Glassfish ssl installation with certbot

我的未来我决定 submitted on 2019-12-24 08:34:51

Question


I am new to Glassfish and SSL. I am using an Ubuntu 14.04 server and downloaded certbot. Since the Glassfish server is not supported by certbot automation, I installed certbot-auto standalone and got my new certificate files (cert1.pem chain1.pem fullchain1.pem privkey1.pem). I saw some tutorials online about installing SSL on Glassfish but nothing related to certbot .pem certificates. Is there a good tutorial or instructions about installing Glassfish SSL with the generated letsencrypt (.pem) certificates that I can follow?

Thanks in advance


Answer 1:


Concerning the certbot/Glassfish issue, the solution can be done as follows: replace all the [##] with the appropriate values, save the batch file, then run it.

#!/bin/sh
# Builds a new keystore.jks and cacerts.jks from the Let's Encrypt PEM files and
# installs them into the GlassFish domain. Run it as a user with sudo rights.
set -eu
# The PKCS#12 files created below contain the private key: keep the work dir private.
umask 077

#replace [##] with the correct value

#Alias of the certificate
NAME=[##]
#The current domain registered in letsencrypt
DOMAIN=[##]
#The keystore password, default is (changeit). It must equal the GlassFish
#master password, otherwise the domain cannot open the new keystores.
KEYSTOREPW=[##]
#Glassfish server location e.g. /home/glassfish/domains/domain1
GFDOMAIN=[##]
LIVE=/etc/letsencrypt/live/$DOMAIN

mkdir -p etc
cd etc

# ---- keystore.jks: the server's private key and certificate ---------------- #
# Leaf certificate + key (with chain.pem as the CA chain) -> PKCS#12 -> JKS.
# Note: "-password pass:..." shows the password in the process list while
# openssl runs; acceptable on a single-admin host, otherwise use -password env:VAR.
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name $NAME -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias $NAME -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
# keytool -import (importcert) takes -storepass; it does not accept the
# -srcstorepass/-deststorepass/-destkeypass options of -importkeystore.
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW

# The same key and full chain under the two aliases a default GlassFish domain
# already ships with (s1as is the certificate nickname the default HTTPS
# listener and secure admin use; glassfish-instance is the second key pair),
# so the listeners serve the new certificate without changing their nickname.
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

# ---- cacerts.jks: the trust store ------------------------------------------ #
# Same entries again. Only the trusted-certificate entries are strictly needed
# in a trust store; the private-key entries are kept to match the keystore layout.
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name $NAME -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias $NAME -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore cacerts.jks -storepass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW


# ====== Download latest list of cacert and import it into the cacerts.jks ========== #

# Fetch the bundle over verified TLS: a trust bundle downloaded with
# --no-check-certificate could be swapped by anyone on the network path.
wget https://curl.haxx.se/ca/cacert.pem -O cacert.pem

PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE | wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
# sudo is needed here too: cacerts.jks was created by the sudo keytool calls
# above and is therefore root-owned.
for N in $(seq 0 $(($CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  awk "n==$N { print }; /END CERTIFICATE/ { n++ }" $PEM_FILE |
    sudo keytool -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done

# ==================================================================================== #


sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW

if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
echo "Backing up original files..."
sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi

echo "Updating certificates..."
# If GlassFish runs as a dedicated user, make sure the installed files are
# still readable by that user; then restart the domain to serve the new certificate.
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks

cd ..

# Remove the work dir: it holds the private key in PKCS#12 form.
sudo rm -rf etc



Answer 2:


Here is a good tutorial on Let's Encrypt, Glassfish and AWS EC2.

To highlight the key points (in case the link is not valid anymore):

It follows the certbot documentation described on their website up to

certbot certonly --manual -d example.com

Then comes the important part w.r.t. glassfish

Installing the certificate on Glassfish

Glassfish has a file called keystore.jks, where you need to add the certificate and key which were previously created. The file should be located at:

<AS_HOME>/domains/domain1/config/keystore.jks

and the default password for it is 'changeit'

Adding the two files to the keystore is a 2-step process. Change directory to the Glassfish config directory:

cd <AS_HOME>/domains/domain1/config/

Create a keystore from the 2 files

Create a .pkcs12 file containing full chain and private key

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name letsencryptcrt

You will set a password for this file, which you will need to specify at the next step (STORE_PASS).

Convert PKCS12 to Keystore

keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore letsencrypt.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias letsencryptcrt

I would recommend setting all these passwords (PASSWORD_STORE, PASSWORD_KEYPASS and STORE_PASS) the same as the original keystore.jks's password since, at the next step, the passwords of the source and destination keystores have to be the same.

Import the created keystore into Glassfish’s keystore

keytool -importkeystore -srckeystore letsencrypt.jks -destkeystore keystore.jks

Of course, make sure the paths to all the referenced files are correct, taking into account the current directory, when you are running all these commands.

Configuring the Glassfish HTTPS listener

Now that everything is setup, all you need to do is log into the Glassfish Admin Console and set the appropriate HTTP Listener.

Glassfish has 3 HTTP listeners predefined, under

Configuration > server-config > HTTP Service > HTTP Listeners.

http-listener-2 is the one for HTTPS. The following 2 settings need to be done:

Set the port to 443 (HTTPS port)
In the SSL tab, set the Certificate NickName to letsencryptcrt and the Key Store to keystore.jks

Click “Save”, restart the Glassfish instance and you’re done. You should now be able to access any deployed application via https://example.com/...
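Both answers pack certbot's PEM files into a PKCS#12 file before keytool can read them (the first with cert.pem plus chain.pem as the CA file, the second with fullchain.pem), and the first answer's script splits a PEM bundle into single certificates with an awk loop. The following script is an added example, not code from either answer, from certbot or from GlassFish: it checks that the four files in a certbot live directory belong together (cert.pem holds exactly one certificate, fullchain.pem is cert.pem followed by chain.pem, privkey.pem is a PEM private key) before anything is imported, and it splits a bundle into one file per certificate. It uses only sh, awk, grep and cmp, so it checks file structure, not signatures. The live directory it builds for the demo is constructed with placeholder PEM bodies, not real certificates or keys, and the example.com path is an assumption.

```sh
#!/bin/sh
# Added example: pre-import checks for the PEM files certbot writes to
# /etc/letsencrypt/live/<domain>/, plus a PEM bundle splitter. Not part of
# the original answers, certbot or GlassFish. POSIX sh + awk + grep + cmp only:
# it checks the structure of the files, not the signatures in them.

# Number of certificates in a PEM file (prints 0 if there are none).
pem_cert_count() {
    grep -c 'END CERTIFICATE' "$1" || true
}

# Split a PEM bundle into <outdir>/<name>-0.pem, <name>-1.pem, ... in file
# order (for certbot's fullchain.pem: leaf first, then the intermediates).
# Prints the number of certificates written. Same job as the awk loop that
# feeds keytool one certificate at a time, but writing files instead.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    base=$(basename "$bundle" .pem)
    mkdir -p "$outdir"
    awk -v out="$outdir/$base" '
        BEGIN { n = 0; f = "" }
        /BEGIN CERTIFICATE/ { f = out "-" n ".pem" }
        f != "" { print > f }
        /END CERTIFICATE/ { close(f); f = ""; n++ }
        END { print n }
    ' "$bundle"
}

# Check that the four certbot files belong together. Prints the reason and
# returns 1 on the first failure; prints "ok ..." and returns 0 otherwise.
check_certbot_live() {
    live=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$live/$f" ] || { echo "missing $live/$f"; return 1; }
    done
    # cert.pem is the leaf only: that is what "-in cert.pem -CAfile chain.pem" relies on.
    [ "$(pem_cert_count "$live/cert.pem")" -eq 1 ] ||
        { echo "cert.pem must contain exactly one certificate"; return 1; }
    [ "$(pem_cert_count "$live/chain.pem")" -ge 1 ] ||
        { echo "chain.pem contains no certificate"; return 1; }
    # fullchain.pem is cert.pem followed by chain.pem: that is what
    # "-in fullchain.pem -inkey privkey.pem" relies on.
    cat "$live/cert.pem" "$live/chain.pem" | cmp -s - "$live/fullchain.pem" ||
        { echo "fullchain.pem is not cert.pem followed by chain.pem"; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$live/privkey.pem" ||
        { echo "privkey.pem is not a PEM private key"; return 1; }
    echo "ok: $(pem_cert_count "$live/fullchain.pem") certificates in fullchain.pem"
}

# One PEM block with the given label and a CONSTRUCTED placeholder body.
pem_block() {
    printf -- '-----BEGIN %s-----\n%s\n-----END %s-----\n' "$1" "$2" "$1"
}

# Write a CONSTRUCTED stand-in for a certbot live directory. The bodies are
# placeholders (base64 of "CONSTRUCTED ..."), not real certificates or keys,
# so nothing here can serve TLS; it only exercises the checks above.
make_constructed_live() {
    live=$1
    mkdir -p "$live"
    pem_block CERTIFICATE 'Q09OU1RSVUNURUQgTEVBRg==' > "$live/cert.pem"
    {
        pem_block CERTIFICATE 'Q09OU1RSVUNURUQgSU5URVJNRURJQVRF'
        pem_block CERTIFICATE 'Q09OU1RSVUNURUQgUk9PVA=='
    } > "$live/chain.pem"
    cat "$live/cert.pem" "$live/chain.pem" > "$live/fullchain.pem"
    pem_block 'PRIVATE KEY' 'Q09OU1RSVUNURUQgS0VZ' > "$live/privkey.pem"
    chmod 600 "$live/privkey.pem"
}

# Demo on a constructed directory standing in for /etc/letsencrypt/live/example.com
# (assumed path). With real files: check_certbot_live /etc/letsencrypt/live/example.com
demo=$(mktemp -d)
make_constructed_live "$demo"
check_certbot_live "$demo"
split_pem_bundle "$demo/fullchain.pem" "$demo/split"
rm -rf "$demo"
```

With real files, run the check as root (certbot makes the live directory root-only) before the PKCS#12 and keytool steps, and after restarting GlassFish confirm the served chain from the outside with openssl s_client -connect example.com:443 -servername example.com. Let's Encrypt certificates expire after 90 days and certbot renews them in place, so the PKCS#12/keytool import has to be repeated after every renewal (for instance from a certbot --deploy-hook); new PEM files alone do not change keystore.jks.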



Source: https://stackoverflow.com/questions/40069423/glassfish-ssl-installation-with-certbot
