Setting up Custom SSL for BMS on Linux CentOS 7 (Non-Docker)

Prerequisites

Variables Used

  • domain - bms-staging.leafnode.io (the name used in every path and command below; substitute your own)
  • password - bms123 (example keystore password; substitute your own)

Steps

1. Create a standalone certificate via certbot

# certbot certonly --standalone -d bms-staging.leafnode.io

The standalone authenticator binds port 80 itself to answer the HTTP-01 challenge, so nothing else (Tomcat, httpd, nginx) may be listening on port 80 while the certificate is issued or renewed, and the domain's DNS must already resolve to this host. The certificate, chain and key are placed under /etc/letsencrypt/live/bms-staging.leafnode.io/. The two files used below are fullchain.pem (leaf plus intermediate) and privkey.pem; both are symlinks into the archive directory, so the paths stay stable across renewals.

2. Create a PKCS12 that contains both your full chain and the private key

# openssl pkcs12 -export -out /tmp/bms-staging.leafnode.io_fullchain_and_key.p12 -in /etc/letsencrypt/live/bms-staging.leafnode.io/fullchain.pem -inkey /etc/letsencrypt/live/bms-staging.leafnode.io/privkey.pem -name tomcat

openssl prompts for an export password; enter the keystore password (bms123 here), because step 3 passes the same value as -srcstorepass. -name tomcat sets the entry alias that step 3 refers to with -alias. The .p12 contains the private key, so delete it from /tmp once the JKS has been created.

3. Convert that PKCS12 to a JKS

# keytool -importkeystore -deststorepass bms123 -destkeypass bms123 -destkeystore bms-staging.leafnode.io.jks -srckeystore /tmp/bms-staging.leafnode.io_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass bms123 -alias tomcat

Replace bms123 with your password. Keep -deststorepass and -destkeypass identical: Tomcat's keystorePass (step 4) is used for both the store and the key unless a separate keyPass is configured, so a differing key password makes the connector fail to start. The JKS is written to the current directory; keytool -list on it should show the single alias "tomcat" with the certificate's validity dates before you move it into place.

4. Configure the Tomcat server

# mv bms-staging.leafnode.io.jks /etc/ssl/
# vi conf/server.xml

conf/server.xml is relative to the Tomcat installation directory ($CATALINA_HOME, or wherever the BMS installer placed Tomcat). The JKS holds the private key and server.xml will hold its password in clear text, so make both files owned by the user Tomcat runs as, with mode 0600, so that no other local account can read them.

Ensure the default HTTP connector is commented out (an XML comment opens with <!-- and must be closed with -->; an unclosed comment makes server.xml unparseable and Tomcat will not start):

<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->

Configure the connector to use a shared thread pool. This requires the <Executor name="tomcatThreadPool" .../> element, which ships commented out in the default server.xml, to be uncommented; otherwise Tomcat fails to start because the executor is unknown. redirectPort must point at the TLS port defined in the next step (18443, not the default 8443), since that is where Tomcat sends requests that a security-constraint requires to be confidential:

<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="18443" />

Next, define the SSL HTTP/1.1 Connector on port 18443:

<Connector port="18443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/etc/ssl/bms-staging.leafnode.io.jks"
keystorePass="bms123"
clientAuth="false" sslProtocol="TLS" />

org.apache.coyote.http11.Http11Protocol is the blocking (BIO) implementation and exists only in Tomcat 7 and 8.0; on Tomcat 8.5 or newer use protocol="org.apache.coyote.http11.Http11NioProtocol" with the same attributes. sslProtocol="TLS" lets the JVM negotiate any TLS version it supports; add sslEnabledProtocols="TLSv1.2" (plus TLSv1.3 where the JVM supports it) to refuse TLS 1.0 and 1.1 clients. clientAuth="false" means the server does not request client certificates. keystorePass must equal the password chosen in step 3.

5. Test the setup

Start or restart the BMS Tomcat server so the configuration takes effect, and open TCP port 18443 in the host firewall (firewalld on CentOS 7 blocks it by default). The site should then be accessible at https://bms-staging.leafnode.io:18443/ibpworkbench/main without a browser warning. Checking port 18443 with openssl s_client from another host should show the leaf and intermediate certificate from fullchain.pem and a verify return code of 0; a chain error there means the PKCS12 in step 2 was built from cert.pem instead of fullchain.pem.


6. Set up the auto-renew script - https://github.com/jmutai/tomcat-letsencrypt

The script is set to run every day at 3am via a Linux cron job and goes through the following steps:

a) Check whether certbot is installed and install it if necessary.

b) Using certbot, check whether the certificate needs to be renewed and renew it if applicable.

c) If the certificate was renewed, restart Tomcat and send an email notification.

Two things to confirm before relying on it: the standalone authenticator needs port 80 free at renewal time (see step 1), and Tomcat reads the JKS, not the PEM files under /etc/letsencrypt, so a renewal only reaches clients if the PKCS12 and JKS from steps 2 and 3 are regenerated from the new fullchain.pem and privkey.pem before the restart. Let's Encrypt certificates are valid for 90 days, so a broken renewal path shows up as an expired certificate within three months.
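The following certbot deploy hook performs steps 2 and 3 and the restart from step 6c whenever certbot actually renews the certificate. It is an added example, not code from the original page or from the linked repository. It assumes the page's domain, alias and password, /etc/ssl as the keystore location and a systemd unit named tomcat; all of these are overridable through the environment. certbot exports RENEWED_LINEAGE to deploy hooks (invoke it with certbot renew --deploy-hook /usr/local/sbin/bms-renew-hook.sh), and the hook refuses to package a fullchain.pem whose public key does not match privkey.pem, which is the failure you get when the two files come from different renewals.

```sh
#!/bin/sh
# Added example, not from the original page or the linked repository:
# a certbot deploy hook that rebuilds the Tomcat keystore (steps 2 and 3)
# from a freshly renewed certificate and then restarts Tomcat (step 6c).
# Run via: certbot renew --deploy-hook /usr/local/sbin/bms-renew-hook.sh
set -eu

# Assumed values (the page's domain, alias and password); override via environment.
DOMAIN="${DOMAIN:-bms-staging.leafnode.io}"
STORE_PASS="${STORE_PASS:-bms123}"
KEYSTORE="${KEYSTORE:-/etc/ssl/$DOMAIN.jks}"
ALIAS="tomcat"
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"   # assumed systemd unit name

# Succeeds (exit 0) when the certificate $1 expires within $2 days,
# i.e. when step 6b should trigger a renewal. Default threshold: 30 days.
needs_renewal() {
  local cert="$1" days="${2:-30}"
  ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

# Succeeds when the public key in certificate $1 matches private key $2, so a
# fullchain.pem is never packaged with a stale or unrelated privkey.pem.
key_matches_cert() {
  local cert_fp key_fp
  cert_fp="$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)"
  key_fp="$(openssl pkey -in "$2" -pubout | openssl sha256)"
  [ "$cert_fp" = "$key_fp" ]
}

# Step 2: $1/fullchain.pem + $1/privkey.pem -> PKCS12 file $2, export password $3.
build_pkcs12() {
  local live="$1" out="$2" pass="$3"
  key_matches_cert "$live/fullchain.pem" "$live/privkey.pem"
  openssl pkcs12 -export -name "$ALIAS" \
    -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
    -out "$out" -passout "pass:$pass"
  chmod 0600 "$out"
}

# Step 3: PKCS12 $1 -> JKS $2 with password $3 for both store and key (Tomcat's
# keystorePass unlocks both). Written under a temporary name and renamed so
# Tomcat never sees a half-written keystore.
pkcs12_to_jks() {
  local p12="$1" jks="$2" pass="$3"
  keytool -importkeystore -noprompt -alias "$ALIAS" \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$jks.tmp" -deststorepass "$pass" -destkeypass "$pass"
  chmod 0600 "$jks.tmp"
  mv -f "$jks.tmp" "$jks"
}

# Deploy-hook entry point. certbot exports RENEWED_LINEAGE (the live/<domain>
# directory it just renewed) to deploy hooks; when it is unset the functions
# above are only being defined, e.g. for testing, and nothing below runs.
main() {
  local p12
  p12="$(mktemp)"
  build_pkcs12 "$RENEWED_LINEAGE" "$p12" "$STORE_PASS"
  pkcs12_to_jks "$p12" "$KEYSTORE" "$STORE_PASS"
  rm -f "$p12"                      # the .p12 holds the private key as well
  systemctl restart "$TOMCAT_UNIT"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Because certbot only runs a deploy hook after a successful renewal, the hook replaces the "if renewed, restart" logic of step 6c and also closes the gap noted above: the JKS is rebuilt before Tomcat restarts. The password is still read from the environment or the default in the script, so keep the hook file itself mode 0700 and owned by root.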