
I have scanned SO and found there are no detailed instructions on how to install a letsencrypt.org SSL certificate on GlassFish; specifically, in this tutorial I will be using GlassFish 4.1.2 build 1. After a lot of trial and error, I was able to put together the following guide. So I hope that it is fine to ask and answer my own question.

In this tutorial I shall be using an Ubuntu 16.04 LTS Server with Shell access from my Ubuntu 16.04 LTS desktop.

qualebs

2 Answers


Visit certbot and follow the instructions below to set up your system.

Install

On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages.

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Get Started

Since your server architecture doesn't yet support automatic installation you'll have to use the certonly command to obtain your certificate.

$ sudo certbot certonly

The terminal will output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

We select the 1st option: key in 1 and press enter.

The terminal will output:

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com

The terminal will output:

Select the webroot for yoursite.com:


1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot

Select the webroot for www.yoursite.com:


1: Enter a new webroot
2: /home/yoursite/glassfish4/glassfish/domains/domain1/docroot


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

The terminal will output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
   expire on 2017-08-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

certbot renew --dry-run

The following script automates importing the certificate into GlassFish.

For further reading:

https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711

Now we import the certificates. Create the following script and save it as yourscriptname.sh to automate the process, then run it with the command

$ sh yourscriptname.sh

#!/bin/sh

DOMAIN=yoursite.com
# note that changeit is the default keystore password
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN

# scratch directory created in the current directory (run this from your home
# directory, never from /). If mkdir fails because a directory named etc already
# exists, stop here instead of cd'ing into it and deleting it at the end.
mkdir etc || exit 1
cd etc || exit 1

# bundle the leaf certificate and private key, then import them into a fresh keystore
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
# keytool -import takes -storepass; the -srcstorepass/-deststorepass/-destkeypass options belong to -importkeystore only
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW

# the full chain plus key under the two aliases GlassFish looks for: glassfish-instance and s1as
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

# show what ended up in the keystore
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW

sudo cp -f keystore.jks $GFDOMAIN/config/

sudo service glassfish stop
sudo service glassfish start

# remove only the scratch directory created above
cd ..
sudo rm -rf etc

If you need to change the keystore password:

Use the keytool command. If it doesn't work you might have to cd to the directory where the keystore is located, glassfish-install-dir/glassfish/domains/domain1/config, and run the command there.

keytool -storepasswd -keystore /path/to/keystore
Enter keystore password:  changeit
New keystore password:  new-password
Re-enter new keystore password:  new-password

After successfully importing the certs and restarting the GlassFish server, SSL worked with the installed web application, but unfortunately I was not able to log into the GlassFish admin console from the browser, though the asadmin tool still worked.

Solving being unable to log in to the admin console after the above changes

We need to add a wget command to our script to download the most recent CA file revision, by date of appearance, from the recent trusted CA revisions from Mozilla.

Add the following to the yourname.sh script just above the command sudo service glassfish stop to fix the problem.

# download the current Mozilla CA bundle over a verified TLS connection
# (the original used --no-check-certificate, which would let anyone on the
# network path substitute the trust store that is about to be installed)
wget https://curl.haxx.se/ca/cacert-2017-01-18.pem -O cacert.pem

PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks

# number of certificates in the bundle
CERTS=$(grep -c 'END CERTIFICATE' $PEM_FILE)

# import each certificate under its own alias (cacert-0, cacert-1, ...);
# the awk program prints the Nth block and keytool reads it from stdin
for N in $(seq 0 $(($CERTS - 1))); do
    ALIAS="${PEM_FILE%.*}-$N"
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" $PEM_FILE |
    keytool -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW

# keep a copy of the stock keystores the first time through. Note that the main
# script has already copied the new keystore.jks into config by this point, so
# move this backup block above that earlier cp line if the original keystore
# must be preserved.
if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
echo "Backing up original files..."
sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi
echo "Updating certificates..."
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks

# no cd .. or rm -rf here: the main script's restart and cleanup lines follow
# this block, and an extra cd .. would make its final rm -rf etc run one
# directory too high
echo "stop and restart glassfish domain to complete"

I hope this helps someone cheers all!

Lorenzo Marcon
qualebs
  • After doing this, I constantly get "authentication failed" on the admin panel. I still am able to change the admin password using change-admin-password, so I am sure that the values are correct; I get the authentication failed via both localhost and external computers. – Wietlol Sep 21 '17 at 12:20
  • I am deploying a local network system I developed (with Spring MVC and JSP running on GlassFish 4.1) online so our satellite offices can use it too. I already deployed it through our static IP with port forwarding. Meaning, I don't have any domain and don't have access to a shell, only cmd. My server is running on Windows with GlassFish alone. I want the outside access to be safer. I have tried the provided https access but the warning of an unsecured line still appears. So, how can I do this or follow this on my set-up? I know it is possible, but I'm just dumbfounded. Please help me. – amrodelas Dec 28 '17 at 11:30
  • I followed this guide and my server broke for some unknown reason. I didn't do the last part for the console. In order to roll back I removed keystore.jks in domain1/config but still cannot reach the admin console. Any clue on how to totally go back to the previously working state? – Hamed Mar 13 '18 at 07:02
  • @Hamed try and clear the server logs located in `glassfish-home/glassfish/domains/your-domain/logs`, then try to access your admin console. Afterwards open the logs folder and give us the relevant logs to see how we can help. – qualebs Mar 15 '18 at 17:42
  • I deleted and replaced keystore.jks in $GFDOMAIN/config/ with my backup file. My server was recovered. – Hamed Mar 17 '18 at 05:16
  • The solution that worked for me is described here: https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711/18 – Hamed Mar 17 '18 at 05:17
  • Kindly note that two separate users have posted Answers on this post expressing that the line `sudo rm -rf etc` was destructive to their system. Is there any way you could modify this post to use a different directory name than one that's also used as a standard directory? – Scratte Dec 23 '20 at 13:19
  • @Wietlol you disable and enable secure admin using the commands `asadmin disable-secure-admin` and `asadmin enable-secure-admin`; restart the server after each command. You should be able to log in to the admin console. – qualebs Dec 25 '20 at 20:47
  • @Scratte the users are deleting the `etc` folder at the root directory, contrary to the intended directory in my answer. As you can see, we create a directory `etc` in our home directory, then `cd` into the newly created `etc` directory; afterwards we `cd ..` out and delete it now that we are done using it. I never intended for them to delete the system-wide configuration etc directory. – qualebs Dec 25 '20 at 20:56
  • I understand that, but trust me when I say that there are two deleted Answers on this post that express regret at having used your code. – Scratte Dec 25 '20 at 20:58

I have created a Perl script to assist in the installation of Let's Encrypt certificates in Glassfish and Payara. I have successfully used it to not only install a certificate for multiple domains in about five minutes, but to automatically renew - via a cron job - those certificates when they were about to expire.

What I've done is broken the process of obtaining a Let's Encrypt certificate into the following steps, not all of which will be necessary:

  1. Customize the script to the particular local installation
     1a. List of domains for which a certificate is to be created
     1b. Glassfish/Payara setup (where they're located in your filesystem)
     1c. Password for Glassfish/Payara
  2. Change Glassfish/Payara to listen on ports 80 and 443
  3. Generate the Let's Encrypt certification keys
  4. Ensure that the keystore password matches that of the server
  5. Create a keystore
  6. Import the created keystore into the Glassfish/Payara keystore
  7. Apply the new certificate to the https listener
  8. Update the domain SSL information
  9. Set (if necessary) the server admin password
  10. Set up the https domain

Additionally, the script can be invoked periodically (typically via 'cron') to check to see if any domains need to be renewed and if so, renew them automatically.

See: https://github.com/hbrednek/letsencrypt_glassfish for the script.

hbrednek