Thursday 11 November 2021

LetsEncrypt with Webroot

All righty then, time to get working with LetsEncrypt. Again.

So there are several different ways to have LetsEncrypt verify that the domain you wish to have a certificate for is actually yours.

I usually use the webroot version.

But in the past, I found it irksome that I had to let certbot spin up an HTTP server to verify my domain.

What was easier was to have my application server map a part of the filesystem to the web pages [1].

Then certbot could simply use that webroot directory. Which is option 2.

So let's try that.

~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.mrbear.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for www.mrbear.org
Performing the following challenges:
http-01 challenge for www.mrbear.org
Input the webroot for www.mrbear.org: (Enter 'c' to cancel): /home/jelastic/media
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.mrbear.org/privkey.pem
Your certificate will expire on 2021-11-10. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Certbot will put its files in /home/jelastic/media/.well-known, usually in the acme-challenge directory. It puts a randomly named file in there, for example 366_oWEFaizWeQqOts4KhuTBQcCsFH5dBgG7-jNX32k, with a similar string inside, but usually a lot longer.

This file is accessed by the LetsEncrypt server, and if that works, the domain is yours and you get your certificate.
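A pre-flight check for the webroot mapping described above, as an added example (not from the original post and not part of certbot): it writes a probe file into the directory the webroot plugin uses and fetches it over HTTP, so a docroot that is not actually served shows up before certbot runs. The function names and the local stand-in server are assumptions made for this example.

```python
import http.server
import os
import secrets
import sys
import threading
import urllib.error
import urllib.request
from functools import partial

def preflight(webroot, base_url, timeout=5):
    """Drop a probe where the webroot plugin drops tokens, then fetch it over HTTP.
    Returns (ok, detail); the probe file is always removed again."""
    name = "preflight-" + secrets.token_urlsafe(24)  # constructed, not an ACME token
    body = secrets.token_urlsafe(48)
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    path = os.path.join(directory, name)
    os.makedirs(directory, exist_ok=True)
    # Connect directly: a proxy would hide what the server itself answers.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    try:
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # the server's user must be able to read it
        try:
            with opener.open(url, timeout=timeout) as resp:
                served = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return False, "HTTP %d for %s" % (exc.code, url)
        except OSError as exc:
            return False, "cannot reach %s: %s" % (url, exc)
        if served != body:
            return False, "URL answers, but not with the file from this webroot"
        return True, "webroot is served under /.well-known/acme-challenge/"
    finally:
        if os.path.exists(path):
            os.remove(path)

def serve_directory(directory):
    """Local stand-in for the application server's docroot mapping (testing only)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    ok, detail = preflight(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it with the webroot and the site's plain-HTTP URL as arguments, for example /home/jelastic/media and http://www.mrbear.org; a check from the server itself does not prove the site is reachable from outside.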

"certbot renew" is easier and preferable, as it takes into account the previous configuration settings. Nice for cron jobs.

Also, I found this great script for importing the SSL certificates on the forums of LetsEncrypt [2] for my Java Application Server!

My Payara MicroProfile server uses the following commandline to access the new certificates:

java -server -XX:+UnlockExperimentalVMOptions -javaagent:/java_agent/jelastic-gc-agent.jar=period=300,debug=0 -XX:+UseStringDeduplication -XX:+UseG1GC -Xmaxf0.3 \
-Xminf0.1 -Xmx2048M -Xms32M \
-Djavax.net.ssl.trustStore="/home/jelastic/cacerts.jks" \
-Djavax.net.ssl.keyStore="/home/jelastic/keystore.jks" \
-Djavax.net.ssl.trustStorePassword="changeit" \
-Djavax.net.ssl.keyStorePassword="changeit" \
-jar ./payara-micro-5.2021.1.jar --postbootcommandfile ./postboot --addlibs ../libs/mariadb-java-client-2.5.2.jar --port 8080 --sslport 8743 \
--deploy ../release/mrbear.war \
--deploy ../release/mrbearportal-2.0.9.war

Please pay special attention to the four "javax.net.ssl.*" properties, which take care of the SSL configuration: the trust store, the key store and their passwords.

And that's it!

References

[1] MyBlog - Alternate docroots
http://randomthoughtsonjavaprogramming.blogspot.com/search/label/alternate%20docroot
[2] LetsEncrypt Community Forum - Importing LetsEncrypt into Java and Glassfish
https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711/11
[3] Java Keytool Essentials: Working with Java Keystores - Mitchell Anicas
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores