How to install letsencrypt free ssl to glassfish 4.x server
I have scanned SO and found there are no detailed instructions on how to install a letsencrypt.org SSL certificate on GlassFish; specifically, in this tutorial I will be using GlassFish 4.1.2 build 1. After a lot of trial and error, I was able to put together the following guide, so I hope it is fine to ask and answer my own question.
In this tutorial I shall be using an Ubuntu 16.04 LTS Server with Shell access from my Ubuntu 16.04 LTS desktop.
Visit the certbot site and follow the instructions below to set up your system.
Install
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages.
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Get Started
Since there is no certbot installer plugin for GlassFish, you have to use the certonly command to obtain your certificate and install it into GlassFish yourself.
$ sudo certbot certonly
The terminal will output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
We select the first option (webroot): key in 1 and press enter. The http-01 challenge is fetched over plain HTTP on port 80, so the GlassFish docroot you enter below must be reachable at http://yoursite.com/ on port 80 (the default http-listener-1 listens on 8080; either change the listener's port or forward port 80 to 8080 before running certbot).
The terminal will output:
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
The terminal will output:
Select the webroot for yoursite.com:
1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
Select the webroot for www.yoursite.com:
1: Enter a new webroot
2: /home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
The terminal will output:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
expire on 2017-08-21. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. Note that renewal only refreshes the PEM files under /etc/letsencrypt/live; GlassFish keeps serving whatever was last imported into keystore.jks, so the import script below has to be run again after every renewal (for example as a certbot deploy hook), otherwise the site will present an expired certificate even though certbot renewed on time. You can test automatic renewal for your certificates by running this command:
certbot renew --dry-run
The following script automates importing the certificate into GlassFish. For further reading:
https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711
Now we import the certificates. Create the following script, save it as yourscriptname.sh, and run it with the command
$ sh yourscriptname.sh
#!/bin/sh
set -e
umask 077                     # the .p12 and .jks files below contain the private key
DOMAIN=yoursite.com
# note that changeit is the default keystore password (and the GlassFish master password)
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN
# work in a private temporary directory and remove it by absolute path on exit
WORK=$(mktemp -d)
trap 'sudo rm -rf "$WORK"' EXIT
cd "$WORK"
# leaf certificate + key under myalias, with the chain as a separate trusted entry
sudo openssl pkcs12 -export -in "$LIVE/cert.pem" -inkey "$LIVE/privkey.pem" -out cert_and_key.p12 -name myalias -CAfile "$LIVE/chain.pem" -caname root -password "pass:$KEYSTOREPW"
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcalias myalias -srcstorepass "$KEYSTOREPW" -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW"
# -importcert takes -storepass; it does not accept the -src*/-dest* options of -importkeystore
sudo keytool -importcert -noprompt -trustcacerts -alias root -file "$LIVE/chain.pem" -keystore keystore.jks -storepass "$KEYSTOREPW"
# key + full chain under the two aliases GlassFish uses: s1as is the default for the
# https listener and the secure admin listener, glassfish-instance for instance-to-DAS traffic
sudo openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" -out pkcs.p12 -name glassfish-instance -password "pass:$KEYSTOREPW"
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcalias glassfish-instance -srcstorepass "$KEYSTOREPW" -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW"
sudo openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" -out pkcs.p12 -name s1as -password "pass:$KEYSTOREPW"
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcalias s1as -srcstorepass "$KEYSTOREPW" -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW"
sudo keytool -list -keystore keystore.jks -storepass "$KEYSTOREPW"
sudo cp -f keystore.jks "$GFDOMAIN/config/"
sudo service glassfish stop
sudo service glassfish start
If you need to change the keystore password, use the keytool command. If it doesn't work you might have to cd to the directory where the keystore is located, glassfish-install-dir/glassfish/domains/domain1/config, and run the command there.
keytool -storepasswd -keystore /path/to/keystore
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
GlassFish opens keystore.jks and cacerts.jks with the domain's master password (also changeit by default) and expects each key entry's password to match it. So after changing the store password, also change the key password of each entry (keytool -keypasswd -alias s1as -keystore /path/to/keystore, and likewise for the other aliases), run asadmin change-master-password for the domain, and update KEYSTOREPW in the script; otherwise the domain will not start.
After successfully importing the certs and restarting the GlassFish server, SSL worked with the installed web application, but unfortunately I was not able to log into the GlassFish admin console from the browser, though the asadmin tool still worked.
Solving: unable to log in to the admin console after the above changes
We need to add a wget command to our script to download a recent revision of Mozilla's trusted CA bundle (curl's cacert.pem extract; pick the current revision from the same site rather than the 2017 file named below) and import it into a fresh cacerts.jks. The most likely reason the console stopped working is that the DAS no longer trusts the certificate it now serves under the s1as alias: the stock cacerts.jks contains only the original self-signed entries, not the Let's Encrypt chain, and the admin console talks to the DAS over the secured admin listener. Add the following to the yourname.sh script just above the command sudo service glassfish stop to fix the problem; it also backs up the stock keystore.jks and cacerts.jks before overwriting them.
# Fetch a recent Mozilla root bundle (curl's cacert.pem extract). Keep TLS verification
# on: this file becomes the server's set of trust anchors, and a download made with
# --no-check-certificate is exactly where an on-path attacker would insert a root of their own.
wget https://curl.haxx.se/ca/cacert-2017-01-18.pem -O cacert.pem
PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks
CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE")
# import the N-th certificate of the bundle under its own alias (cacert-0, cacert-1, ...)
for N in $(seq 0 $((CERTS - 1))); do
    ALIAS="${PEM_FILE%.*}-$N"
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" "$PEM_FILE" |
    keytool -noprompt -importcert -trustcacerts \
        -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$KEYSTOREPW"
done
keytool -list -keystore keystore.jks -storepass "$KEYSTOREPW"
keytool -list -keystore cacerts.jks -storepass "$KEYSTOREPW"
# keep a copy of the stock keystores the first time through
if [ ! -f "$GFDOMAIN/config/keystore-orig.jks" ]; then
    echo "Backing up original files..."
    sudo cp -f "$GFDOMAIN/config/keystore.jks" "$GFDOMAIN/config/keystore-orig.jks"
    sudo cp -f "$GFDOMAIN/config/cacerts.jks" "$GFDOMAIN/config/cacerts-orig.jks"
fi
echo "Updating certificates..."
sudo cp -f keystore.jks "$GFDOMAIN/config/keystore.jks"
sudo cp -f cacerts.jks "$GFDOMAIN/config/cacerts.jks"
I hope this helps someone. Cheers all!
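As an added example (not the original poster's script and not a GlassFish-supplied tool), here is the same import written as a certbot deploy hook, so the keystore and truststore are rebuilt automatically after every renewal instead of by hand. Everything outside the page is an assumption: the GlassFish domain path, a service named glassfish, the master/keystore password still being changeit, Ubuntu's system CA bundle at /etc/ssl/certs/ca-certificates.crt as the source of trust anchors (the ca-certificates package, updated by apt, rather than an ad-hoc download), and certbot's RENEWED_LINEAGE variable, which certbot exports to deploy hooks as the /etc/letsencrypt/live/<domain> directory of the lineage that was just renewed. It also replaces the per-certificate awk loop with a single-pass splitter that ignores the comment lines between certificates in the Mozilla bundle and copes with a chain.pem containing more than one intermediate (keytool -importcert reads only the first certificate in a file).

```shell
#!/bin/sh
# Added example, not the original poster's script: a certbot deploy hook that
# rebuilds GlassFish's keystore.jks and cacerts.jks after every renewal.
# Assumed (not from the page): the paths below, a service named "glassfish",
# master/keystore password "changeit", and RENEWED_LINEAGE, which certbot
# exports to deploy hooks as /etc/letsencrypt/live/<domain>.
set -eu
umask 077   # .p12/.jks files hold the private key; keep them owner-only

GFDOMAIN=${GFDOMAIN:-/home/yourUsername/glassfish4/glassfish/domains/domain1}
KEYSTOREPW=${KEYSTOREPW:-changeit}
# System trust anchors (ca-certificates package) instead of an unverified download
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# split_pem_bundle BUNDLE OUTDIR: one file per certificate in a single awk pass.
# Prints how many were written. Lines outside BEGIN/END blocks (the comment
# headers in the Mozilla/curl bundle) are skipped instead of being fed to keytool.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/ca-%04d.pem", dir, n); n++; inblock = 1 }
        inblock                        { print > out }
        /^-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# pem_alias FILE: keystore alias "<parent dir>-<basename>", e.g. roots-ca-0007,
# so entries split from different sources cannot collide.
pem_alias() {
    dir=${1%/*}; dir=${dir##*/}
    base=${1##*/}; base=${base%.*}
    printf '%s-%s\n' "$dir" "$base"
}

# build_keystore LIVEDIR OUT.jks: key + full chain -> PKCS12 -> JKS under alias
# s1as, the alias GlassFish's https and secure admin listeners use by default.
build_keystore() {
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name s1as -out "$WORK/s1as.p12" -password "pass:$KEYSTOREPW"
    keytool -importkeystore -noprompt -srckeystore "$WORK/s1as.p12" -srcstoretype PKCS12 \
        -srcstorepass "$KEYSTOREPW" -srcalias s1as -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW" -destalias s1as
}

# build_truststore BUNDLE CHAIN OUT.jks: trust the system roots plus this
# lineage's chain, so the DAS trusts the certificate it now serves itself.
# Each split file holds exactly one certificate: keytool -importcert reads only
# the first one in a file, which would silently drop later intermediates.
build_truststore() {
    split_pem_bundle "$1" "$WORK/roots" >/dev/null
    split_pem_bundle "$2" "$WORK/chain" >/dev/null
    for f in "$WORK"/roots/*.pem "$WORK"/chain/*.pem; do
        keytool -importcert -noprompt -keystore "$3" -storetype JKS \
            -storepass "$KEYSTOREPW" -alias "$(pem_alias "$f")" -file "$f"
    done
}

main() {
    live=${RENEWED_LINEAGE:?run via certbot --deploy-hook}
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT INT TERM   # clean up by absolute path, never "cd .. && rm -rf"
    build_keystore "$live" "$WORK/keystore.jks"
    build_truststore "$CA_BUNDLE" "$live/chain.pem" "$WORK/cacerts.jks"
    # sanity check before touching the domain: the s1as key entry must exist
    keytool -list -keystore "$WORK/keystore.jks" -storepass "$KEYSTOREPW" | grep -q '^s1as,'
    for ks in keystore.jks cacerts.jks; do
        cp -f "$GFDOMAIN/config/$ks" "$GFDOMAIN/config/$ks.bak"
        cp -f "$WORK/$ks" "$GFDOMAIN/config/$ks"   # overwriting keeps the domain owner's mode
    done
    service glassfish restart                      # assumed service name
}

# Only deploy when certbot calls us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every script there after a successful renewal) or register it once with certbot renew --deploy-hook /path/to/script; certbot then records the hook in the lineage's renewal configuration. Because it copies over the existing keystores rather than creating new ones, the files keep the ownership and mode the GlassFish user needs, while the .bak copies and the temporary directory are created owner-only under the hook's umask.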