Difference between revisions of "LetsEncrypt SSL"
Jump to navigation
Jump to search
old>Admin |
old>Admin |
||
| Line 72: | Line 72: | ||
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk | cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk | ||
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret | openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret | ||
/usr/bin/tstomcatrestart.sh | |||
Now add a job to the crontab | Now add a job to the crontab | ||
Revision as of 10:54, 27 April 2020
THIS PAGE IS UNDER DEVELOPMENT AND IS NOT YET COMPLETE
Tomcat 7 installation
Install and configure letsencrypt
Download an build certbot (letsencrypt client)
sudo yum -y install python27-devel git sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt /opt/letsencrypt/letsencrypt-auto --debug
Create a config file
sudo touch /etc/letsencrypt/config.ini sudo chmod 777 /etc/letsencrypt/config.ini sudo echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini sudo echo "email = kpe@tempusserva.dk" >> /etc/letsencrypt/config.ini
Generate PKCS12 certificate
Generate a certificate
sudo mkdir /usr/share/tomcat7/webapps/ROOT /opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos
Convert to pkcs12 format
sudo -s
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret chmod 755 bundle.pfx chmod 755 /etc/letsencrypt/live
Press: ctrl + d
Install certificate in Tomcat
Edit Tomcat configuration
sudo nano /usr/share/tomcat7/conf/server.xml
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx" keystorePass="TempusServaSecret"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
Reboot the server
service tomcat7 restart
Automated renewals
Before starting test that the renewal process works
/opt/letsencrypt/letsencrypt-auto renew --dry-run
Make sure the path is accessible from cron
sudo chmod go+x /etc/letsencrypt/archive sudo chmod go+x /etc/letsencrypt/live
Make a script file
sudo nano /usr/bin/tsrefreshcerts.sh
.... containing the following commands
/opt/letsencrypt/letsencrypt-auto renew cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret /usr/bin/tstomcatrestart.sh
Now add a job to the crontab
sudo crontab -l > tempcron echo "0 0 1 * * /usr/bin/tsrefreshcerts.sh" >> tempcron sudo crontab tempcron rm tempcron
Problems with Amazon Linux ?
In case the autorenewal process fails try updating the dependencies and pip
sudo /opt/eff.org/certbot/venv/bin/pip2 install cryptography zope interface sudo /opt/eff.org/certbot/venv/bin/pip2 install --upgrade pip sudo rsync -avz /opt/eff.org/certbot/venv/lib64/python2.7/dist-packages/ /opt/eff.org/certbot/venv/lib/python2.7/dist-packages/