How to install a Let's Encrypt free SSL certificate on a GlassFish 4.x server

Question (votes: 3, answers: 1)

I have searched SO and found no detailed instructions on how to install a letsencrypt.org SSL certificate on glassfish; in this tutorial I will specifically be using glassfish 4.1.2 build 1. After a lot of trial and error I was able to put together the following guide, so I hope it is acceptable that I ask and answer my own question.

In this tutorial I will use an Ubuntu 16.04 LTS server, accessing the shell from my Ubuntu 16.04 LTS desktop.

ssl glassfish lets-encrypt glassfish-4.1
1 Answer

1 vote

Visit certbot and follow the instructions below to set up your system.

Installation

On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories, all you need to do is fetch the following packages.

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Getting started

Since your server architecture does not yet support automatic installation, you will have to use the certonly command to obtain a certificate.

$ sudo certbot certonly

The terminal will output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

We choose the first option by pressing 1, then Enter.

The terminal will output:

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com

The terminal will output:

Select the webroot for yoursite.com:


1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot

Select the webroot for www.yoursite.com:


1: Enter a new webroot
2: /home/yoursite/glassfish4/glassfish/domains/domain1/docroot


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

The terminal will output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
   expire on 2017-08-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

Automatic renewal

The Certbot package on your system comes with a cron job that automatically renews your certificates before they expire. Since Let's Encrypt certificates are valid for 90 days, it is best to take advantage of this feature. You can test automatic renewal of your certificates by running the following command:

certbot renew --dry-run

The following script can automate importing the certificate into glassfish.

Further reading

https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711

Now we import the certificate. Create the following script, save it as yourscriptname.sh to automate the process, and run it with this command:

$ sh yourscriptname.sh

#!/bin/sh
# Stop at the first failing command so a half-built keystore is never installed.
set -e

DOMAIN=yoursite.com
# note that changeit is the default keystore password
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN

# Work in a fresh temporary directory and remember its absolute path, so the
# cleanup at the end can only ever remove this directory.
WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# Leaf certificate and key as PKCS12, imported into a new keystore.jks together
# with the intermediate chain as a trusted entry.
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
# keytool -import takes -storepass; -srcstorepass/-deststorepass belong to
# -importkeystore and would leave this command prompting for a password.
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW

# Full chain and key under the two aliases GlassFish looks up:
# glassfish-instance (admin listener) and s1as (HTTPS listener).
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

# Show what ended up in the keystore before installing it.
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW

sudo cp -f keystore.jks $GFDOMAIN/config/

sudo service glassfish stop
sudo service glassfish start

# Leave the temporary directory and remove it by its absolute path.
cd /
sudo rm -rf "$WORKDIR"

If you need to change the keystore password

Use the keytool command. If it does not work, you may need to cd to the path where the keystore is located, the glassfish-install-dir/glassfish/domains/domain1/config directory, and run the command from there.

keytool -storepasswd -keystore /path/to/keystore
Enter keystore password:  changeit
New keystore password:  new-password
Re-enter new keystore password:  new-password

After successfully importing the certificate and restarting the glassfish server, SSL works with the deployed web applications, but unfortunately I could not log in to the glassfish admin console from the browser, although the asadmin tool still works.

Solving: unable to log in to the admin console after the above changes

We need to add a wget command to our script to download the latest dated revision of the CA file from the recent trusted CA revisions from Mozilla.

Add the following to the yourname.sh script above the sudo service glassfish stop command to solve the problem.

# Download the Mozilla CA bundle as published by curl. --no-check-certificate
# disables TLS verification of this download; drop it once the system trust
# store can verify curl.haxx.se.
wget https://curl.haxx.se/ca/cacert-2017-01-18.pem --no-check-certificate -O cacert.pem

PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks

# Number of certificates in the bundle (one END CERTIFICATE line each).
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE | wc -l)

# keytool only imports the first certificate in a file, so extract the N-th
# certificate of the bundle and import each one under its own alias.
for N in $(seq 0 $(($CERTS - 1))); do
    ALIAS="${PEM_FILE%.*}-$N"
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" $PEM_FILE |
    keytool -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW

# Keep a one-time backup of the original stores before overwriting them.
if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
    echo "Backing up original files..."
    sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
    sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi
echo "Updating certificates..."
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks

# Stay in the working directory here: the stop/start and cleanup lines of the
# script follow, and a stray "cd .." before them would make the final
# "rm -rf etc" run one directory too high.
echo "stop and restart glassfish domain to complete"

I hope this helps everyone, cheers!
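Added example, not part of the original answer: a certbot deploy hook that ties the two halves of the answer together, the keystore import script and the per-certificate CA bundle loop, so that the cron renewal described under "Automatic renewal" also refreshes GlassFish's keystore.jks and cacerts.jks instead of leaving the old keystore in place. It relies on certbot running every script in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set, and it generalises the answer's loop into a single-pass splitter that keeps only the BEGIN..END blocks of the bundle. The domain, GlassFish path, keystore password, bundle URL and "glassfish" service name at the top are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original answer): certbot deploy hook that rebuilds
# GlassFish's keystore.jks and cacerts.jks whenever the lineage for DOMAIN is
# renewed. Install as /etc/letsencrypt/renewal-hooks/deploy/glassfish.sh; certbot
# runs it as root with RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.
# Hypothetical settings, adjust for your server:
set -eu
DOMAIN=${DOMAIN:-yoursite.com}
GFDOMAIN=${GFDOMAIN:-/home/yourUsername/glassfish4/glassfish/domains/domain1}
KEYSTOREPW=${KEYSTOREPW:-changeit}
CA_BUNDLE_URL=${CA_BUNDLE_URL:-https://curl.haxx.se/ca/cacert.pem}

# certbot runs every deploy hook for every renewed lineage, so a host with
# several certificates must check that this one is the domain GlassFish serves.
# Usage: should_deploy /etc/letsencrypt/live/<name> <domain>   (exit 0 = deploy)
should_deploy() {
    [ "$(basename "$1")" = "$2" ]
}

# Split a PEM bundle into one file per certificate, keeping only the BEGIN..END
# blocks (the curl bundle has comment lines between them). keytool -importcert
# reads only the first certificate in a file, which is why the answer's loop and
# this one import them one at a time. Prints the number of files written.
# Usage: split_pem_bundle bundle.pem outdir   (outdir must exist)
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (dir "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/ { inside = 0; close(dir "/cert-" n ".pem") }
        END { print n + 0 }
    ' "$1"
}

# keystore.jks: full chain + key under the two aliases GlassFish looks up,
# s1as (HTTPS listener) and glassfish-instance (admin listener), as in the answer.
# Usage: build_keystore /etc/letsencrypt/live/<name> workdir
build_keystore() {
    for alias in s1as glassfish-instance; do
        openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
            -name "$alias" -out "$2/$alias.p12" -password "pass:$KEYSTOREPW"
        keytool -importkeystore -noprompt \
            -srckeystore "$2/$alias.p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTOREPW" \
            -srcalias "$alias" -destalias "$alias" \
            -destkeystore "$2/keystore.jks" -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW"
    done
}

# cacerts.jks: one trusted entry per certificate of a freshly downloaded bundle.
# TLS verification of the download stays on (no --no-check-certificate).
# Usage: build_truststore workdir
build_truststore() {
    wget -q "$CA_BUNDLE_URL" -O "$1/cacert.pem"
    mkdir -p "$1/split"
    count=$(split_pem_bundle "$1/cacert.pem" "$1/split")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -alias "cacert-$i" -file "$1/split/cert-$i.pem" \
            -keystore "$1/cacerts.jks" -storepass "$KEYSTOREPW"
        i=$((i + 1))
    done
}

# Keep a one-time backup of the original stores, then copy the new ones over the
# existing files (cp -f over an existing file keeps its owner and mode, so the
# GlassFish user can still read them) and restart the domain.
# Usage: install_stores workdir
install_stores() {
    for store in keystore cacerts; do
        [ -f "$GFDOMAIN/config/$store-orig.jks" ] ||
            cp -p "$GFDOMAIN/config/$store.jks" "$GFDOMAIN/config/$store-orig.jks"
        cp -f "$1/$store.jks" "$GFDOMAIN/config/$store.jks"
    done
    service glassfish stop
    service glassfish start
}

main() {
    if ! should_deploy "$RENEWED_LINEAGE" "$DOMAIN"; then
        echo "glassfish hook: $RENEWED_LINEAGE is not $DOMAIN, nothing to do" >&2
        return 0
    fi
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    build_keystore "$RENEWED_LINEAGE" "$work"
    build_truststore "$work"
    install_stores "$work"
}

# Only act when certbot invoked us; sourcing the file for tests leaves the server alone.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

After copying the file into the deploy-hooks directory and making it executable, `certbot renew --dry-run` from the "Automatic renewal" section exercises the renewal but, by certbot's design, does not run deploy hooks; the first real renewal does, and `keytool -list -keystore $GFDOMAIN/config/keystore.jks -storepass changeit` afterwards should show the s1as and glassfish-instance entries with the new validity dates.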
