Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
458 views
in Technique [Technology] by (71.8m points)

ssl - Using Let's encrypt with Apache and Apache Tomcat

On the same machine, Apache is running on port 80 and Tomcat on port 8080.
Apache serves the html, css and js files and makes calls to the Tomcat services.
Basically, exampledomain.com calls exampledomain.com:8080 to receive data.
Now I upgraded the protocol from http to https using Let's Encrypt certbot to generate the certificate; this certificate will be updated every 3 months by certbot. Apache is running fine on port 443, but Tomcat still uses port 8080. I can use the same certificate to run Tomcat on port 8443, but to do this the certificate needs to be converted to a Java Keystore.

My question is: if I convert the certificate, it will expire after 3 months, so do I need to convert the new certificate generated by certbot to a Java Keystore again?

question from: https://stackoverflow.com/questions/65902583/using-lets-encrypt-with-apache-and-apache-tomcat


1 Answer

0 votes
by (71.8m points)

Yes, you have to convert the certificate every time it expires.

Tomcat accepts .jks and .pfx certificates, and you can make it easy to auto-convert every time certbot generates a new certificate by writing a script and making it run with certbot's renewal hooks.

Script:

#!/bin/bash
# Adjust these variables as necessary
set -euo pipefail

# certbot sets RENEWED_LINEAGE for deploy hooks (e.g. /etc/letsencrypt/live/exampledomain.com);
# abort with a clear message if the script is run outside of certbot.
: "${RENEWED_LINEAGE:?RENEWED_LINEAGE is not set; run this script as a certbot deploy hook}"

# Where you want the final PKCS12 file to be stored.
CERT_PATH="/opt/app/certificate.pfx"

# Password to encrypt the PKCS12 file. Exported so openssl can read it from the
# environment (-passout env:) instead of the command line, where it would be visible in `ps`.
export CERT_PW="ShoobyDooby"

# Path to the Let's Encrypt files inside the renewed lineage
PRIV_KEY_PEM="$RENEWED_LINEAGE/privkey.pem"
CERT_PEM="$RENEWED_LINEAGE/cert.pem"
CHAIN_PEM="$RENEWED_LINEAGE/chain.pem"

# If there's already a .pfx file, back it up
if [[ -f "$CERT_PATH" ]]; then
    now=$(date +%Y-%m-%d-%T)
    mv "$CERT_PATH" "$CERT_PATH.bak.$now"
fi

# The conversion: bundle private key, leaf certificate and chain into one PKCS12 file
openssl pkcs12 -export -out "$CERT_PATH" -inkey "$PRIV_KEY_PEM" \
    -in "$CERT_PEM" -certfile "$CHAIN_PEM" -passout env:CERT_PW

Place this script in /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh.
Don't forget to chmod it! If the script isn't executable, it's ignored.

Automatic PKCS12 Conversion for Let's Encrypt Certificates
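To make Tomcat actually serve HTTPS on 8443 from the file the hook produces, here is an added example (not part of the answer above) of the matching connector for conf/server.xml on Tomcat 8.5 or later; the keystore path and password are the ones the script uses, everything else is an assumed, minimal configuration. Tomcat reads the keystore only when the connector starts, so after each renewal the hook also has to restart Tomcat (or reload the SSLHostConfig), otherwise the expired certificate stays in use.

```xml
<!-- conf/server.xml: HTTPS connector reading the PKCS12 file written by auto_pfx.sh -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <!-- Only modern TLS versions; older ones are off by default in recent Tomcat anyway -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <!-- Same path and password as CERT_PATH / CERT_PW in the deploy hook -->
        <Certificate certificateKeystoreFile="/opt/app/certificate.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="ShoobyDooby"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The file must be readable by the user Tomcat runs as (the hook runs as root), and server.xml now holds the keystore password in clear text, so keep its permissions tight.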

