In most cases the steps here are exactly the same as for the Glassfish application server1.
So, it might be a bit superfluous, but in the interest of being complete.
Bear in mind that when you change the master password, this password is also used to re-encrypt all your keystores!
Letsencrypt in cacerts.jks
I'm still using the Keystore Explorer for this. When you open up the cacerts.jks file, you'll see Let's Encrypt is already in there.
It's called 'letsencryptisrgx1 [jdk]'.
Add private key to keystore.jks
- "Open an existing keystore" in Keystore Explorer.
- Choose keystore.jks. Put in your master password to access the keystore.
- Deleted the old "s1as" Key Pair.
- Import Key Pair
- Select format PKCS#8
- Encrypted private key checkbox should be unchecked
- PKCS#8 Private key file should be privkey.pem
- certificates file could be fullchain.pem
- enter the alias "s1as".
- enter a password to seal the deal.
- close and save
- restart Payara domain
- done.
Interesting.
When attempting to restart the Payara domain, I used asadmin, and it immediately noticed that my keystore.jks file was changed. It showed me the certificate and asked:
Enter admin user name>
Enter admin password>
Restart your listener
Instead of having to restart your entire Payara Domain, apparently it is also possible to just turn your http-listeners on and off.
That's what this little bit here is all about.
The command "asadmin list-http-listeners", shows you the listeners.
Enter admin user name> admin
Enter admin password for user "admin">
http-listener-1
http-listener-2
admin-listener
Command list-http-listeners executed successfully.
In order to examine the http listeners fully, it is best to list the different properties, like so:
Enter admin user name> admin
Enter admin password for user "admin">
server.network-config.protocols.protocol.admin-http-redirect
server.network-config.protocols.protocol.admin-http-redirect.http-redirect
server.network-config.protocols.protocol.admin-listener
server.network-config.protocols.protocol.admin-listener.http
server.network-config.protocols.protocol.admin-listener.http.file-cache
server.network-config.protocols.protocol.http-listener-1
server.network-config.protocols.protocol.http-listener-1.http
server.network-config.protocols.protocol.http-listener-1.http.file-cache
server.network-config.protocols.protocol.http-listener-1.ssl
server.network-config.protocols.protocol.http-listener-2
server.network-config.protocols.protocol.http-listener-2.http
server.network-config.protocols.protocol.http-listener-2.http.file-cache
server.network-config.protocols.protocol.http-listener-2.ssl
server.network-config.protocols.protocol.pu-protocol
server.network-config.protocols.protocol.pu-protocol.port-unification
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.admin-http-redirect
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.http-finder
server.network-config.protocols.protocol.sec-admin-listener
server.network-config.protocols.protocol.sec-admin-listener.http
server.network-config.protocols.protocol.sec-admin-listener.http.file-cache
server.network-config.protocols.protocol.sec-admin-listener.ssl
Command list executed successfully.
We can see which ones have ssl enabled, by using get:
server.network-config.protocols.protocol.http-listener-2.security-enabled=true
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.http-listener-1.security-enabled
server.network-config.protocols.protocol.http-listener-1.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.admin-listener.security-enabled
server.network-config.protocols.protocol.admin-listener.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.sec-admin-listener.security-enabled
server.network-config.protocols.protocol.sec-admin-listener.security-enabled=true
Command get executed successfully.
As you've noticed above, the admin-listener has defined a redirect to sec-admin-listener.
Let's turn http-listener-2 off and on again. See if he picks up the new certificate.
Command get executed successfully.
./asadmin set server.network-config.network-listeners.network-listener.http-listener-2.enabled=true
Command get executed successfully.
Yes! We have a green lockicon in my Firefox bar! Success!
For some reason this little thing, also caused the new certificate to be picked up by the admin listener of the administration console.
Automation
Apparently it's possible to automate the whole thing, and there's a Python script in the Payara application server called payara5/bin/letsencrypt.py that let's you do that.
There's more information available on the website of Certbot on how to automate it, see in the references below.
References
- [1] Enabling SSL in Glassfish with certificate from Let's Encrypt.
- https://randomthoughtsonjavaprogramming.blogspot.com/2019/01/enabling-ssl-in-glassfish-with.html
- Payara Blog - Securing Payara Server with Custom SSL Certificate
- https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate
- Payara Blog - Configuring SSL/TLS Certificates with Payara Server and Let's Encrypt
- https://blog.payara.fish/configuring-ssl/tls-certificates-with-payara-server-and-lets-encrypt
- Github.com - PAYARA-1061 LetsEncrypt integration script
- https://github.com/payara/Payara/pull/2727
- Certbot - User Guide
- https://certbot.eff.org/docs/using.html
- Keystore Explorer
- https://keystore-explorer.org/
No comments:
Post a Comment