Using Let's Encrypt with Apache and Apache Tomcat

Problem description

On the same machine, Apache is running on port 80 and Tomcat on port 8080.
Apache includes the html, css and js files and makes calls to the Tomcat services.
Basically exampledomain.com calls exampledomain.com:8080 to receive data.
Now I upgraded the protocol from http to https, using Let's Encrypt certbot to generate the certificate; this certificate will be renewed every 3 months by certbot. Apache is running fine on port 443, but Tomcat still uses port 8080. I can use the same certificate to run Tomcat on port 8443, but to do this the certificate needs to be converted to a Java Keystore.

My question is: if I convert the certificate, it will expire after 3 months, and I will need to convert the new certificate generated by certbot to a Java Keystore again?

Solution

Yes, you have to convert the certificate every time it expires.

Tomcat accepts .jks and .pfx certificates, and you can make it easy to auto-convert every time certbot generates a new certificate by writing a script and making it run with certbot's renewal hooks.

Script:

#!/bin/bash
# Adjust these variables as necessary
set -e

# Where you want the final PKCS12 file to be stored.
CERT_PATH="/opt/app/certificate.pfx"

# Password to encrypt the PKCS12 file (Tomcat's connector must be configured with the same one).
CERT_PW="ShoobyDooby"

# Path to the LE files; RENEWED_LINEAGE is provided by CertBot when it runs a deploy hook
PRIV_KEY_PEM="$RENEWED_LINEAGE/privkey.pem"
CERT_PEM="$RENEWED_LINEAGE/cert.pem"
CHAIN_PEM="$RENEWED_LINEAGE/chain.pem"

# The .pfx contains the private key, so create it readable by its owner only
umask 077

# If there's already a .pfx file, back it up
if [[ -f "$CERT_PATH" ]]; then
    now=$(date +%Y-%m-%d-%T)
    mv "$CERT_PATH" "$CERT_PATH.bak.$now"
fi

# Le Conversion
openssl pkcs12 -export -out "$CERT_PATH" -inkey "$PRIV_KEY_PEM" -in "$CERT_PEM" -certfile "$CHAIN_PEM" -password "pass:$CERT_PW"

Place this script in /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh
Don't forget to chmod! If the script isn't executable, it's ignored.

Automatic PKCS12 Conversion for Let's Encrypt Certificates
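The following deploy hook is an added example and not the answer's own script. It does the same PKCS12 conversion, but keeps the password off the command line (where `ps` would show it to other local users), verifies that the new keystore opens with that password before installing it, replaces the old file atomically, and checks that the leaf certificate inside the keystore is the one certbot just issued. The password file /etc/tomcat/keystore.pw, the `tomcat` system user and the `tomcat` systemd unit are assumptions for illustration; none of them come from the original page.

```shell
#!/bin/bash
# Added example, not the answer's own script: a certbot deploy hook that builds
# a PKCS12 keystore for Tomcat from the renewed lineage, checks that it opens
# with the password, and replaces the old file atomically.
# Assumptions (not from the original page): the keystore password lives in the
# root-only file /etc/tomcat/keystore.pw, the keystore is read by the "tomcat"
# system user, and Tomcat runs as the systemd unit "tomcat".
set -eu

# make_pkcs12 LINEAGE_DIR OUT_PFX PASSWORD
# Builds OUT_PFX from privkey.pem, cert.pem and chain.pem in LINEAGE_DIR.
make_pkcs12() {
    local lineage="$1" out="$2" pw="$3" tmp
    umask 077                                  # the .pfx holds the private key
    tmp="$(mktemp "$out.XXXXXX")"
    # The password goes through the environment (env:) rather than the command
    # line (pass:) so it does not show up in `ps` output for other local users.
    PFX_PW="$pw" openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -out "$tmp" \
        -passout env:PFX_PW
    # Prove the file can be opened with that password before installing it;
    # otherwise Tomcat would refuse to start on its next restart.
    PFX_PW="$pw" openssl pkcs12 -in "$tmp" -noout -passin env:PFX_PW
    if [ -f "$out" ]; then
        cp -p "$out" "$out.bak.$(date +%Y%m%d-%H%M%S)"
    fi
    mv -f "$tmp" "$out"                        # rename is atomic on one filesystem
}

# pem_fingerprint CERT_PEM: SHA-256 fingerprint of a PEM certificate.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# pkcs12_fingerprint PFX PASSWORD: SHA-256 fingerprint of the leaf certificate
# (the one carrying the private key, i.e. the -clcerts entry) inside a PKCS12 file.
pkcs12_fingerprint() {
    PFX_PW="$2" openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PW 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Entry point: certbot sets RENEWED_LINEAGE when it runs a deploy hook after a
# successful renewal. Without it (e.g. when sourced), only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    PFX=/opt/app/certificate.pfx
    PW="$(cat /etc/tomcat/keystore.pw)"        # assumed location of the password
    make_pkcs12 "$RENEWED_LINEAGE" "$PFX" "$PW"
    chown root:tomcat "$PFX"                   # Tomcat reads it, only root writes it
    chmod 0640 "$PFX"
    # Sanity check: what was installed is what certbot just issued.
    [ "$(pkcs12_fingerprint "$PFX" "$PW")" = "$(pem_fingerprint "$RENEWED_LINEAGE/cert.pem")" ] || exit 1
    systemctl restart tomcat                   # assumed unit name; Tomcat loads the keystore at start
fi
```

To try it by hand, run it with `RENEWED_LINEAGE=/etc/letsencrypt/live/exampledomain.com` set in the environment (that is the directory certbot passes to deploy hooks). Note that certbot renews a certificate while it still has about 30 days left, so the hook fires before expiry, not after it. On the Tomcat side, a Tomcat 8.5 or 9 connector reads the file with `<Certificate certificateKeystoreFile="/opt/app/certificate.pfx" certificateKeystoreType="PKCS12" certificateKeystorePassword="..." />` inside the connector's `<SSLHostConfig>`, and the password there must match the one used at export time; Tomcat only picks up the new keystore when it is restarted or its SSL host configs are reloaded.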
