Thursday, 24 January 2019

Enabling SSL in Payara with certificate from Let's Encrypt.

In most cases the steps here are exactly the same as for the Glassfish application server [1].

So this post might be a bit superfluous, but it is here in the interest of completeness.

Bear in mind that when you change the master password, this password is also used to re-encrypt all your keystores!

Letsencrypt in cacerts.jks

I'm still using the Keystore Explorer for this. When you open up the cacerts.jks file, you'll see Let's Encrypt is already in there.

It's called 'letsencryptisrgx1 [jdk]'.

Add private key to keystore.jks

  1. "Open an existing keystore" in Keystore Explorer.
  2. Choose keystore.jks. Enter your master password to access the keystore.
  3. Delete the old "s1as" key pair.
  4. Import Key Pair.
  5. Select format PKCS#8.
  6. Leave the "Encrypted private key" checkbox unchecked.
  7. The PKCS#8 private key file is privkey.pem.
  8. The certificates file can be fullchain.pem.
  9. Enter the alias "s1as".
  10. Enter a password to seal the deal.
  11. Close and save.
  12. Restart the Payara domain.
  13. Done.
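The same replacement of the s1as key pair done non-interactively, as an added example that is not from the post or from Payara: it uses openssl and keytool instead of Keystore Explorer, and LE_DIR, KEYSTORE and STOREPASS are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the post): the Keystore Explorer steps above done
# non-interactively with openssl and keytool. LE_DIR, KEYSTORE and STOREPASS
# are assumptions for this example; adjust them to your domain.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.com}"      # assumed certbot output directory
KEYSTORE="${KEYSTORE:-/opt/payara5/glassfish/domains/domain1/config/keystore.jks}"
STOREPASS="${STOREPASS:-changeit}"   # Payara's default master password, assumed unchanged
ALIAS="s1as"                         # the alias Payara's listeners reference

# Bundle the unencrypted PKCS#8 key (privkey.pem) and the chain (fullchain.pem)
# into one PKCS#12 file. The legacy PBE/MAC algorithms keep the file readable by
# older JDK keytools, which reject OpenSSL 3's default AES/PBKDF2 encoding.
make_pkcs12() {
    openssl pkcs12 -export -name "$ALIAS" \
        -inkey "$LE_DIR/privkey.pem" -in "$LE_DIR/fullchain.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$STOREPASS" -out "$1"
}

# Replace the old self-signed s1as entry. keytool will not overwrite an alias,
# so delete first (ignored when the alias or the keystore does not exist yet).
import_key_pair() {
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1 || true
    # -destkeypass makes the key password equal to the store password, which is
    # what Payara expects for s1as (assumption: master password == keystore password).
    keytool -importkeystore -noprompt -srcalias "$ALIAS" -destalias "$ALIAS" \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
}

# Check: s1as must now be a PrivateKeyEntry (key plus chain), not a bare cert.
verify_alias() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        2>/dev/null | grep -q PrivateKeyEntry
}

main() {
    p12="$(mktemp)"
    trap 'rm -f "$p12"' EXIT
    make_pkcs12 "$p12"
    import_key_pair "$p12"
    verify_alias && echo "s1as replaced; restart the domain or bounce the listener"
}
if [ "${RUN_KEYSTORE_IMPORT:-0}" = "1" ]; then main; fi
```

Run it with RUN_KEYSTORE_IMPORT=1 after stopping nothing: the domain only needs a restart (or a listener bounce, see below) to pick the new entry up.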

Interesting.

When attempting to restart the Payara domain, I used asadmin, and it immediately noticed that my keystore.jks file was changed. It showed me the certificate and asked:

Do you trust the above certificate [y|N]-->
Enter admin user name>
Enter admin password>

Restart your listener

Instead of having to restart your entire Payara Domain, apparently it is also possible to just turn your http-listeners on and off.

That's what this little bit here is all about.

The command "asadmin list-http-listeners" shows you the listeners.

$ ./asadmin list-http-listeners
Enter admin user name> admin
Enter admin password for user "admin">
http-listener-1
http-listener-2
admin-listener
Command list-http-listeners executed successfully.

In order to examine the http listeners fully, it is best to list their properties, like so:

$ ./asadmin list server.network-config.protocols.protocol.*
Enter admin user name> admin
Enter admin password for user "admin">
server.network-config.protocols.protocol.admin-http-redirect
server.network-config.protocols.protocol.admin-http-redirect.http-redirect
server.network-config.protocols.protocol.admin-listener
server.network-config.protocols.protocol.admin-listener.http
server.network-config.protocols.protocol.admin-listener.http.file-cache
server.network-config.protocols.protocol.http-listener-1
server.network-config.protocols.protocol.http-listener-1.http
server.network-config.protocols.protocol.http-listener-1.http.file-cache
server.network-config.protocols.protocol.http-listener-1.ssl
server.network-config.protocols.protocol.http-listener-2
server.network-config.protocols.protocol.http-listener-2.http
server.network-config.protocols.protocol.http-listener-2.http.file-cache
server.network-config.protocols.protocol.http-listener-2.ssl
server.network-config.protocols.protocol.pu-protocol
server.network-config.protocols.protocol.pu-protocol.port-unification
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.admin-http-redirect
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.http-finder
server.network-config.protocols.protocol.sec-admin-listener
server.network-config.protocols.protocol.sec-admin-listener.http
server.network-config.protocols.protocol.sec-admin-listener.http.file-cache
server.network-config.protocols.protocol.sec-admin-listener.ssl
Command list executed successfully.

We can see which ones have SSL enabled by using get:

$ ./asadmin get server.network-config.protocols.protocol.http-listener-2.security-enabled
server.network-config.protocols.protocol.http-listener-2.security-enabled=true
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.http-listener-1.security-enabled
server.network-config.protocols.protocol.http-listener-1.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.admin-listener.security-enabled
server.network-config.protocols.protocol.admin-listener.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.sec-admin-listener.security-enabled
server.network-config.protocols.protocol.sec-admin-listener.security-enabled=true
Command get executed successfully.

As the listing above shows, there is an admin-http-redirect protocol, so the plain admin-listener redirects to sec-admin-listener, which is the one with security-enabled=true.

Let's turn http-listener-2 off and on again, and see if it picks up the new certificate.

$ ./asadmin set server.network-config.network-listeners.network-listener.http-listener-2.enabled=false
Command get executed successfully.
$ ./asadmin set server.network-config.network-listeners.network-listener.http-listener-2.enabled=true
Command get executed successfully.

Yes! We have a green lock icon in my Firefox bar! Success!

For some reason this little thing also caused the new certificate to be picked up by the admin listener of the administration console.
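The listener bounce above, scripted and followed by a check of the certificate the listener actually serves (rather than looking for the lock icon), as an added example that is not from the post or from Payara; ASADMIN and HOST are assumptions for this example, and the port is read from the listener's own configuration.

```shell
#!/bin/sh
# Added example (not from the post): bounce a Payara network listener with
# asadmin, then show the certificate it serves instead of trusting the browser
# lock icon. ASADMIN and HOST are assumptions for this example.
set -eu

ASADMIN="${ASADMIN:-/opt/payara5/bin/asadmin}"   # assumed install path
HOST="${HOST:-example.com}"                       # assumed name on the certificate
LISTENER="${LISTENER:-http-listener-2}"

# Turn a "...security-enabled=<bool>" line from asadmin get into an exit status;
# it takes the output text as an argument, so it can be checked without a server.
security_enabled() {
    case "$1" in
        *.security-enabled=true)  return 0 ;;
        *.security-enabled=false) return 1 ;;
        *) echo "unexpected asadmin output: $1" >&2; return 2 ;;
    esac
}

# Pull the value out of an asadmin "key=value" line (e.g. the listener's port).
get_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=//p' | head -n 1
}

# Disable and re-enable the listener; it re-reads keystore.jks on the way up.
bounce_listener() {
    nl="server.network-config.network-listeners.network-listener.$LISTENER"
    "$ASADMIN" set "$nl.enabled=false"
    "$ASADMIN" set "$nl.enabled=true"
}

# What the listener serves now: issuer, subject and validity window.
served_certificate() {
    openssl s_client -connect "$HOST:$1" -servername "$HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -subject -dates
}

main() {
    proto="server.network-config.protocols.protocol.$LISTENER"
    nl="server.network-config.network-listeners.network-listener.$LISTENER"
    sec="$("$ASADMIN" get "$proto.security-enabled" | grep 'security-enabled=')"
    if ! security_enabled "$sec"; then
        echo "$LISTENER is not an SSL listener; nothing to check" >&2; exit 1
    fi
    port="$(get_value "$("$ASADMIN" get "$nl.port" | grep '\.port=')")"
    bounce_listener
    served_certificate "$port"
}
if [ "${RUN_BOUNCE:-0}" = "1" ]; then main; fi
```

The issuer line of the output should name Let's Encrypt and the notAfter date should match the new certificate; if it still shows the old self-signed s1as, the listener did not re-read the keystore.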

Automation

Apparently it's possible to automate the whole thing: there's a Python script in the Payara application server called payara5/bin/letsencrypt.py that lets you do that.

There's more information on how to automate it in the Certbot User Guide; see the references below.

References

[1] Enabling SSL in Glassfish with certificate from Let's Encrypt.
    https://randomthoughtsonjavaprogramming.blogspot.com/2019/01/enabling-ssl-in-glassfish-with.html
[2] Payara Blog - Securing Payara Server with Custom SSL Certificate
    https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate
[3] Payara Blog - Configuring SSL/TLS Certificates with Payara Server and Let's Encrypt
    https://blog.payara.fish/configuring-ssl/tls-certificates-with-payara-server-and-lets-encrypt
[4] Github.com - PAYARA-1061 LetsEncrypt integration script
    https://github.com/payara/Payara/pull/2727
[5] Certbot - User Guide
    https://certbot.eff.org/docs/using.html
[6] Keystore Explorer
    https://keystore-explorer.org/
