Hi Johan,

Thank you for the information.  A few things: I'm running Tomcat on a
Windows machine as a Windows server.  I'm not running as root, I was
talking about the ROOT directory under Tomcat's webapps directory.  So that
when letsencrypt logs into my domain/.well-known/acme-challenge, which is
where they are looking for the authentication token, they just retrieve the
authentication file.  I'll look at your approach using Windows.

Don

On Fri, Oct 27, 2017 at 10:37 AM, Johan Compagner <jcompag...@servoy.com>
wrote:

> On 27 October 2017 at 15:05, Don Flinn <fl...@alum.mit.edu> wrote:
>
> > Hi Andre,
> >
> > I have looked and it may be my ignorance but I didn't find any that
> seemed
> > to fit.  I'll look more closely at the available letsencrypt clients.
> >
> > With letsencrypt you first have to authenticate, i.e. show you own the
> > site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
> > token.  Then the Java program can get the letsencrypt certificate.  There
> > are two different addresses: Tomcat on AWS and the node, which is running
> > the Java program.
> >
> > I've set Tomcat to listen on port 80 and put the directory structure they
> > want in Tomcat ROOT.  The Java program, running on my node, gets the
> > letsencrypt authentication token and ftp's it to Tomcat
> > ROOT/.well-known/acme-challenge, which is the directory structure they
> > expect.  letsencrypt then authenticates the token, which is in Tomcat, by
> > retrieving it.  The program lets letsencrypt know when the ftp is done.  The
> > Java program then retrieves the certificate from letsencrypt, puts it in a
> > keystore, and ftp's the keystore to AWS in the directory in which I've set
> > Tomcat to look for the keystore.  It's all done from the one Java program,
> > which I can run from my node.  I have yet to incorporate programmatically
> > inserting the certificate into the keystore.  All the other steps are
> > working.  It needs testing and doing the update of the certificate, which
> > is pretty much the same steps as already programmed.
> >
> > Don
> >
>
>
>
> i just set this up a few days ago
>
> But all the current scripts out there are working for the most part
> Also running tomcat at root is not a good idea, you can just use iptables
> for that:
>
> sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
>
> so when tomcat is running on port 8080 and 8440, with iptables you route
> those ports also to 80/443
>
> so no need to change anything in tomcat
>
> besides that i just use certbot-auto
>
> wget https://dl.eff.org/certbot-auto
> sudo chmod a+x certbot-auto
>
> sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory \
>     certonly -d your.domain.com
>
>
> you have to have a ROOT webapp in tomcat for this and with certbot you just
> point to that tomcat/webapps/ROOT dir
>
> and the certificates are there.
>
>
> then the only thing left to do is to convert it and place it in the right
> folder (and i guess the first time you have to change also the owner/group
> because that file will be root:root)
>
>
> sudo openssl pkcs12 -export -out tomcat/conf/bundle.pfx \
>     -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
>     -in /etc/letsencrypt/live/your.domain.com/cert.pem \
>     -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
>     -password pass:apassword
>
>
> and you have your first certificate in a format tomcat/java understands
>
>
> then only a crontab under root:
>
>
> #!/bin/sh
> /home/ec2-user/certbot-auto renew
> openssl pkcs12 -export -out /tomcat/conf/bundle.pfx \
>     -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
>     -in /etc/letsencrypt/live/your.domain.com/cert.pem \
>     -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
>     -password pass:apassword
>
>
> and you are done
>
>
> The only thing that i need to investigate is to only call the openssl in
> the crontab when certbot did renew and then also restart tomcat (as
> long as tomcat doesn't auto pick it up)
>
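Johan's closing paragraph asks how to run the openssl conversion and the Tomcat restart only when certbot actually renewed. The script below is an added example written for this thread, not code posted by Johan or Don and not part of certbot or Tomcat. It assumes placeholder paths, service name and user/group (all marked in the script), a root-only password file instead of `-password pass:...` on the command line (which shows up in `ps` output and shell history), and a certbot version that supports `--deploy-hook` (certbot exports `RENEWED_LINEAGE` to the hook and runs it only after a successful renewal). Run from cron it calls `certbot renew` itself and then decides from file timestamps whether the bundle must be rebuilt.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds Tomcat's PKCS12 bundle and
# restarts Tomcat only when certbot has actually issued a new certificate.
# Works two ways:
#   1. as a certbot deploy hook:  certbot renew --deploy-hook /path/to/this.sh
#      (certbot exports RENEWED_LINEAGE and runs the hook only after a renewal)
#   2. from a plain root crontab:  /path/to/this.sh renew
# Every path, the service command and the user/group below are assumed placeholders.
set -e

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/your.domain.com}"  # assumed
PFX="${PFX:-/tomcat/conf/bundle.pfx}"                            # assumed
PASS_FILE="${PASS_FILE:-/etc/tomcat/bundle.pass}"                # assumed, root-only (0600)
CERTBOT="${CERTBOT:-/home/ec2-user/certbot-auto}"                # assumed
TOMCAT_USER="${TOMCAT_USER:-tomcat}"                             # assumed
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"                           # assumed
TOMCAT_RESTART="${TOMCAT_RESTART:-systemctl restart tomcat}"     # assumed

# Directory holding privkey.pem/cert.pem/chain.pem: certbot passes the renewed
# lineage to a deploy hook via RENEWED_LINEAGE; otherwise use the configured one.
lineage_dir() {
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        printf '%s\n' "$RENEWED_LINEAGE"
    else
        printf '%s\n' "$LIVE_DIR"
    fi
}

# True (exit 0) when the bundle is missing or older than the certificate file,
# i.e. when certbot wrote a new cert since the bundle was last built.
needs_rebuild() {
    cert="$1"; pfx="$2"
    if [ ! -f "$pfx" ]; then
        return 0
    fi
    [ "$cert" -nt "$pfx" ]
}

# Build the PKCS12 bundle into a temp file, fix ownership/permissions, then
# move it into place atomically so Tomcat never reads a half-written file.
build_pfx() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    tmp="$out.tmp.$$"
    # -passout file: reads the export password from a file instead of putting
    # it on the command line, where it would be visible in ps output and history.
    openssl pkcs12 -export -out "$tmp" -inkey "$key" -in "$cert" \
        -certfile "$chain" -passout "file:$PASS_FILE"
    chown "$TOMCAT_USER:$TOMCAT_GROUP" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"
}

main() {
    # From cron there is no hook context yet, so ask certbot to renew first.
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        "$CERTBOT" renew --quiet
    fi
    dir=$(lineage_dir)
    if needs_rebuild "$dir/cert.pem" "$PFX"; then
        build_pfx "$dir/privkey.pem" "$dir/cert.pem" "$dir/chain.pem" "$PFX"
        sh -c "$TOMCAT_RESTART"
        echo "new certificate installed in $PFX; Tomcat restarted"
    else
        echo "certificate unchanged; nothing to do"
    fi
}

# Only run the renewal when invoked with the "renew" argument (or as a deploy
# hook, where certbot sets RENEWED_LINEAGE); the functions stay sourceable.
if [ "${1:-}" = "renew" ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Installed as a deploy hook, the script never has to guess: certbot invokes it only for lineages it actually renewed. The timestamp check still matters for the cron form, where `certbot renew` exits 0 whether or not anything was renewed.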
