Changeset 32349

Timestamp: 21.08.2018 18:30:43 (11 months ago)
Author: ak19
Message:

Rough draft of working ant targets that automate obtaining (and revoking) a certificate from LetsEncrypt for https. The targets are still messy, but work. I will recommit tidier versions hereafter

Location: main/trunk/greenstone3
Files: 2 modified

  • main/trunk/greenstone3/build.xml

    r32346 r32349  
    148148    <!--  
    149149     Bail if https is enabled but the keystore password (keystore.pass property) is not set. 
    150      However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create buil.dprops from build.props.svn. But do bail if running ant.prepare and https enabled and password not set. 
     150     However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create build.props from build.props.svn. But do bail if running ant.prepare and https enabled and password not set. 
    151151     (Maybe put this entire section before the first target: so we only bail after all non-targets are executed so that any other first ever initialisation is completed?) 
    152152    --> 
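Review bot: the typo fix is right, but the comment still names the file build.props / build.props.svn while the targets added later in this changeset tell the user to edit build.properties (the https-conditions-set prompt and the fail message); if the file is build.properties, use that name here too so the comment can be found by search. The parenthesised question about moving the bail-out before the first target reads better as a TODO naming the target it should precede.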
     
    15771577  <target name="update-web" depends="init,svnupdate-web,configure-web" 
    15781578    description="update only the web stuff (config files)"/> 
     1579 
     1580  <!-- ============ Targets concerned with https certification ================ --> 
     1581  <target name="remove-cert-https"> 
     1582    <echo> 
     1583      NOTE: You need to have sudo permissions to execute this target. 
     1584      Enter the sudo password if prompted. 
     1585    </echo> 
     1586    <!-- sudo /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem --> 
     1587    <!--  sudo echo &quot;Y\n&quot; | /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem  
     1588     See http://ant.1045680.n5.nabble.com/Running-lt-exec-gt-task-with-an-quot-interactive-quot-executable-td1349146.html 
     1589     But shouldn't run certbot-auto by first sudoing. Run certbot-auto directly, it will ask to elevate to sudo permissions 
     1590    --> 
     1591    <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y"> 
     1592      <arg line="revoke --staging --cert-path /etc/letsencrypt/live/${tomcat.server}/cert.pem"/> 
     1593    </exec> 
     1594 
     1595    <!--<exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 
     1596      <arg line="delete ==cert-name ${tomcat.server}"/> 
     1597    </exec>--> 
     1598    <!-- and remove the https_cert folder --> 
     1599    <delete dir="${packages.home}/tomcat/conf/https_cert"/> 
     1600  </target> 
     1601 
     1602  <target name="setup-cert-https-info"> 
     1603    <echo> 
     1604      ********************************************************************* 
     1605               NOTE TO OBTAINING A TLS (SSL) CERTIFICATE FOR HTTPS 
     1606      ********************************************************************* 
     1607      A certificate is needed for your GS server to serve pages over https. 
     1608      This target will attempt to obtain a certificate for you from the official and free Certificate Authority Let's Encrypt. 
     1609      However, a certificate can only be obtained if you have sudo permissions on this machine that you're installing Greenstone on. 
     1610 
     1611      Note that: 
     1612      * if you already have a certificate, then you probably don't want to be running this target but the 'ant renew-cert-https' target instead, to renew your existing certificate. 
     1613      * if you run this target when you already have a generated certificate, the existing certificate will remain unchanged and the script will terminate with a message alerting you to this fact. 
     1614    </echo> 
     1615  </target> 
     1616 
     1617  <target name="https-conditions-set"> 
     1618    <input addproperty="https.conditions.ok" validargs="y,n">      
     1619      To run this target, ensure you have: 
     1620      * sudo permissions 
     1621      * nothing running on port 80 when you run this target 
     1622      * edited the build.properties file with 
     1623        - tomcat.server set to the/a domain name of your server 
     1624        - server.protocol set to "https" 
     1625        - tomcat.port.https set to a valid port number 
     1626        - keystore.pass set to a password for the certification process 
     1627    * read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/ 
     1628      If any of the above is not possible, quit this target. Continue [y/n]? 
     1629    </input> 
     1630 
     1631    <condition property="quit.https.setup">  
     1632      <equals arg1="n" arg2="${https.conditions.ok}"/> 
     1633    </condition> 
     1634 
     1635    <fail if="quit.https.setup">https certification step aborted by user. Please edit build.properties to set server.protocol=http and comment out tomcat.port.https.</fail> 
     1636  </target> 
     1637 
     1638  <target name="setup-cert-https" depends="setup-cert-https-info,https-conditions-set"> 
     1639    <input addproperty="https.cert.email">Enter an email that Let's Encrypt, the certification authority, can send any important notifications to</input> 
     1640    <input addproperty="https.other.domains">Besides tomcat.server=${tomcat.server}, you may enter a comma separated list of additional domains to support if any</input> 
     1641    <input addproperty="https.cert.agree" validargs="y,n">You've read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/ and agree</input> 
     1642    <if> 
     1643      <bool><equals arg1="y" arg2="${https.cert.agree}"/></bool> 
     1644 
     1645      <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 
     1646    <and> 
     1647      <isset property="https.other.domains" /> 
     1648      <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 
     1649    </and> 
     1650      </condition>       
     1651 
     1652      <input addproperty="https.do.cert" validargs="y,n"> 
     1653    You've agreed to the Let's Encrypt TOS with 
     1654    - email: ${https.cert.email} 
     1655    - domains: ${https.cert.domains} 
     1656    Looks okay? [y/n] 
     1657      </input> 
     1658    </if> 
     1659 
     1660    <if><bool><equals arg1="n" arg2="${https.do.cert}"/></bool> 
     1661      <echo>Not proceeding with https certification for the Greenstone 3 web server</echo> 
     1662    <else> 
     1663      <echo>Proceeding...</echo> 
     1664      <echo>### Phase 1: generating the certificate</echo> 
     1665      <!-- ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS  
     1666      need to accept (A) ToS and say Yes (Y) to sharing email --> 
     1667      <exec executable="/bin/bash" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 
     1668    <arg value="./certbot-auto"/> 
     1669    <arg value="certonly"/> 
     1670    <arg value="--staging"/> 
     1671    <arg value="--standalone"/> 
     1672    <arg value="--non-interactive"/> 
     1673    <arg value="--agree-tos"/> 
     1674    <arg value="--preferred-challenges"/><arg value="http"/> 
     1675    <arg value="--email"/><arg value="${https.cert.email}"/> 
     1676    <arg value="--domains"/><arg value="${https.cert.domains}"/> 
     1677      </exec> 
     1678 
     1679      <echo>### Phase 2: pem to pkcs12</echo> 
     1680      <!-- 
     1681      <echo> 
     1682    ******************** 
     1683    You will next be asked to enter the Export Password 3 times. Each time, 
     1684    type the value of your keystore.pass exactly as it is in build.properties. 
     1685    ******************** 
     1686      </echo>--> 
     1687 
     1688      <!-- sudo openssl pkcs12 -export -out /tmp/DOMAIN_fullchain_and_key.p12 \ 
     1689        -in /etc/letsencrypt/live/DOMAIN/fullchain.pem \ 
     1690        -inkey /etc/letsencrypt/live/DOMAIN/privkey.pem \ 
     1691        -name tomcat 
     1692        See https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/ 
     1693        but also https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082 
     1694        which bypasses the step to generate the java keystore jks file 
     1695        and uses openssl to generate a pfx file instead of a p12 file 
     1696      --> 
     1697 
     1698      <exec executable="sudo" dir="/tmp" failonerror="true"> 
     1699    <arg line="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl pkcs12 -export -out /tmp/${tomcat.server}_fullchain_and_key.p12 -in /etc/letsencrypt/live/${tomcat.server}/fullchain.pem -inkey /etc/letsencrypt/live/${tomcat.server}/privkey.pem -name tomcat -password pass:${keystore.pass}" /> 
     1700      </exec> 
     1701 
     1702      <!-- Finally, mkdir ${packages.home}/tomcat/conf/https_cert 
     1703       and copy the file /tmp/${tomcat.server}_fullchain_and_key.p12 into it 
     1704       and rename to a slightly shorter and simpler name.  
     1705       The file in tmp has root permissions. But copying it from tmp into 
     1706       the local account will give the copy local account permissions. 
     1707       Then sudo to remove the original copy in /tmp 
     1708      --> 
     1709      <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 
     1710      <!--<copy file="/tmp/${tomcat.server}_fullchain_and_key.p12" todir="${packages.home}/tomcat/conf/https_cert"/>--> 
     1711      <copy todir="${packages.home}/tomcat/conf/https_cert"> 
     1712    <fileset file="/tmp/${tomcat.server}_fullchain_and_key.p12"/> 
     1713    <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="fullchain_and_prvtkey.p12"/> 
     1714      </copy> 
     1715 
     1716      <exec executable="sudo" dir="/tmp" failonerror="true"> 
     1717    <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" /> 
     1718      </exec>       
     1719       
     1720    </else> 
     1721  </if> 
     1722 
     1723  </target> 
    15791724 
    15801725  <!-- ======================= Tomcat Targets ========================== --> 
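Review bot: declining the Subscriber Agreement does not stop the run. When https.cert.agree is "n" the inner <if> is skipped, so https.do.cert is never set; Ant then leaves `${https.do.cert}` unexpanded, the `<equals arg1="n" arg2="${https.do.cert}"/>` test is false, and the <else> branch runs certbot-auto certonly with --agree-tos and a literal `${https.cert.domains}` as the domain list. Set https.do.cert to "n" in an <else> of the first <if>, or make the second <if> also test https.cert.agree, before the certonly branch. Two further points in the same block: both certbot invocations hard-code --staging, which requests a certificate from the Let's Encrypt test CA that browsers will not trust, so it should become a property that defaults to off before this is used on a real server; and `-password pass:${keystore.pass}` puts the keystore password on the openssl command line, where any local user can read it from the process list and Ant may echo it in its log, so prefer `-passout stdin` with the password supplied through inputstring, or `-passout file:` pointing at a mode-0600 file that is removed afterwards.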
     
    16641809    <filter token="tomcat.port.http" value="${tomcat.port.http}"/> 
    16651810    <filter token="tomcat.port.https" value="${tomcat.port.https}"/> 
    1666     <filter token="keystore.file" value="${web.writablehome}/https_cert/${tomcat.server}.jks" /> 
     1811    <!--<filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.jks" />--> 
     1812    <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" /> 
     1813    <!-- tomcat Connector's keystoreType param defaults to JKS (Java keystore), see https://tomcat.apache.org/tomcat-7.0-doc/config/http.html 
     1814    We'll follow the instructions at https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082, 
     1815    https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ 
     1816    and https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/  
     1817    (minus the keytool step) and use the PKCS12 file generated by openssl directly, 
     1818    instead of an additional step to generate the java keystore file from that --> 
     1819    <filter token="keystore.type" value="PKCS12"/> 
    16671820    <filter token="keystore.pass" value="${keystore.pass}"/> 
    16681821    <filter token="http.comment.out.start" value="${http.comment.out.start}"/> 
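Review bot: the commented-out `<filter token="keystore.file" ... ${tomcat.server}.jks />` at 1811 is dead now that the path and format have moved to the PKCS12 file; drop it rather than keep it beside the live filter, and leave the removed web.writablehome variant to version history. The comment above keystore.type could also state that the filename fullchain_and_prvtkey.p12 must match the `to=` of the globmapper in setup-cert-https, since the two are maintained in separate places.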
  • main/trunk/greenstone3/resources/tomcat/server_tomcat7.xml.svn

    r32346 r32349  
    101101            keystoreFile="@keystore.file@" 
    102102            keystorePass="@keystore.pass@" 
    103             clientAuth="false" sslProtocol="TLS" /> 
     103            clientAuth="false" sslProtocol="TLS" 
     104        keystoreType="@keystore.type@" /> 
    104105    @https.comment.out.end@ 
    105106
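Review bot: the new keystoreType line is indented with a different prefix from the clientAuth/sslProtocol line above it; align it with the other attributes, or place it directly after keystorePass where a reader looks for the keystore settings. Tomcat falls back to its JKS default when keystoreType is absent (as the build.xml comment notes), so any other server template filtered with the same token set needs this attribute as well, or it will fail to open the PKCS12 file.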