如何将letsencrypt free ssl安装到glassfish 4.x服务器

Posted 2021-04-07

我已经扫描了SO，发现没有关于如何在glassfish上安装letsencrypt.org SSL证书的详细说明，特别是在本教程中我将使用glassfish 4.1.2 build 1.经过大量的反复试验，我能够把它放在一起以下指南。所以我希望可以提出并回答我自己的问题。

在本教程中，我将使用Ubuntu 16.04 LTS服务器，从我的Ubuntu 16.04 LTS桌面访问Shell。

答案

visit certbot and follow the instructions below to setup your system

安装

在Ubuntu系统上，Certbot团队维护PPA。将它添加到存储库列表后，您需要做的就是获取以下软件包。

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

入门

由于您的服务器体系结构尚不支持自动安装，因此您必须使用certonly命令来获取证书。

$ sudo certbot certonly

terminal will output

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

我们在1中选择第一个选项键，然后按Enter键

terminal will output

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com

terminal will output

Select the webroot for yoursite.com:


1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot

Select the webroot for www.yoursite.com:


1: Enter a new webroot
2: /home/yoursite/glassfish4/glassfish/domains/domain1/docroot


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

terminal will output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
   expire on 2017-08-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

自动续订

您系统上的Certbot软件包附带一个cron作业，可在证书过期之前自动续订。由于Let的加密证书可以使用90天，因此最好利用此功能。您可以通过运行以下命令来测试证书的自动续订：

certbot renew --dry-run

make the following script can automate importing certificate to glassfish

进一步阅读

https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711

现在我们导入证书。制作以下脚本并将其保存为yourscriptname.sh以自动执行该过程，然后使用该命令运行它

$ sh yourscriptname.sh

#!/bin/sh

DOMAIN=yoursite.com
#note that changeit is the default keystore password
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN

mkdir etc
cd etc

sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW

sudo cp -f keystore.jks $GFDOMAIN/config/

sudo service glassfish stop
sudo service glassfish start

cd ..
sudo rm -rf etc

if you need to change the keystore password

使用keytool命令。如果它不起作用，您可能需要将cd指向它位于glassfish-install-dir/glassfish/domains/domain1/config目录中的路径并在该目录中运行该命令。

keytool -storepasswd -keystore /path/to/keystore
Enter keystore password:  changeit
New keystore password:  new-password
Re-enter new keystore password:  new-password

在成功导入证书并重新启动glassfish服务器之后，SSL使用已安装的Web应用程序，但遗憾的是我无法从浏览器登录glassfish管理控制台，尽管asadmin tool仍然有效。

solving unable to login to admin console after above changes

我们需要在我们的脚本中添加wget命令，以便从recent trusted ca revisions from mozilla下载每个出现日期的最新CA文件修订版本

将以下内容添加到命令yourname.sh上方的sudo service glassfish stop脚本中以解决问题。

wget https://curl.haxx.se/ca/cacert-2017-01-18.pem --no-check-certificate -O cacert.pem

PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks

CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)

for N in $(seq 0 $(($CERTS -1))); do
    ALIAS="${PEM_FILE%.*}-$N"
    cat $PEM_FILE | awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    keytool -noprompt -import -trustcacerts 
            -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW

if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
echo "Backing up original files..."
sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi
echo "Updating certificates..."
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks

cd ..

echo stop and restart glassfish domain to complete

cd ..
sudo rm -rf etc

我希望这可以帮助所有人欢呼！