On 27 October 2017 at 15:05, Don Flinn <fl...@alum.mit.edu> wrote:
> Hi Andre,
>
> I have looked and it may be my ignorance but I didn't find any that seemed
> to fit. I'll look more closely at the available letsencrypt clients.
>
> With letsencrypt you first have to authenticate, i.e. show you own the
> site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
> token. Then the Java program can get the letsencrypt certificate. There
> are two different addresses: Tomcat on AWS and the node, which is running
> the Java program.
>
> I've set Tomcat to listen on port 80 and put the directory structure they
> want in Tomcat ROOT. The Java program, running on my node, gets the
> letsencrypt authentication token and ftp's it to Tomcat
> ROOT/.well-known/acme-challenge, which is the directory structure they
> expect. letsencrypt then authenticates the token which is in Tomcat, by
> retrieving it. The program lets letsencrypt know when the ftp is done. The
> Java program then retrieves the certificate from letsencrypt, puts it in a
> keystore, and ftp's the keystore to AWS in the directory in which I've set
> Tomcat to look for the keystore. It's all done from the one Java program,
> which I can run from my node. I have yet to incorporate programmatically
> inserting the certificate into the keystore. All the other steps are
> working. It needs testing and doing the update of the certificate, which
> is pretty much the same steps as already programmed.
>
> Don
I just set this up a few days ago, but all the current scripts out there are working for the most part.

Also, running Tomcat at root is not a good idea; you can just use iptables for that:

  sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
  sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

So when Tomcat is running on ports 8080 and 8443, with iptables you route those ports also to 80/443, so there is no need to change anything in Tomcat.

Besides that, I just use certbot-auto:

  wget https://dl.eff.org/certbot-auto
  sudo chmod a+x certbot-auto
  sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d your.domain.com

You have to have a ROOT webapp in Tomcat for this, and with certbot you just point to that tomcat/webapps/ROOT dir and the certificates are there.

Then the only thing left to do is to convert it and place it in the right folder (and I guess the first time you also have to change the owner/group, because that file will be root:root):

  sudo openssl pkcs12 -export -out tomcat/conf/bundle.pfx -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem -in /etc/letsencrypt/live/your.domain.com/cert.pem -certfile /etc/letsencrypt/live/your.domain.com/chain.pem -password pass:apassword

and you have your first certificate in a format Tomcat/Java understands.

Then only a crontab under root:

  #!/bin/sh
  /home/ec2-user/certbot-auto renew
  openssl pkcs12 -export -out /tomcat/conf/bundle.pfx -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem -in /etc/letsencrypt/live/your.domain.com/cert.pem -certfile /etc/letsencrypt/live/your.domain.com/chain.pem -password pass:apassword

and you are done.

The only thing that I need to investigate is to only call the openssl in the crontab when
the certbot did renew and then also restart Tomcat (as long as Tomcat doesn't auto pick it up).
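The open question at the end of the message above (convert to PKCS12 only when certbot actually renewed, then restart Tomcat) is what certbot's `--deploy-hook` is for: the hook runs only after a successful renewal, with the renewed lineage directory exported as `RENEWED_LINEAGE`. The script below is an added example written for this thread, not code posted by either participant or shipped by certbot or Tomcat. It assumes (none of this is in the thread) a certbot new enough to have `--deploy-hook` and `RENEWED_LINEAGE` (0.17 or later), Tomcat running as a systemd unit named `tomcat` under a `tomcat` user, a keystore path of `/opt/tomcat/conf/bundle.pfx`, and the PKCS12 password kept in a root-only file rather than on the command line where `ps` can see it. It also keeps a belt-and-braces mtime check so a stale keystore is rebuilt even if the hook is run by hand.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's script.
# Assumptions (hypothetical, not from the thread): certbot >= 0.17 so
# --deploy-hook and RENEWED_LINEAGE exist; a systemd unit "tomcat" running as
# user/group tomcat; the PKCS12 password lives in a root-only file.
#
# Install as an absolute path, e.g. /usr/local/sbin/tomcat-cert.sh, and put
#   0 3 * * *  /usr/local/sbin/tomcat-cert.sh renew
# in root's crontab. certbot then calls "tomcat-cert.sh hook" only when a
# certificate was really renewed, so openssl and the restart run only then.
set -eu

KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/bundle.pfx}"      # assumed path
PASSFILE="${PASSFILE:-/opt/tomcat/conf/bundle.pass}"     # assumed path, mode 0600 root
CERTBOT="${CERTBOT:-/home/ec2-user/certbot-auto}"        # path used in the thread

# needs_deploy LINEAGE KEYSTORE
# True when the keystore is missing or older than the lineage's cert.pem,
# i.e. certbot wrote a new certificate that Tomcat has not been given yet.
needs_deploy() {
    lineage="$1"; keystore="$2"
    [ ! -e "$keystore" ] || [ "$lineage/cert.pem" -nt "$keystore" ]
}

# deploy_keystore LINEAGE KEYSTORE PASSWORD
# Bundle privkey + cert + chain into a PKCS12 file Tomcat can load.  The file
# is written with umask 077 to a temp name and moved into place, so Tomcat
# never sees a half-written keystore and the key is never world-readable.
deploy_keystore() {
    lineage="$1"; keystore="$2"; password="$3"
    tmp="$keystore.tmp.$$"
    umask 077
    openssl pkcs12 -export -out "$tmp" \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -name tomcat \
        -passout "pass:$password"
    chown tomcat:tomcat "$tmp"      # thread notes certbot output is root:root
    chmod 0640 "$tmp"
    mv -f "$tmp" "$keystore"
}

case "${1:-}" in
  renew)
      # Cron entry point. certbot exits 0 and runs no hook when nothing is due.
      "$CERTBOT" renew --quiet --deploy-hook "$0 hook"
      ;;
  hook)
      # Invoked by certbot after a successful renewal only.
      lineage="${RENEWED_LINEAGE:?must be run as a certbot deploy hook}"
      if needs_deploy "$lineage" "$KEYSTORE"; then
          deploy_keystore "$lineage" "$KEYSTORE" "$(cat "$PASSFILE")"
          systemctl restart tomcat
      fi
      ;;
  *)
      # No argument: only define the functions (useful for testing them).
      ;;
esac
```

Because `needs_deploy` compares mtimes rather than trusting the caller, running `tomcat-cert.sh hook` manually with `RENEWED_LINEAGE=/etc/letsencrypt/live/your.domain.com` is a safe way to repair a keystore that fell out of sync, and it does nothing when the keystore is already current.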