Wednesday, August 1, 2012

Running Tomcat on HTTPS with a Secure Certificate on Dreamhost

From http://www.appfoundation.com/2012/08/running-tomcat-on-https-with-a-secure-certificate-on-dreamhost/:


1. Create a new domain
  • Login to your Dreamhost account
  • Go to "Manage Domains"
  • Select to "Add New Domain"
  • Make sure to specify the "Run this domain under the user" as a user associated with the FTP account on your private server. This results in the new domain being installed on your private server
  • Wait for the new domain to be active, which can take up to 15 minutes. Once you can hit the new domain in your browser you are ready to go.

2. Add SSL to the domain
  • Login to your Dreamhost account
  • Go to "Manage Domains"
  • Next to your domain press the "Add" button in the "Secure Hosting" column
  • Fill out the admin information for your domain
  • Wait for the SSL version of your domain to be available, which can take up to 15 minutes. Once you can hit the HTTPS version of your domain you are ready to go.
  • This service costs $5/month

3. Add a professionally signed secure certificate to the domain
  • This is required if you don't want your users to get the "Not a secure site" warning page when going to the HTTPS version of your site
  • Login to your Dreamhost account
  • Under "Domains" go to "Secure Hosting"
  • Select to "Add Secure Certificate"
  • Fill out the information and order the certificate
  • Wait up to 15 minutes for the certificate to be complete. Once the status of the certificate request on the "Secure Hosting" page is "OK" you are ready to go.
  • This service costs $15.00

4. Fix Dreamhost overwrites
  • The addition of this service will cause your private server to have some of its components refreshed, depending on what things you have selected to have managed on the Private Server dashboard
  • The most common issue is the refresh of the MySQL configuration file, in which the default version doesn't allow lower case table names
  • You know this is happening when you start getting database errors about table names not being found
  • Modify MySQL to not use case sensitive names, which means you have to edit /dh/mysql/mysql/my.cnf
  • Add lower_case_table_names=1 AFTER the [mysqld] tag. If you add this param before, it does not get picked up by the startup script.
## my.cnf for ds3241:mysql (generated)
#
# put local parameters in my.cnf.local for inclusion below
#
### useful info:
# socket = /dh/mysql/mysql/mysql.mysql.sock
# backup user = root
# backup pass = PASSWORD_HERE
[mysqld_safe]
open_files_limit = 65535
[mysqld]
# options without values
lower_case_table_names=1
log-warnings
new
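As an added check, not part of the original post, this Python snippet parses a my.cnf into its sections and reports whether lower_case_table_names=1 actually sits under the [mysqld] header, which is the gotcha described above. The sample files are constructed.

```python
# Added example (not from the original post): check that lower_case_table_names=1
# sits in the [mysqld] section of a my.cnf, since a copy placed before that
# header is ignored by the startup script. Input below is constructed.
from typing import Dict, List

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Return {section: [option lines]}; lines before any header go to ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line.replace(" ", ""))
    return sections

def check_lower_case_names(text: str) -> str:
    """'ok' if [mysqld] has lower_case_table_names=1, else why it is wrong."""
    sections = parse_sections(text)
    wanted = "lower_case_table_names=1"
    if wanted in sections.get("mysqld", []):
        return "ok"
    for name, opts in sections.items():
        if any(opt.startswith("lower_case_table_names=") for opt in opts):
            where = f"[{name}]" if name else "before any section header"
            return f"setting found {where}, not in [mysqld]"
    return "setting missing"

# Constructed sample: the mistake the post warns about (option before [mysqld]).
BAD_CNF = """[mysqld_safe]
open_files_limit = 65535
lower_case_table_names=1
[mysqld]
log-warnings
"""
GOOD_CNF = """[mysqld_safe]
open_files_limit = 65535
[mysqld]
lower_case_table_names=1
log-warnings
"""
```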

5. Change Apache ports (if you are running Tomcat HTTP on 80 and Tomcat HTTPS on 443)
  • If you are running Tomcat on port 80 and intending on running HTTPS on 443, you will need to tell Apache to run somewhere else
  • You have to edit /usr/local/dh/apache2/httpd-argon/etc/httpd.conf and change all of the port :443's to :8443's

6. Restart the server
  • Login to your Dreamhost account
  • Go to "Dedicated Servers" and then "Dashboard"
  • Press the "Restart" button next to your private server
  • Wait for about 5 minutes for the server to come back up

7. Install tools needed for generating a certificate for Tomcat

8. Generate a keystore for Tomcat using your certificate
  • This took me a really long time to figure out. http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat contained the missing pieces.
  • In Dreamhost go to Secure Hosting and select the "View" button next to your Secure Certificate for your domain
  • This will show you 3 keys: Certificate, Private Key, and Intermediate Certificate
  • Copy and paste the Certificate into a file named "yourdomain.com.crt"
  • Copy and paste the Intermediate Certificate into a file named "yourdomain.com.int"
  • Copy and paste the Private Key into a file named "yourdomain.com.key"
  • Run the following at the Windows Command Line (the -certfile option bundles the intermediate certificate saved above into the keystore, so Tomcat serves the full chain):
openssl pkcs12 -export -in yourdomain.com.crt -inkey yourdomain.com.key -certfile yourdomain.com.int -name "yourdomain.com" -out yourdomain.com.pkcs12
  • Pick a password for the keystore, which you will need to put in the Tomcat server.xml in the future
  • This generates a file called yourdomain.com.pkcs12

9. Upload the keystore
  • Upload the yourdomain.com.pkcs12 to the conf directory of your Tomcat installation on your private server
  • For example our Tomcat conf directory is /opt/apache-tomcat-7.0.27/conf

10. Modify the Tomcat server.xml
  • First, on the HTTP connector, set redirectPort to the HTTPS port. Note that all you need here is redirectPort; everything else is specific to an ExtJS GZIP optimization:
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               compression="on"
               compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,image/jpeg,image/png,image/gif"
               compressionMinSize="1" />
  • Next you have to add a connector configuration for HTTPS that references the keystore:
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/yourdomain.com.pkcs12" keystoreType="PKCS12" keystorePass="YOUR_PASSWORD"
               compression="on"
               compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,image/jpeg,image/png,image/gif"
               compressionMinSize="1" />

  • Finally you have to modify the AJP connector:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
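Before restarting Tomcat, it is worth checking that the three connectors line up. This Python snippet is an added example, not code from the original post: it parses a server.xml, confirms there is exactly one SSLEnabled connector with a keystore configured, and checks that the HTTP and AJP connectors' redirectPort points at that connector's port. The sample server.xml is constructed, with the keystore password as a placeholder.

```python
# Added example (not from the original post): sanity-check a Tomcat server.xml
# edited as in step 10. Verifies that exactly one SSLEnabled connector exists,
# that it names a keystore and password, and that the HTTP and AJP connectors'
# redirectPort points at that connector's port. Sample XML below is constructed.
import xml.etree.ElementTree as ET
from typing import List

def check_connectors(server_xml: str) -> List[str]:
    """Return a list of problems; an empty list means the connectors line up."""
    problems: List[str] = []
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if len(https) != 1:
        problems.append(f"expected one SSLEnabled connector, found {len(https)}")
        return problems
    tls = https[0]
    for attr in ("keystoreFile", "keystorePass"):
        if not tls.get(attr):
            problems.append(f"HTTPS connector is missing {attr}")
    if tls.get("secure", "").lower() != "true" or tls.get("scheme") != "https":
        problems.append('HTTPS connector should set scheme="https" secure="true"')
    for c in connectors:
        if c is tls:
            continue
        if c.get("redirectPort") != tls.get("port"):
            problems.append(
                f"connector on port {c.get('port')} redirects to "
                f"{c.get('redirectPort')!r}, expected {tls.get('port')}"
            )
    return problems

# Constructed sample in the post's layout; the AJP redirectPort is deliberately wrong.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/yourdomain.com.pkcs12" keystoreType="PKCS12"
               keystorePass="YOUR_PASSWORD"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""
```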

11. Startup your Tomcat instance
  • From the Tomcat directory run ./bin/startup.sh and make sure logs/catalina.out doesn't contain any errors related to the keystore
  • The HTTPS version of your site should now be running using your certificate, which means there won't be a security warning page when visiting the site
