Let's Encrypt SSL with Apache (Reverse Proxy) + Tomcat using win-acme

Objective

Secure a website (example.com) served by Tomcat (port 8080) through an Apache reverse proxy on Windows using a free Let's Encrypt SSL certificate generated by win-acme.

Prerequisites

Domain name pointing to your public IP.
Apache (XAMPP) installed and running on port 80.
Tomcat server running on port 8080.
win-acme ACME client (https://www.win-acme.com/).

Apache Virtual Host Configuration (Port 80)

<VirtualHost *:80>
    ServerName example.com

    # Serve ACME challenge
    Alias /.well-known/acme-challenge/ "C:/xampp/.well-known/acme-challenge/"
    <Directory "C:/xampp/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Prevent proxying of ACME challenge
    ProxyPassMatch ^/.well-known ! 

    # Reverse proxy to Tomcat
    ProxyPreserveHost On
    ProxyPass /exampledept/ http://localhost:8080/exampledept/
    ProxyPassReverse /exampledept/ http://localhost:8080/exampledept/

    ProxyPass / http://localhost:8080/exampledept/
    ProxyPassReverse / http://localhost:8080/exampledept/

    ErrorLog "logs/example.com-error.log"
    CustomLog "logs/example.com-access.log" common
</VirtualHost>

win-acme Manual Validation Setup

Run wacs.exe and choose M (Full Options).
Select manual input of domain: example.com
Choose HTTP validation method: Save verification files on (network) path
Path for challenge files: C:\xampp\ (No need to mention .well-known/acme-challenge)
Choose to skip web.config copy.
Choose key type: RSA
Output format: PEM files Output directory: C:\example_ssl
Skip additional installation or bindings steps.

Validation Troubleshooting (Optional)

Ensure the ACME challenge file is directly accessible at: http://example.com/.well-known/acme-challenge/<token>
If you see 404s, verify:
- Apache is not proxying .well-known paths.
- Challenge file exists in C:/xampp/.well-known/acme-challenge/.
- No Tomcat redirection is interfering with validation.

Installing SSL

Apache Virtual Host Configuration (Port 443)

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile "C:/xampp/ssl/cert.pem"
    SSLCertificateKeyFile "C:/xampp/ssl/key.pem"
    SSLCertificateChainFile "C:/xampp/ssl/chain.pem"

    # Serve .well-known/acme-challenge locally (optional, for renewal)
    Alias /.well-known/acme-challenge/ "C:/xampp/.well-known/acme-challenge/"
    <Directory "C:/xampp/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ProxyPreserveHost On
    ProxyPass /exampledept/ http://localhost:8080/exampledept/
    ProxyPassReverse /exampledept/ http://localhost:8080/exampledept/

    ProxyPass / http://localhost:8080/exampledept/
    ProxyPassReverse / http://localhost:8080/exampledept/

    ErrorLog "logs/example-ssl-error.log"
    CustomLog "logs/example-ssl-access.log" common
</VirtualHost>

Final Steps

Restart Apache and Tomcat.
Access your secure site via: https://example.com/exampledept/
(Optional) Setup a scheduled task or cron for renewal with win-acme.

(Optional but Recommended) Force HTTPS Redirect

In your current port 80 VirtualHost, add this to redirect users to HTTPS:

<VirtualHost *:80>
    ServerName example.com

    # Redirect everything to HTTPS
    Redirect permanent / https://example.com/

    # Keep acme challenge local (optional for renewal)
    Alias /.well-known/acme-challenge/ "C:/xampp/.well-known/acme-challenge/"
    <Directory "C:/xampp/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog "logs/example.com-error.log"
    CustomLog "logs/example.com-access.log" common
</VirtualHost>

PreviousTomcat: Install Let's Encrypt SSL-Windows NextHOW TO CREATE A FULL-CHAIN PFX FROM YOUR SSL FILES

Last updated 5 months ago

Was this helpful?