This shows you the differences between two versions of the page.
ssl_tsl_certificates [2018/11/09 12:56] mstraub created |
ssl_tsl_certificates [2018/11/09 13:41] (current) mstraub [Workflow when using WildFly] |
Line 1: | Line 1: | ||
====== SSL/TSL Certificates ====== | ====== SSL/TSL Certificates ====== | ||
+ | |||
+ | When using HTTPS on your server you should most probably also provide a **valid** [[https://de.wikipedia.org/wiki/Transport_Layer_Security|TLS]] (aka SSL) certificate. Otherwise browsers tend to block access to your page or at least give a big warning that the page is not secure. | ||
===== Let's Encrypt ===== | ===== Let's Encrypt ===== | ||
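Review bot: the page heading on the first line still reads "SSL/TSL Certificates" while the paragraph added in this hunk (correctly) writes TLS; since the heading is what readers see first, fix the typo to "SSL/TLS Certificates" in this revision rather than leaving the heading and body disagreeing (the page id `ssl_tsl_certificates` can stay as it is). Also, the page is written in English but the TLS link points at the German Wikipedia article; linking the English article would match the rest of the text.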
Line 18: | Line 20: | ||
<code bash> | <code bash> | ||
- | sudo apt-get update | + | sudo apt update |
- | sudo apt-get install software-properties-common | + | sudo apt install software-properties-common |
sudo add-apt-repository ppa:certbot/certbot | sudo add-apt-repository ppa:certbot/certbot | ||
- | sudo apt-get update | + | sudo apt update |
- | sudo apt-get install certbot | + | sudo apt install certbot |
sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt | sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt | ||
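Review bot: switching `apt-get` to `apt` is fine for commands readers type by hand, but `apt` prints "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." when its output is not a terminal, so if this block is meant to be pasted into a provisioning script, `apt-get` was the better choice; either way, say which use the block is intended for. In the unchanged context, `sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt` should be `sudo mkdir -p /opt/letsencrypt && cd /opt/letsencrypt`, so that a failed `mkdir` (for example due to permissions) does not leave the following commands running in whatever directory the shell happened to be in.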
Line 40: | Line 42: | ||
== Create Java Keystore == | == Create Java Keystore == | ||
- | Now we have to create a java keystore (.jks) for use with WildFly: | + | Now we have to create a java keystore (.jks) for use with WildFly. Adapt the variables to match your use case, and note, that you should delete the lines containing passwords from your ''~/.bash_history'' (or equivalent): |
<code bash> | <code bash> | ||
- | YOURDOMAIN=a.ait.ac.at | + | YOURDOMAIN=example.com |
- | YOURKEYSTORENAME=b | + | YOURKEYSTORENAME=k |
- | KEYSTOREALIAS=c | + | KEYSTOREALIAS=a |
OPENSSL_PASS=p | OPENSSL_PASS=p | ||
WILDFLY_NEW_STORE_PASS=p | WILDFLY_NEW_STORE_PASS=p | ||
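Review bot: the added instruction to delete the password lines from `~/.bash_history` afterwards is easy to forget, does not cover other shells, and still leaves the values in the history file until the reader edits it. A more robust instruction is to read the secrets without echo, e.g. `read -rs OPENSSL_PASS` and `read -rs WILDFLY_NEW_STORE_PASS`, or to tell readers to prefix the assignment lines with a space so bash skips them when `HISTCONTROL` includes `ignorespace`. Separately, both password variables are set to the same one-character placeholder `p`; a clearly marked placeholder such as `CHANGE_ME` makes it less likely that the value is copied verbatim into a production keystore.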
Line 52: | Line 54: | ||
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS} | sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS} | ||
- | |||
sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS} | sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS} | ||
</code> | </code> | ||
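Review bot: the `keytool` line in the unchanged context references `${WILDLFY_NEW_KEY_PASS}` (note the transposed "LF") while every other variable on this page is spelled `WILDFLY_...`; if the definition (not shown in this hunk) uses the `WILDFLY` spelling, the unquoted expansion is empty and `-destkeypass` swallows the next argument, `-destkeystore`, so the command fails in a confusing way. Likewise `${NEW_KEYSTORE_FILE}` does not appear among the variables set in the previous hunk, where the name is `YOURKEYSTORENAME`; please align the names. Two further points on the same lines: passing secrets as `-passout pass:...`, `-srcstorepass`, `-deststorepass` and `-destkeypass` exposes them in the process list to every user on the host, and both tools offer alternatives (`-passout env:OPENSSL_PASS` for openssl, the `:env` or `:file` suffix such as `-srcstorepass:env OPENSSL_PASS` for keytool), keeping in mind that `sudo` resets the environment by default; and the intermediate `${YOURKEYSTORENAME}.p12`, which contains the private key, is created with default permissions under root, so add a `umask 077` before the openssl call (or `chmod 600` afterwards) and remove the file once the import has succeeded. Finally, `-deststoretype PKCS12` combined with a `.jks` file name is misleading; name the destination `.p12` or drop the store type.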
Line 89: | Line 90: | ||
</code> | </code> | ||
- | In case WildFly uses port 80/443 you have to shut it down now. | + | In case WildFly uses port 80/443 you have to shut it down now. Unfortunately you can not specify a different port for the validation, see ''%%certbot --help standalone%%'' (especially the option ''%%--tls-sni-01-port%%''), and https://github.com/certbot/certbot/issues/2697. |
Then renew the certificate (updates ''/etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem''): | Then renew the certificate (updates ''/etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem''): | ||
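Review bot: the added sentence reads as self-contradictory: it says a different port cannot be specified for the validation and in the same breath points the reader to an option named `--tls-sni-01-port`. State what that option does and why it does not remove the need to stop WildFly (presumably it only moves certbot's local listener while the validating side still connects on the standard port); otherwise readers will try the option and arrive at the same dead end. Quoting the one relevant sentence from the linked certbot issue would also make the paragraph stand on its own if the issue is closed or edited.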
Line 98: | Line 99: | ||
Then repeat the steps for creating a new java keystore. | Then repeat the steps for creating a new java keystore. | ||
- | |||
- | FIXME as of 2018-08 shutting down may not be necessary anymore, see ''certbot --help standalone'' and the option ''--tls-sni-01-port''. See also https://github.com/certbot/certbot/issues/2697 |
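Review bot: removing the FIXME resolves the open question in the opposite direction (shutting WildFly down is still required), which is fine, but the "as of 2018-08" date disappears with it; carry a "last checked" date into the paragraph that now holds the claim, since the linked certbot issue is the only thing keeping it current and readers need to know when it was last verified.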