- Timestamp: 2018-08-21T18:30:43+12:00 (6 years ago)
- Location: main/trunk/greenstone3
- Files: 2 edited
main/trunk/greenstone3/build.xml
r32346 r32349 148 148 <!-- 149 149 Bail if https is enabled but the keystore password (keystore.pass property) is not set. 150 However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create buil .dprops from build.props.svn. But do bail if running ant.prepare and https enabled and password not set.150 However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create build.props from build.props.svn. But do bail if running ant.prepare and https enabled and password not set. 151 151 (Maybe put this entire section before the first target: so we only bail after all non-targets are executed so that any other first ever initialisation is completed?) 152 152 --> … … 1577 1577 <target name="update-web" depends="init,svnupdate-web,configure-web" 1578 1578 description="update only the web stuff (config files)"/> 1579 1580 <!-- ============ Targets concerned with https certification ================ --> 1581 <target name="remove-cert-https"> 1582 <echo> 1583 NOTE: You need to have sudo permissions to execute this target. 1584 Enter the sudo password if prompted. 1585 </echo> 1586 <!-- sudo /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem --> 1587 <!-- sudo echo "Y\n" | /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem 1588 See http://ant.1045680.n5.nabble.com/Running-lt-exec-gt-task-with-an-quot-interactive-quot-executable-td1349146.html 1589 But shouldn't run certbot-auto by first sudoing. 
Run certbot-auto directly, it will ask to elevate to sudo permissions 1590 --> 1591 <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y"> 1592 <arg line="revoke --staging --cert-path /etc/letsencrypt/live/${tomcat.server}/cert.pem"/> 1593 </exec> 1594 1595 <!--<exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 1596 <arg line="delete ==cert-name ${tomcat.server}"/> 1597 </exec>--> 1598 <!-- and remove the https_cert folder --> 1599 <delete dir="${packages.home}/tomcat/conf/https_cert"/> 1600 </target> 1601 1602 <target name="setup-cert-https-info"> 1603 <echo> 1604 ********************************************************************* 1605 NOTE TO OBTAINING A TLS (SSL) CERTIFICATE FOR HTTPS 1606 ********************************************************************* 1607 A certificate is needed for your GS server to serve pages over https. 1608 This target will attempt to obtain a certificate for you from the official and free Certificate Authority Let's Encrypt. 1609 However, a certificate can only be obtained if you have sudo permissions on this machine that you're installing Greenstone on. 1610 1611 Note that: 1612 * if you already have a certificate, then you probably don't want to be running this target but the 'ant renew-cert-https' target instead, to renew your existing certificate. 1613 * if you run this target when you already have a generated certificate, the existing certificate will remain unchanged and the script will terminate with a message alerting you to this fact. 
1614 </echo> 1615 </target> 1616 1617 <target name="https-conditions-set"> 1618 <input addproperty="https.conditions.ok" validargs="y,n"> 1619 To run this target, ensure you have: 1620 * sudo permissions 1621 * nothing running on port 80 when you run this target 1622 * edited the build.properties file with 1623 - tomcat.server set to the/a domain name of your server 1624 - server.protocol set to "https" 1625 - tomcat.port.https set to a valid port number 1626 - keystore.pass set to a password for the certification process 1627 * read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/ 1628 If any of the above is not possible, quit this target. Continue [y/n]? 1629 </input> 1630 1631 <condition property="quit.https.setup"> 1632 <equals arg1="n" arg2="${https.conditions.ok}"/> 1633 </condition> 1634 1635 <fail if="quit.https.setup">https certification step aborted by user. Please edit build.properties to set server.protocol=http and comment out tomcat.port.https.</fail> 1636 </target> 1637 1638 <target name="setup-cert-https" depends="setup-cert-https-info,https-conditions-set"> 1639 <input addproperty="https.cert.email">Enter an email that Let's Encrypt, the certification authority, can send any important notifications to</input> 1640 <input addproperty="https.other.domains">Besides tomcat.server=${tomcat.server}, you may enter a comma separated list of additional domains to support if any</input> 1641 <input addproperty="https.cert.agree" validargs="y,n">You've read the Let's Encrypt Subscriber Agreement at https://letsencrypt.org/repository/ and agree</input> 1642 <if> 1643 <bool><equals arg1="y" arg2="${https.cert.agree}"/></bool> 1644 1645 <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 1646 <and> 1647 <isset property="https.other.domains" /> 1648 <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 1649 </and> 1650 </condition> 1651 1652 <input 
addproperty="https.do.cert" validargs="y,n"> 1653 You've agreed to the Let's Encrypt TOS with 1654 - email: ${https.cert.email} 1655 - domains: ${https.cert.domains} 1656 Looks okay? [y/n] 1657 </input> 1658 </if> 1659 1660 <if><bool><equals arg1="n" arg2="${https.do.cert}"/></bool> 1661 <echo>Not proceeding with https certification for the Greenstone 3 web server</echo> 1662 <else> 1663 <echo>Proceeding...</echo> 1664 <echo>### Phase 1: generating the certificate</echo> 1665 <!-- ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS 1666 need to accept (A) ToS and say Yes (Y) to sharing email --> 1667 <exec executable="/bin/bash" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 1668 <arg value="./certbot-auto"/> 1669 <arg value="certonly"/> 1670 <arg value="--staging"/> 1671 <arg value="--standalone"/> 1672 <arg value="--non-interactive"/> 1673 <arg value="--agree-tos"/> 1674 <arg value="--preferred-challenges"/><arg value="http"/> 1675 <arg value="--email"/><arg value="${https.cert.email}"/> 1676 <arg value="--domains"/><arg value="${https.cert.domains}"/> 1677 </exec> 1678 1679 <echo>### Phase 2: pem to pkcs12</echo> 1680 <!-- 1681 <echo> 1682 ******************** 1683 You will next be asked to enter the Export Password 3 times. Each time, 1684 type the value of your keystore.pass exactly as it is in build.properties. 
1685 ******************** 1686 </echo>--> 1687 1688 <!-- sudo openssl pkcs12 -export -out /tmp/DOMAIN_fullchain_and_key.p12 \ 1689 -in /etc/letsencrypt/live/DOMAIN/fullchain.pem \ 1690 -inkey /etc/letsencrypt/live/DOMAIN/privkey.pem \ 1691 -name tomcat 1692 See https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/ 1693 but also https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082 1694 which bypasses the step to generate the java keystore jks file 1695 and uses openssl to generate a pfx file instead of a p12 file 1696 --> 1697 1698 <exec executable="sudo" dir="/tmp" failonerror="true"> 1699 <arg line="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl pkcs12 -export -out /tmp/${tomcat.server}_fullchain_and_key.p12 -in /etc/letsencrypt/live/${tomcat.server}/fullchain.pem -inkey /etc/letsencrypt/live/${tomcat.server}/privkey.pem -name tomcat -password pass:${keystore.pass}" /> 1700 </exec> 1701 1702 <!-- Finally, mkdir ${packages.home}/tomcat/conf/https_cert 1703 and copy the file /tmp/${tomcat.server}_fullchain_and_key.p12 into it 1704 and rename to a slightly shorter and simpler name. 1705 The file in tmp has root permissions. But copying it from tmp into 1706 the local account will give the copy local account permissions. 
1707 Then sudo to remove the original copy in /tmp 1708 --> 1709 <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 1710 <!--<copy file="/tmp/${tomcat.server}_fullchain_and_key.p12" todir="${packages.home}/tomcat/conf/https_cert"/>--> 1711 <copy todir="${packages.home}/tomcat/conf/https_cert"> 1712 <fileset file="/tmp/${tomcat.server}_fullchain_and_key.p12"/> 1713 <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="fullchain_and_prvtkey.p12"/> 1714 </copy> 1715 1716 <exec executable="sudo" dir="/tmp" failonerror="true"> 1717 <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" /> 1718 </exec> 1719 1720 </else> 1721 </if> 1722 1723 </target> 1579 1724 1580 1725 <!-- ======================= Tomcat Targets ========================== --> … … 1664 1809 <filter token="tomcat.port.http" value="${tomcat.port.http}"/> 1665 1810 <filter token="tomcat.port.https" value="${tomcat.port.https}"/> 1666 <filter token="keystore.file" value="${web.writablehome}/https_cert/${tomcat.server}.jks" /> 1811 <!--<filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.jks" />--> 1812 <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" /> 1813 <!-- tomcat Connector's keystoreType param defaults to JKS (Java keystore), see https://tomcat.apache.org/tomcat-7.0-doc/config/http.html 1814 We'll follow the instructions at https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082, 1815 https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ 1816 and https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/ 1817 (minus the keytool step) and use the PKCS12 file generated by openssl directly, 1818 instead of an additional step to generate the java keystore file from that --> 1819 <filter token="keystore.type" value="PKCS12"/> 1667 1820 <filter token="keystore.pass" value="${keystore.pass}"/> 1668 1821 <filter token="http.comment.out.start" 
value="${http.comment.out.start}"/> -
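Review bot: in the setup-cert-https target (Phase 2), `-password pass:${keystore.pass}` puts the keystore password on the openssl command line, where any local user can read it from the process list for the duration of the export and where Ant's verbose output will echo it; `<arg line>` also splits the value on whitespace, so a password containing a space breaks the command. Feed it through stdin instead, e.g. `<exec executable="sudo" dir="/tmp" failonerror="true" inputstring="${keystore.pass}">` with `-passout stdin` replacing `-password pass:${keystore.pass}`. Two further points in the same target: `--staging` is hard-coded into both the `certonly` and the `revoke` invocations, so the certificate Tomcat ends up serving comes from Let's Encrypt's staging CA and is not trusted by browsers; gate it behind a property (or remove it) before this target is used for real issuance. And the exported .p12, which holds the private key protected only by keystore.pass, is written by root into the shared /tmp with the default umask and then copied into https_cert with the build user's umask, which on most systems leaves a world-readable file until the `rm -f`; write it straight into `${packages.home}/tomcat/conf/https_cert` (or a `mktemp -d` directory) and follow the copy with `<chmod file="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" perm="600"/>`. Note also that the `delete --cert-name` exec in remove-cert-https stays commented out, so after a revoke the lineage and its private key remain under /etc/letsencrypt/live.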
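Review bot: in the filter hunk (old 1666, new 1811-1819), replacing `${web.writablehome}/https_cert/${tomcat.server}.jks` with the fixed path `${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12` changes both the keystore location and its format, so an existing installation that already has a JKS keystore at the old path will silently stop finding it after this update; either keep the commented-out line out of the file and record the migration in the release notes or build.properties documentation, or make the path and `keystore.type` overridable properties so the old JKS setup still works. The `keystore.pass` token on line 1820 continues to land in server.xml in cleartext, which is unchanged by this commit but worth stating next to the new `keystore.type` comment since the PKCS12 file's private key is protected by nothing else.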
main/trunk/greenstone3/resources/tomcat/server_tomcat7.xml.svn
r32346 r32349 101 101 keystoreFile="@keystore.file@" 102 102 keystorePass="@keystore.pass@" 103 clientAuth="false" sslProtocol="TLS" /> 103 clientAuth="false" sslProtocol="TLS" 104 keystoreType="@keystore.type@" /> 104 105 @https.comment.out.end@ 105 106
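Review bot: the new `keystoreType="@keystore.type@"` attribute depends on the `keystore.type` filter token introduced in build.xml by this same changeset, and nothing in the file documents that coupling; a resources file processed by an older build.xml would leave the literal `@keystore.type@` in server.xml and the connector would fail to start. A one-line comment beside the attribute naming the token would make that clear. While this connector is being edited: `sslProtocol="TLS"` on a Tomcat 7 JSSE connector enables every protocol version the JVM offers, so consider adding `sslEnabledProtocols="TLSv1.2"` alongside the new attribute.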