Difference between revisions of "LetsEncrypt SSL"

From TempusServa wiki
Jump to navigation Jump to search
old>Admin
m (41 revisions imported)
 
(26 intermediate revisions by one other user not shown)
Line 1: Line 1:


THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE
THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE
== Tomcat 7 automatic installation ==
Using the TS commandline tools, you specify the domain and your email
  tsinstallssl.sh server.acme.com sslresponsible@acme.com
After a couple of minutes you will be rquired to enter the domain an email again, and accept the terms of service
== Tomcat 7 manual installation ==


=== Install and configure letsencrypt ===
=== Install and configure letsencrypt ===
Download an build certbot (letsencrypt client)
Download an build certbot (letsencrypt client)


   sudo yum install python27-devel git
   <s>sudo yum -y install python27-devel git</s> (deprecated)
 
  sudo yum -y install python36 python36-pip
  sudo yum -y install git-all
   sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
   sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
   /opt/letsencrypt/letsencrypt-auto --debug
   /opt/letsencrypt/letsencrypt-auto --debug --agree-tos


Create a config file  
Create a config file  
Line 36: Line 48:
Edit Tomcat configuration
Edit Tomcat configuration


  sudo nano  /usr/share/tomcat7/conf/server.xml
sudo nano  /usr/share/tomcat7/conf/server.xml


           <Connector
           <Connector
Line 46: Line 58:
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>


Finally reboot the server
Reboot the server
 
service tomcat7 restart
 
== Automated renewals ==
 
Before starting test that the renewal process works
 
/opt/letsencrypt/letsencrypt-auto renew --dry-run
 
Make sure the path is accessible from cron
 
  sudo chmod go+x /etc/letsencrypt/archive
  sudo chmod go+x /etc/letsencrypt/live
 
Make a script file
 
sudo nano /usr/bin/tsrefreshcerts.sh
 
.... containing the following commands
 
/opt/letsencrypt/letsencrypt-auto renew
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
/usr/bin/tstomcatrestart.sh
 
Now add a job to the crontab
 
  sudo crontab -l > tempcron
  echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron
  sudo crontab tempcron
  rm tempcron 
 
=== Problems with Amazon Linux ? ===
In case the autorenewal process fails try updating the dependencies and pip
 
  sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface
  sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip
  sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/
 
 
 
=== Still got problems with Amazon Linux ? ===
In case certbot cant find the root folder try and run it manually
 
  sudo /opt/letsencrypt/letsencrypt-auto certonly
 
Choose the following values when prompted
 
  2: Place files in webroot directory (webroot)
  <domain> 
  2: Renew & replace the cert (may be subject to CA rate limits)
  /usr/share/tomcat7/webapps/ROOT/
 
 
=== Need manual crontab install ? ===
Steps
* sudo crontab -e
* press INSERT
* move to bottom of file
* paste this
 
  0 0 1 * * /usr/bin/tsrefreshcerts.sh


    service tomcat7 restart
* press ESC
* press :wq

Latest revision as of 12:06, 10 December 2021

THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE

Tomcat 7 automatic installation

Using the TS commandline tools, you specify the domain and your email

  tsinstallssl.sh server.acme.com sslresponsible@acme.com

After a couple of minutes you will be rquired to enter the domain an email again, and accept the terms of service

Tomcat 7 manual installation

Install and configure letsencrypt

Download an build certbot (letsencrypt client)

  sudo yum -y install python27-devel git (deprecated)
  sudo yum -y install python36 python36-pip
  sudo yum -y install git-all
  sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  /opt/letsencrypt/letsencrypt-auto --debug --agree-tos

Create a config file

  sudo touch /etc/letsencrypt/config.ini
  sudo chmod 777 /etc/letsencrypt/config.ini
  sudo echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
  sudo echo "email = kpe@tempusserva.dk" >> /etc/letsencrypt/config.ini

Generate PKCS12 certificate

Generate a certificate

  sudo mkdir /usr/share/tomcat7/webapps/ROOT
  /opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos 

Convert to pkcs12 format

  sudo -s
  cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
  openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
  chmod 755 bundle.pfx
  chmod 755 /etc/letsencrypt/live
  Press: ctrl + d

Install certificate in Tomcat

Edit Tomcat configuration

sudo nano  /usr/share/tomcat7/conf/server.xml
          <Connector
          protocol="org.apache.coyote.http11.Http11NioProtocol"
          port="8443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx" keystorePass="TempusServaSecret"
          ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
          clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

Reboot the server

service tomcat7 restart

Automated renewals

Before starting test that the renewal process works

/opt/letsencrypt/letsencrypt-auto renew --dry-run

Make sure the path is accessible from cron

 sudo chmod go+x /etc/letsencrypt/archive
 sudo chmod go+x /etc/letsencrypt/live

Make a script file

sudo nano /usr/bin/tsrefreshcerts.sh

.... containing the following commands

/opt/letsencrypt/letsencrypt-auto renew
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
/usr/bin/tstomcatrestart.sh

Now add a job to the crontab

 sudo crontab -l > tempcron
 echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron
 sudo crontab tempcron
 rm tempcron   

Problems with Amazon Linux ?

In case the autorenewal process fails try updating the dependencies and pip

 sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface 
 sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip
 sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/


Still got problems with Amazon Linux ?

In case certbot cant find the root folder try and run it manually

 sudo /opt/letsencrypt/letsencrypt-auto certonly

Choose the following values when prompted

 2: Place files in webroot directory (webroot)
 <domain>  
 2: Renew & replace the cert (may be subject to CA rate limits)
 /usr/share/tomcat7/webapps/ROOT/


Need manual crontab install ?

Steps

  • sudo crontab -e
  • press INSERT
  • move to bottom of file
  • paste this
  0 0 1 * * /usr/bin/tsrefreshcerts.sh
  • press ESC
  • press :wq