There are two main ways of running Greenstone 3 using HTTPS:

• [Preferred] Running an Apache server configured to support HTTPS, and reverse proxying the Tomcat server
• Setting up Tomcat to run using HTTPS

An easy way of getting an SSL certificate, which is free, is to use certbot and LetsEncrypt.

You will need to install certbot - follow the instructions at https://certbot.eff.org/instructions Take note of the "What you need" section. Then, choose your webserver ('apache' or 'other' for Tomcat) and operating system, and it will give you instructions to install certbot, plus also instructions to run it to get certificates.

Once you have certbot installed, if you are using Apache, you can run

• sudo certbot –apache - this will generate the certificates, plus also setup Apache configuration to use them.
• sudo certbot certonly - will generate the certificates, but do no configuration - you will need to do that yourself.

If you are adding https support to Tomcat, you can use the Greenstone ant targets to generate the certificates, plus then convert them and setup Tomcat configuration to use them.

• ant setup-https-cert - this will obtain the certificates from LetsEncrypt, and put them into Tomcat's conf folder.
• ant renew-existing-https-cert - to run the renewal command and reinstall them into Tomcat.

The SSL certificates are installed into /etc/letsencrypt/live/<tomcat.server>

Once you use certbot to obtain certificates, it sets up a systemd timer to automatically renew them every 60 days. You shouldn't need to re-run certbot unless your settings have changed. Note, if your port 80 is not open by default, and you opened it just for generating the initial certificates, this renewal won't work. You'll need to open up port 80, and run sudo certbot renew.