Apache. Payara. Let's Encrypt.
Some time ago, I wrote a small tutorial on how you can generate Let’s Encrypt SSL certificates and install them on your Glassfish Java EE Platform. That trick worked wonders for me but having to manually renew and reinstall the certificates every three months became quite annoying.
I did a little research and, same as the first tutorial, this one is basically a summary of my findings. Before anything, I should mention Mr. Daschner who explained to me how HTTPS is usually handled in the Java EE world – many thanks!
Long story short: Payara, Glassfish, JBoss and others all have some differences in the way they handle HTTPS so, Mr. Daschner said, the sane way to do it is to let them work via HTTP behind the scenes and let an Apache HTTP Server actually communicate with the users, acting as a Reverse Proxy, forwarding all requests to/from the hidden Java EE Platform.
First things first, download Payara or other server of your choice, install and run it with the default configuration. By default, it should listen on port
8080. No need to do anything further.
Then, install Apache as explained here and in the file
/etc/apache2/sites-available/example.com.conf, specify the following (the file is
example.com.conf as in the linked article):
After saving the changes, don’t forget to reload
Apache, so it reads the new config:
sudo systemctl reload apache2
Now instruct your firewall to expose ports
443 for incoming connections (this is probably already configured) and you are half done. So far, you have a running Apache server which will forward all requests made to
www.example.com/myapp to the internal Payara.
To enable SSL via Let’s Encrypt, just follow the steps described here and don’t forget to press
2 when the following message appears from
2 will instruct certbot to automatically configure Apache so it redirects all HTTP traffic to HTTPS. This is very convenient since
http:// links are still widely spread so it only makes sense to redirect the user to the secure alternative.
This is it, now everything should work via HTTPS and you should always see the green lock in your browser when accessing your Java EE apps via
www.example.com. The only thing that I do not like is the fact that, apparently, we have to specify each context root (i.e.
/myapp) in Apache’s config file. This seems very inconvenient, so I asked StackOverflow how we can avoid having to do this – if you happen to know please, go ahead and post an answer!