David Cornelius's picture

I have been trying to get the Standalone Tomcat v16.1 to work with a certificate. Following instructions from this post Confconsole - Let's Encrypt | TurnKey GNU/Linux (turnkeylinux.org). I can generate the certificates and they are going into the /etc/ssl/private ok. I get the Python port 80 but stop add-water.

When I go to test.bakery.co.uk it says Not secure.

How do I get Tomcat to use the cert using the method.

I know the certificate is good as if I put the three files in the Tomcat /etc/tomcat9 and change the server.xml with 

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
            <Certificate certificateFile="conf/cert.pem"
                         certificateChainFile="conf/chain.pem" />

This works. 

I would like to get the other auto method working so that I don't have to do this every 3 months.

Any ideas.



Jeremy Davis's picture

Hi David, thanks so much for posting!

Following some investigative testing of the Tomcat appliance, I can confirm that it doesn't appear to be working as intended.

I've opened a new issue on our issue tracker to ensure that it doesn't get forgotten. As noted there, the immediate workaround (on a default TurnKey standalone Tomcat server) is incredibly simple, just rerun the Tomcat SSL cert update firstboot script (after getting the new Let's Encrypt cert) and restart Tomcat. I.e.:

systemctl restart tomcat9.service

The only catch with that, is that it depends on the default Tomcat config which you appear to have edited (by default Tomcat runs on port 443 - i.e. standard HTTPS). So you will either need to revert your changes (so it goes back to the default config) or adjust your config appropriately. FWIW, here's the default section that we provide (the lines with the preceding '+' are what we add - don't include the '+'):

@@ -93,6 +103,16 @@
+    <!-- TurnKey Linux default HTTPS connector on port 443 -->
+    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
+               maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
+               clientAuth="false" sslProtocol="TLSv1.2" keystoreType="PKCS12"
+               keystoreFile="/etc/tomcat9/cert.p12" keystorePass="turnkey"
+               sslEnabledProtocols="TLSv1.2"
+               server="Secret" />
     <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
          This connector uses the APR/native implementation which always uses
          OpenSSL for TLS.

Note that instead of using the "raw" pem files, the cert/key ae stored within a PKCS12 keystore (the inithook script loads the default .pem files into the Tomcat keystore). You could use the raw pem files directly if you'd rather (as per the config that you note; except put the absolute path to /etc/ssl/private/cert.pem & /etc/ssl/private/cert.key (I'm fairly sure you shouldn't need to explicitly use the chain file).

However, as you've already noted, additional commands still need to be run everytime that the cert is updated. Obviously requiring a manual step won't be much good for automation! So I have actually implemented a bugfix to our Let's Encrypt dehydrated-wrapper script.

To pull that fix into your server, please try this:


Then (assuming that your Confconsole Let's Encrypt config is already good to go; which I suspect it is) manually force it to update the cert:

/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper --force

Hopefully that does the trick. Please post back ASAP to confirm that it works; or let me know if it's still not working. If it's not working, please share any error messages that you see.

Add new comment