Given: a VPS on Ubuntu, with Apache (for the front end) and Tomcat (for the API) on it. There is a domain, and everything works over http.
Task: Configure HTTPS access.
Problem: Do not want to pay for the certificate.
Question: How to get a free certificate and configure everything?
Answer 1, Authority 100%
- You must have root access to the server via ssh.
- Install the program certbot. It is open source and allows you to automatically generate, install and update an SSL certificate for Apache (instructions from the program site, for Apache and Ubuntu 18.04; there are instructions for other programs and OSes):

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install certbot python-certbot-apache

- Run it for Apache:

    sudo certbot --apache

  A program will start, which in a few steps will configure everything, generating the certificate files and registering them in the Apache configuration. At the end, it will tell you where the generated certificate files are stored. The program will also add a task to cron to check the expiration date of the certificate (90 days) and renew it automatically (new files will be generated and the configuration updated (probably)).
- For Tomcat it is more complicated. I did not find instructions for automatic configuration, so we will do it manually.

Instructions for Ubuntu 18:
- Copy the private key, the certificate itself and the chain files (privkey, cert, chain; all with the .pem extension) to the home folder of the user that runs Tomcat, giving that user the rights to these files.
- Register the paths to the files in the Tomcat configuration (server.xml) like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="${user.home}/privkey.pem"
                         certificateFile="${user.home}/cert.pem"
                         certificateChainFile="${user.home}/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

- Restart Tomcat.
Instructions for Debian 8:
- Copy the private key, the certificate itself and the chain files (privkey, cert, chain; all with the .pem extension) to the home folder of the user that runs Tomcat, giving that user the rights to these files.
- Create a PFX file. It is needed because, for an unknown reason, Tomcat does not want to accept the PEM files in this case, because of some native library which I could not set up, because the instructions, as always, are for pros; an ordinary person will not figure them out.

    openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password

- In the Tomcat configuration (server.xml), write the paths to the files like this:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/bundle.pfx" keystorePass="password"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" />
Information taken from here
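Added example, not part of the original answer: the cron renewal described above only refreshes the files certbot manages, so the PEM copies made by hand for Tomcat go stale after 90 days. The sketch below is a certbot deploy hook that re-copies them with owner-only permissions and restarts Tomcat; the `tomcat` account, the `/opt/tomcat` home and the systemd unit name `tomcat` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): certbot deploy hook that
# refreshes Tomcat's copies of the PEM files after each renewal.
# Assumptions: Tomcat runs as user "tomcat" with home /opt/tomcat and is
# managed by a systemd unit named "tomcat"; adjust for your host.

TOMCAT_USER="${TOMCAT_USER:-tomcat}"      # assumed service account
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}" # assumed home directory

# copy_pems SRC_DIR DST_DIR [OWNER]
# Copies privkey.pem, cert.pem and chain.pem with mode 0600 so that only the
# owning account can read the private key. Fails if any file is missing.
# The body is a subshell, so the umask change does not leak to the caller.
copy_pems() (
    src=$1; dst=$2; owner=${3:-}
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; exit 1; }
    done
    umask 077   # new files are never group- or world-readable, even briefly
    for f in privkey.pem cert.pem chain.pem; do
        # Write under a temporary name, then rename, so Tomcat never reads
        # a half-written file.
        cp "$src/$f" "$dst/$f.new" || exit 1
        chmod 600 "$dst/$f.new" || exit 1
        if [ -n "$owner" ]; then chown "$owner" "$dst/$f.new" || exit 1; fi
        mv -f "$dst/$f.new" "$dst/$f" || exit 1
    done
)

# certbot sets RENEWED_LINEAGE (the live directory of the renewed
# certificate) when it runs deploy hooks; without it nothing is executed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_pems "$RENEWED_LINEAGE" "$TOMCAT_HOME" "$TOMCAT_USER" &&
        systemctl restart tomcat
fi
```

Saved as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/`, or passed with `--deploy-hook`, it runs after each successful renewal. For the PFX variant, the same hook would also have to re-run the `openssl pkcs12 -export` step.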