ssl_tsl_certificates
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Last revision Both sides next revision | ||
|
ssl_tsl_certificates [2018/11/09 12:56] mstraub created |
ssl_tsl_certificates [2018/11/09 13:19] mstraub |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== SSL/TSL Certificates ====== | ====== SSL/TSL Certificates ====== | ||
| + | |||
| + | When using HTTPS on your server you should most probably also provide a **valid** [[https://de.wikipedia.org/wiki/Transport_Layer_Security|TLS]] (aka SSL) certificate. Otherwise browsers tend to block access to your page or at least give a big warning that the page is not secure. | ||
| ===== Let's Encrypt ===== | ===== Let's Encrypt ===== | ||
| Line 18: | Line 20: | ||
| <code bash> | <code bash> | ||
| - | sudo apt-get update | + | sudo apt update |
| - | sudo apt-get install software-properties-common | + | sudo apt install software-properties-common |
| sudo add-apt-repository ppa:certbot/certbot | sudo add-apt-repository ppa:certbot/certbot | ||
| - | sudo apt-get update | + | sudo apt update |
| - | sudo apt-get install certbot | + | sudo apt install certbot |
| sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt | sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt | ||
| Line 40: | Line 42: | ||
| == Create Java Keystore == | == Create Java Keystore == | ||
| - | Now we have to create a java keystore (.jks) for use with WildFly: | + | Now we have to create a java keystore (.jks) for use with WildFly. Adapt the variables to match your use case, and note, that you should delete the lines containing passwords from your ''~/.bash_history'' (or equivalent): |
| <code bash> | <code bash> | ||
| - | YOURDOMAIN=a.ait.ac.at | + | YOURDOMAIN=example.com |
| - | YOURKEYSTORENAME=b | + | YOURKEYSTORENAME=k |
| - | KEYSTOREALIAS=c | + | KEYSTOREALIAS=a |
| OPENSSL_PASS=p | OPENSSL_PASS=p | ||
| WILDFLY_NEW_STORE_PASS=p | WILDFLY_NEW_STORE_PASS=p | ||
| Line 52: | Line 54: | ||
| sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS} | sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS} | ||
| - | |||
| sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS} | sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS} | ||
| </code> | </code> | ||
| Line 99: | Line 100: | ||
| Then repeat the steps for creating a new java keystore. | Then repeat the steps for creating a new java keystore. | ||
| - | FIXME as of 2018-08 shutting down may not be necessary anymore, see ''certbot --help standalone'' and the option ''--tls-sni-01-port''. See also https://github.com/certbot/certbot/issues/2697 | + | FIXME as of 2018-08 shutting down may not be necessary anymore, see ''%%certbot --help standalone%%'' and the option ''%%--tls-sni-01-port%%''. See also https://github.com/certbot/certbot/issues/2697 |
ssl_tsl_certificates.txt · Last modified: 2018/11/09 13:41 by mstraub
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
