Thursday 10 January 2019

Enabling SSL in Glassfish with certificate from Let's Encrypt.

I wished to use certificates from Let's Encrypt [1] for my website, which is served by GlassFish.

I installed certbot following the instructions on the certbot website [2].

Make sure nothing is listening on port 80 at the time: with the standalone authenticator, certbot proves you control the domain (the http-01 challenge) by spinning up its own small webserver on port 80, and it fails if the port is already taken. The alternative is the webroot authenticator, which places the challenge file in an existing server's document root instead.

Getting certificates

[root@localhost certificates]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.mrbear.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.mrbear.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.mrbear.org/privkey.pem
   Your cert will expire on 2019-01-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Converting PEM

So now I have the necessary PEM files: privkey.pem is the unencrypted PKCS#8 private key and fullchain.pem is the server certificate followed by the Let's Encrypt intermediate. The domain's config directory has two keystores: keystore.jks holds the server's key pairs (the HTTPS listener serves the one under alias s1as) and cacerts.jks holds the CA certificates GlassFish trusts when it acts as a client. Adding fullchain.pem to cacerts.jks, as below, therefore does not change what the server serves; what matters is the key pair in keystore.jks. One note on the command: a password given with -storepass ends up in the shell history and is visible in ps while keytool runs; keytool also accepts -storepass:env VAR or -storepass:file FILE.

[root@mrbear config]# keytool -import -v -trustcacerts -alias letsencrypt -file /etc/letsencrypt/live/www.mrbear.org/fullchain.pem -keystore cacerts.jks -storepass itsasecret
... lots of text...
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 90 77 77 F6 3B DF 0C   C3 29 25 B5 56 29 EB CF  ..ww.;...)%.V)..
0010: 5D FD 3B 07                                        ].;.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]

I received a warning.

Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

I did just that. The migration happens in place and the file keeps its name, so the domain's JVM options still point at keystore.jks; on current JDKs the JKS keystore type reads a PKCS12 file transparently (keystore.type.compat in java.security), which is why this works without touching domain.xml.

[root@mrbear config]# keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12                                                                                           
Enter source keystore password:  
Entry for alias godaddy successfully imported.
Entry for alias godaddy2 successfully imported.
Entry for alias glassfish-instance successfully imported.
Entry for alias s1as successfully imported.
Import command completed:  4 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".
[root@mrbear config]#

Trying to get the Let's Encrypt key into the keystore with keytool failed with java.security.cert.CertificateParsingException: signed fields invalid. keytool has no command for importing a bare PEM private key: it imports either certificates (-importcert) or whole keystores (-importkeystore), so a PEM key pair has to be bundled into a PKCS#12 file first, or imported with a tool that understands PEM keys.

I didn't know how to resolve it at the time, so I went with KSE, KeyStore Explorer [3], which reads the PEM key and certificates directly.

Verify key

The private key can be sanity-checked with openssl. Note that -check only tests that the RSA key is internally consistent (primes and exponents agree); it does not prove that the key belongs to the certificate. For that, compare the public key derived from privkey.pem with the public key inside the first certificate of fullchain.pem: they must be byte-for-byte identical.

openssl rsa -in /etc/letsencrypt/live/www.mrbear.org/privkey.pem -check

Glassfish Admin console and HTTPS

I had some issues with the admin console, which is also behind HTTPS: with secure admin enabled, the admin listener uses the s1as alias by default (enable-secure-admin's --adminalias), so it is affected by the replaced key pair as well.

A StackOverflow answer [4] helped me.

Running renew

To renew my certificate with Let's Encrypt, all I need to do is run "certbot renew".

At first it told me it could not validate my domain: renewal repeats the http-01 challenge with the same standalone authenticator, so port 80 has to be free again for certbot's temporary webserver. Once it was, the renewal went through:

[root@mrbear ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.mrbear.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.mrbear.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot only writes the new files under /etc/letsencrypt; "deployed without reload" refers to certbot's own installer plugin, and there is none here. GlassFish keeps serving the old key pair from keystore.jks until it is re-imported and the domain restarted. I'm still using KSE, which is awesome, for that.

Steps taken:

  1. Deleted the old "s1as" key pair (the alias the HTTPS listener uses).
  2. Import Key Pair.
  3. Select format PKCS#8.
  4. Leave the "Encrypted private key" checkbox unchecked (certbot's privkey.pem is not encrypted).
  5. PKCS#8 private key file: privkey.pem.
  6. Certificates file: fullchain.pem, the server certificate plus the intermediate (chain.pem alone holds only the intermediate).
  7. Enter the alias "s1as".
  8. Enter the key pair's password; GlassFish requires it to be the same as the keystore password (the master password).
  9. Close and save the keystore.
  10. Restart GlassFish so the listener picks up the new key pair.
  11. Done.
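The conversion the KSE steps above do by hand, and the re-import that "certbot renew" leaves to you, as one script that certbot can run as its deploy hook. This is an added example, not code from the original post (nor the commenter's Perl script); it uses openssl and keytool instead of KeyStore Explorer and adds the key/certificate match check that "openssl rsa -check" alone does not give. Assumed rather than taken from the post: the GlassFish domain config path, a master/keystore password of changeit, asadmin on PATH, and the script's own install path in the certbot command in its header. The s1as alias and the certbot file names are the post's.

```shell
#!/bin/sh
# glassfish-deploy-hook.sh
# Bundle Let's Encrypt's privkey.pem + fullchain.pem into the GlassFish domain
# keystore under the alias the HTTPS listener uses (s1as), then restart the
# domain so the listener serves the new key pair.
# certbot runs a --deploy-hook only for lineages it actually renewed, with
# RENEWED_LINEAGE set to that directory, e.g. /etc/letsencrypt/live/www.mrbear.org
#
#   certbot certonly --standalone -d www.mrbear.org \
#       --deploy-hook /usr/local/sbin/glassfish-deploy-hook.sh
#   certbot renew        # later, from cron; the saved deploy hook re-runs
#   RENEWED_LINEAGE=/etc/letsencrypt/live/www.mrbear.org \
#       /usr/local/sbin/glassfish-deploy-hook.sh    # first install, by hand
#
# Assumptions (not from the original post): the config path below, the
# master/keystore password "changeit", and asadmin on PATH.
GLASSFISH_DOMAIN_CONFIG="${GLASSFISH_DOMAIN_CONFIG:-/opt/glassfish4/glassfish/domains/domain1/config}"
KEYSTORE="${KEYSTORE:-$GLASSFISH_DOMAIN_CONFIG/keystore.jks}"
ALIAS="${ALIAS:-s1as}"
# Exported so openssl and keytool read it via env: instead of taking it as an
# argument, which would show up in ps output and in the shell history.
STOREPASS="${STOREPASS:-changeit}"
export STOREPASS

# verify_pair LINEAGE: the key must belong to the leaf certificate. Compare
# the SubjectPublicKeyInfo derived from the private key with the one inside
# the first certificate of fullchain.pem; "openssl rsa -check" only tests
# the key's internal consistency.
verify_pair() {
    key_pub="$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null)" || return 1
    cert_pub="$(openssl x509 -in "$1/fullchain.pem" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# pem_to_pkcs12 LINEAGE OUT: one PKCS#12 entry holding the key, the server
# certificate and the intermediate (fullchain.pem, not chain.pem, which
# holds only the intermediate).
pem_to_pkcs12() {
    openssl pkcs12 -export \
        -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name "$ALIAS" -passout env:STOREPASS -out "$2"
}

# import_pkcs12 P12: replace the ALIAS entry in the domain keystore.
# -noprompt overwrites the existing s1as entry; -destkeypass keeps the key
# password equal to the store password, which GlassFish requires for s1as.
import_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -srcalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststorepass:env STOREPASS \
        -destalias "$ALIAS" -destkeypass:env STOREPASS
}

# install_cert LINEAGE: the whole procedure. The PKCS#12 file carries the
# private key, so it is created under a private umask and deleted afterwards.
install_cert() {
    lineage="$1"
    if ! [ -r "$lineage/privkey.pem" ] || ! [ -r "$lineage/fullchain.pem" ]; then
        echo "install_cert: privkey.pem/fullchain.pem not readable in $lineage" >&2
        return 1
    fi
    verify_pair "$lineage" || {
        echo "install_cert: privkey.pem does not match the certificate in fullchain.pem" >&2
        return 1
    }
    umask 077
    p12="$(mktemp)" || return 1
    if pem_to_pkcs12 "$lineage" "$p12" && import_pkcs12 "$p12"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$p12"
    return $rc
}

# Run unattended only when certbot (or the operator) set RENEWED_LINEAGE, so
# the file can also be sourced for its functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" && asadmin restart-domain
fi
```

Pass the script as --deploy-hook when obtaining the certificate; certbot saves it in the renewal configuration, so "certbot renew" re-imports and restarts only after a real renewal. If something does listen on port 80 during renewal, certbot's --pre-hook and --post-hook can stop and start it around the standalone challenge.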

References

[1] Let's Encrypt
https://letsencrypt.org/
[2] Certbot
https://certbot.eff.org/
[3] SourceForge - Keystore-Explorer
http://keystore-explorer.sourceforge.net/
[4] StackOverflow - Glassfish V4 ssl admin no longer works
https://stackoverflow.com/questions/34935725/glassfish-v4-ssl-admin-no-longer-works/34952975

2 comments:

  1. I have created a Perl script to automate this process. From README.md:

    # letsencrypt_glassfish
    A script to simplify the installation and maintenance of Let's Encrypt certificates in Glassfish and Payara web servers.

    This script is intended to simplify the installation of a Let's Encrypt certificate in a glassfish/payara server and provide an automated way of renewing that certificate when it is about to expire.

    There exists a significant amount of documentation on the web which addresses this problem but I have found much of it to be ambiguous and incomplete. This is an attempt to remove that ambiguity and incompleteness by giving a real world working example which can be modified to suit a particular situation.

    What I've done is broken the process of obtaining a Let's Encrypt certificate into the following steps, not all of which will be necessary:

    1. Customize the script to the particular local installation
    2. List of domains for which a certificate is to be created
    3. Glassfish/Payara setup (where they're located in your filesystem)
    4. Password for Glassfish/Payara
    5. Change Glassfish/Payara to listen on ports 80 and 443
    6. Generate the Let's Encrypt certification keys
    7. Ensure that the keystore password matches that of the server
    8. Create a keystore
    9. Import the created keystore into the Glassfish/Payara keystore
    10. Apply the new certificate to the https listener
    11. Update the domain SSL information
    12. Set (if necessary) the server admin password.
    13. Set up the https domain

    Additionally, the script can be invoked periodically (typically via 'cron') to check to see if any domains need to be renewed and if so, renew them automatically.

    I have used this script to create a new certificate for three domains in less than 5 minutes. I have used this script to automatically renew three domains via a cron job.

    https://github.com/hbrednek/letsencrypt_glassfish
