I wished to use the certificates of Let's Encrypt1 for my website/glassfish.
I installed certbot using the manual found on the certbot website2.
Make sure you are not running a website at the time, because the challenge of Let's Encrypt to verify you own the domain, is done by running a small webserver.
Getting certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.mrbear.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.mrbear.org/privkey.pem
Your cert will expire on 2019-01-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Converting PEM
So now I have the necessary PEM files. Now to add them to my keystore and cacerts.
... lots of text...
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 90 77 77 F6 3B DF 0C C3 29 25 B5 56 29 EB CF ..ww.;...)%.V)..
0010: 5D FD 3B 07 ].;.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts.jks]
I received a warning.
I did just that.
Enter source keystore password:
Entry for alias godaddy successfully imported.
Entry for alias godaddy2 successfully imported.
Entry for alias glassfish-instance successfully imported.
Entry for alias s1as successfully imported.
Import command completed: 4 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".
[root@mrbear config]#
I got a java.security.cert.CertificateParsingException: signed fields invalid when trying to import the Let's Encrypt keys.
I didn't know how to resolve it, so I decided to go with KSE - KeyStore Explorer3.
Verify key
Glassfish Admin console and HTTPS
I had some issues with the admin console which is also behind https.
There's a stackoverflow4 that helped me.
Running renew
In order to renew my keys with Let's Encrypt, all I need to do is run "cert renew" apparently.
I get the message that he cannot validate my domain. Apparently he needs to spin up a webserver again.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.mrbear.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Still using KSE, which is awesome, to change keystore.jks.
Steps taken:
- Deleted the old "s1as" Key Pair
- Import Key Pair
- Select format PKCS#8
- Encrypted private key checkbox should be unchecked
- PKCS#8 Private key file should be privkey.pem
- certificates file could be chain.pem
- enter the alias "s1as".
- enter a password to seal the deal.
- close and save
- restart Glassfish
- done.
References
- [1] Let's Encrypt
- https://letsencrypt.org/
- [2] Certbot
- https://certbot.eff.org/
- [3] SourceForge - Keystore-Explorer
- http://keystore-explorer.sourceforge.net/
- [4] StackOverflow - Glassfish V4 ssl admin no longer works
- https://stackoverflow.com/questions/34935725/glassfish-v4-ssl-admin-no-longer-works/34952975
I have created a Perl script to automate this process. From README.md:
ReplyDelete# letsencrypt_glassfish
A script to simplify the installation and maintenance of Let's Eencrypt certificates in Glassfish and Payara web servers.
This script is intended to simplify the installation of a Let's Encrypt certificate in a glassfish/payara server and provide an automated way of renewing that certificate when it is about to expire.
There exists a significant amount of documentation on the web which addresses this problem but I have found much of it to be ambiguous and incomplete. This is an attempt to remove that ambiguity and incompleteness by giving a real world working example which can be modified to suit a particular situation.
What I've done is broken the process of obtaining a Let's Encrypt certificate into the following steps, not all of which will be necessary:
1. Customize the script to the particular local installation
1. List of domains for which a certificate is to be created
1. Glassfish/Payara setup (where they're located in your filesystem)
1. Password for Glassfish/Payara
1. Change Glassfish/Payara to listen on ports 80 and 443
1. Generate the Let's Encrypt certification keys
1. Insure that the keystore password matches that of the server
1. Create a keystore
1. Import the created keystore into the Glassfish/Payara keystore
1. Apply the new certificate to the https listener
1. Update the domain SSL information
1. Set (if necessary) the server admin password.
1. Set up the https domain
Additionally, the script can be invoked periodically (typically via 'cron') to check to see if any domains need to be renewed and if so, renew them automatically.
I have used this script to create a new certificate for three domains in less than 5 minutes. I have used this script to automatically renew three domains via a cron job.
https://github.com/hbrednek/letsencrypt_glassfish
That looks pretty impressive!
Delete