.
In my case it reported that the APR/Tomcat Native library was missing, so I moved on to step three.
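The two fragments above have to agree with each other: the HTTP connector's redirectPort must name the port of the SSLEnabled connector (the classic mistake when keeping 8443 is leaving redirectPort="443"), and the CONFIDENTIAL constraint in web.xml is what actually triggers the redirect. The following check is an added example, not part of the original post; it parses constructed copies of both fragments (example.com stands in for the real domain) and reports those inconsistencies.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the tutorial's server.xml and web.xml fragments;
# example.com stands in for the real domain and no deployed file is read.
SERVER_XML = """<Server><Service name="Catalina">
 <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
 <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
            maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <SSLHostConfig><Certificate type="RSA"
    certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
    certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
    certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"/></SSLHostConfig>
 </Connector></Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
 <web-resource-collection><web-resource-name>SSL</web-resource-name>
  <url-pattern>/*</url-pattern></web-resource-collection>
 <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint></web-app>"""

def _find_all(root, name):
    """Match on the local tag name so web.xml's default namespace does not hide elements."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_tls_config(server_xml, web_xml):
    """Return a list of problems; an empty list means HTTP->HTTPS forcing is consistent."""
    problems = []
    ssl_ports, plain = set(), []
    for c in _find_all(ET.fromstring(server_xml), "Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(c.get("port"))
            for cert in _find_all(c, "Certificate"):  # all three PEM paths must be set
                for attr in ("certificateKeyFile", "certificateFile", "certificateChainFile"):
                    if not cert.get(attr):
                        problems.append(f"Certificate on port {c.get('port')} lacks {attr}")
        else:
            plain.append(c)
    if not ssl_ports:
        problems.append("no SSLEnabled connector in server.xml")
    for c in plain:  # a plain connector must redirect to a port that really serves TLS
        if c.get("redirectPort") not in ssl_ports:
            problems.append(f"connector {c.get('port')} redirectPort={c.get('redirectPort')} "
                            "is not an SSLEnabled connector port")
    # Without a CONFIDENTIAL constraint on /* Tomcat never issues the redirect at all.
    forced = any(
        any(p.text == "/*" for p in _find_all(sc, "url-pattern"))
        and any(g.text == "CONFIDENTIAL" for g in _find_all(sc, "transport-guarantee"))
        for sc in _find_all(ET.fromstring(web_xml), "security-constraint"))
    if not forced:
        problems.append("web.xml has no CONFIDENTIAL constraint on /*")
    return problems
```

To check a real installation, read conf/server.xml and conf/web.xml into the two arguments instead of the constructed strings.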
3. Install tomcat-native, apr, apr-util
# Install apr
$ cd /usr/local/src
$ wget https://mirrors.cnnic.cn/apache/apr/apr-1.6.3.tar.gz
$ tar -xzvf apr-1.6.3.tar.gz
$ cd apr-1.6.3/
$ ./configure --prefix=/usr/local/apr
$ make && make install

# Install apr-util
$ cd /usr/local/src
$ wget https://mirrors.cnnic.cn/apache/apr/apr-util-1.6.1.tar.gz
$ tar -xzvf apr-util-1.6.1.tar.gz
$ cd apr-util-1.6.1/
$ ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
$ make && make install

# Add the following two lines to the /etc/profile file
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
export LD_RUN_PATH=$LD_RUN_PATH:/usr/local/apr/lib
# Make the environment variables take effect immediately
$ source /etc/profile

# Install tomcat-native
# tomcat-native ships in the tomcat/bin directory by default, but I always got errors
# after compiling it, so a fresh copy was downloaded from the official site.
# If your openssl version is too low, upgrade it before running these commands.
$ cd /usr/local/src
$ wget https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-connectors/native/1.2.17/source/tomcat-native-1.2.17-src.tar.gz
$ tar -xzvf tomcat-native-1.2.17-src.tar.gz
$ cd tomcat-native-1.2.17-src/native
$ ./configure --with-apr=/usr/local/apr --with-ssl=yes
$ make && make install
# Next, restart tomcat
If a wget link fails, replace it with a mirror that can be accessed normally.
4. Make a scheduled automatic renewal script
https://blog.csdn.net/anukram/article/details/78176614

Reference blogs:
http://blog.51cto.com/hequan/2064813
https://blog.csdn.net/morpheus_1125/article/details/76405496