Difference between revisions of "LetsEncrypt SSL"
old>Admin |
m (41 revisions imported) |
||
(34 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
THIS PAGE IS | THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE | ||
== | == Tomcat 7 automatic installation == | ||
Using the TS commandline tools, you specify the domain and your email | |||
tsinstallssl.sh server.acme.com sslresponsible@acme.com | |||
After a couple of minutes you will be rquired to enter the domain an email again, and accept the terms of service | |||
== Tomcat 7 manual installation == | |||
=== Install and configure letsencrypt === | |||
Download an build certbot (letsencrypt client) | |||
<s>sudo yum -y install python27-devel git</s> (deprecated) | |||
sudo yum install | sudo yum -y install python36 python36-pip | ||
sudo yum -y install git-all | |||
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt | |||
/opt/letsencrypt/letsencrypt-auto --debug --agree-tos | |||
Create a config file | |||
== | sudo touch /etc/letsencrypt/config.ini | ||
sudo chmod 777 /etc/letsencrypt/config.ini | |||
sudo echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini | |||
sudo echo "email = kpe@tempusserva.dk" >> /etc/letsencrypt/config.ini | |||
sudo | === Generate PKCS12 certificate === | ||
sudo | Generate a certificate | ||
sudo mkdir /usr/share/tomcat7/webapps/ROOT | |||
/opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos | |||
Convert to pkcs12 format | |||
sudo -s | |||
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk | |||
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret | |||
chmod 755 bundle.pfx | |||
chmod 755 /etc/letsencrypt/live | |||
Press: ctrl + d | |||
=== Install certificate in Tomcat === | |||
Edit Tomcat configuration | |||
sudo nano /usr/share/tomcat7/conf/server.xml | |||
<Connector | |||
protocol="org.apache.coyote.http11.Http11NioProtocol" | |||
port="8443" maxThreads="200" | |||
scheme="https" secure="true" SSLEnabled="true" | |||
keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx" keystorePass="TempusServaSecret" | |||
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" | |||
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/> | |||
Reboot the server | |||
service tomcat7 restart | |||
== Automated renewals == | |||
Before starting test that the renewal process works | |||
/opt/letsencrypt/letsencrypt-auto renew --dry-run | |||
Make sure the path is accessible from cron | |||
sudo chmod go+x /etc/letsencrypt/archive | |||
sudo chmod go+x /etc/letsencrypt/live | |||
Make a script file | |||
sudo nano /usr/bin/tsrefreshcerts.sh | |||
.... containing the following commands | |||
/opt/letsencrypt/letsencrypt-auto renew | |||
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk | |||
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret | |||
/usr/bin/tstomcatrestart.sh | |||
Now add a job to the crontab | |||
sudo crontab -l > tempcron | |||
echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron | |||
sudo crontab tempcron | |||
rm tempcron | |||
=== Problems with Amazon Linux ? === | |||
In case the autorenewal process fails try updating the dependencies and pip | |||
sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface | |||
sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip | |||
sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/ | |||
=== Still got problems with Amazon Linux ? === | |||
In case certbot cant find the root folder try and run it manually | |||
sudo /opt/letsencrypt/letsencrypt-auto certonly | |||
Choose the following values when prompted | |||
2: Place files in webroot directory (webroot) | |||
<domain> | |||
2: Renew & replace the cert (may be subject to CA rate limits) | |||
/usr/share/tomcat7/webapps/ROOT/ | |||
=== Need manual crontab install ? === | |||
Steps | |||
* sudo crontab -e | |||
* press INSERT | |||
* move to bottom of file | |||
* paste this | |||
0 0 1 * * /usr/bin/tsrefreshcerts.sh | |||
* press ESC | |||
* press :wq |
Latest revision as of 12:06, 10 December 2021
THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE
Tomcat 7 automatic installation
Using the TS commandline tools, you specify the domain and your email
tsinstallssl.sh server.acme.com sslresponsible@acme.com
After a couple of minutes you will be rquired to enter the domain an email again, and accept the terms of service
Tomcat 7 manual installation
Install and configure letsencrypt
Download an build certbot (letsencrypt client)
sudo yum -y install python27-devel git(deprecated)
sudo yum -y install python36 python36-pip sudo yum -y install git-all sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt /opt/letsencrypt/letsencrypt-auto --debug --agree-tos
Create a config file
sudo touch /etc/letsencrypt/config.ini sudo chmod 777 /etc/letsencrypt/config.ini sudo echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini sudo echo "email = kpe@tempusserva.dk" >> /etc/letsencrypt/config.ini
Generate PKCS12 certificate
Generate a certificate
sudo mkdir /usr/share/tomcat7/webapps/ROOT /opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos
Convert to pkcs12 format
sudo -s
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret chmod 755 bundle.pfx chmod 755 /etc/letsencrypt/live
Press: ctrl + d
Install certificate in Tomcat
Edit Tomcat configuration
sudo nano /usr/share/tomcat7/conf/server.xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx" keystorePass="TempusServaSecret" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
Reboot the server
service tomcat7 restart
Automated renewals
Before starting test that the renewal process works
/opt/letsencrypt/letsencrypt-auto renew --dry-run
Make sure the path is accessible from cron
sudo chmod go+x /etc/letsencrypt/archive sudo chmod go+x /etc/letsencrypt/live
Make a script file
sudo nano /usr/bin/tsrefreshcerts.sh
.... containing the following commands
/opt/letsencrypt/letsencrypt-auto renew cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret /usr/bin/tstomcatrestart.sh
Now add a job to the crontab
sudo crontab -l > tempcron echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron sudo crontab tempcron rm tempcron
Problems with Amazon Linux ?
In case the autorenewal process fails try updating the dependencies and pip
sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/
Still got problems with Amazon Linux ?
In case certbot cant find the root folder try and run it manually
sudo /opt/letsencrypt/letsencrypt-auto certonly
Choose the following values when prompted
2: Place files in webroot directory (webroot) <domain> 2: Renew & replace the cert (may be subject to CA rate limits) /usr/share/tomcat7/webapps/ROOT/
Need manual crontab install ?
Steps
- sudo crontab -e
- press INSERT
- move to bottom of file
- paste this
0 0 1 * * /usr/bin/tsrefreshcerts.sh
- press ESC
- press :wq