Changeset 32350 for main/trunk

Timestamp:

2018-08-21T18:59:28+12:00 (6 years ago)

Author:

ak19

Message:

Some tidying up and using the recommended way to run ant exec tasks since we no longer need to echo values to the stdin of an exec task

File:

• main/trunk/greenstone3/build.xml (modified) (7 diffs)

main/trunk/greenstone3/build.xml

@@ -52 +52 @@
 
   -->
+  <property name="https.test.mode" value="false"/>
 
   <property name="os.linux" value="Linux"/> 
@@ -247 +248 @@
   </condition>
 
+  <condition property="https.testing" value="" else="--staging">
+    <isfalse property="https.test.mode"/>
+  </condition>
+
   <!-- now we've read in properties, apply defaults -->
   <property name="disable.collection.building" value="false"/>
@@ -1579 +1584 @@
 
   <!-- ============ Targets concerned with https certification ================ -->
+  <!-- Revoke the certificate and remove it, including folders.
+       See https://certbot.eff.org/docs/using.html#revoking-certificates
+       which also states "if a certificate is a test certificate obtained via the
+       ==staging or ==test-cert flag, that flag must be passed to the revoke subcommand."
+  -->
   <target name="remove-cert-https">
     <echo>
@@ -1584 +1594 @@
       Enter the sudo password if prompted.
     </echo>
-    <!-- sudo /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem -->
-    <!--  sudo echo &quot;Y\n&quot; | /path/to/GS3/bin/linux/certbot-auto revoke ==cert-path /etc/letsencrypt/live/DOMAIN/cert.pem 
-     See http://ant.1045680.n5.nabble.com/Running-lt-exec-gt-task-with-an-quot-interactive-quot-executable-td1349146.html
-     But shouldn't run certbot-auto by first sudoing. Run certbot-auto directly, it will ask to elevate to sudo permissions
+    <!--
+    It says at https://github.com/certbot/certbot/issues/1741
+    "you shouldn't run letsencrypt-auto [now called certbot-auto] as superuser,
+    because the program will invoke sudo when it needs to automatically."   
+    We need to send Y(es) as inputstring to confirm that the
+    /etc/letsencrypt/live/${tomcat.server} folder can be deleted
     -->
     <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y">
-      <arg line="revoke --staging --cert-path /etc/letsencrypt/live/${tomcat.server}/cert.pem"/>
-    </exec>
-
-    <!--<exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
-      <arg line="delete ==cert-name ${tomcat.server}"/>
-    </exec>-->
-    <!-- and remove the https_cert folder -->
+     <arg value="revoke"/>
+     <arg value="${https.testing}"/>
+     <arg value="--cert-path"/><arg value="/etc/letsencrypt/live/${tomcat.server}/cert.pem"/>
+    </exec>
+    <!-- The above command already deletes the folder when Y(es) was passed in. Explicitly deleting:
+    <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
+    <arg value="delete"/>
+    <arg value="==cert-name"/><arg value="${tomcat.server}"/>
+    </exec>
+    -->
+    <!-- And remove the https_cert folder -->
     <delete dir="${packages.home}/tomcat/conf/https_cert"/>
   </target>
@@ -1662 +1678 @@
     <else>
       <echo>Proceeding...</echo>
-      <echo>### Phase 1: generating the certificate</echo>
-      <!-- ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS 
-      need to accept (A) ToS and say Yes (Y) to sharing email -->
+      <!-- Running as
+       ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS 
+       expects input from stdin to accept (A) ToS and say Yes (Y) to sharing email.
+       We can run in non-interactive mode as the user has at this stage already agreed
+       to LetsEncrypt's Terms of Service and provided an email address.
+      -->
       <exec executable="/bin/bash" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
     <arg value="./certbot-auto"/>
     <arg value="certonly"/>
-    <arg value="--staging"/>
+    <arg value="${https.testing}"/>
     <arg value="--standalone"/>
     <arg value="--non-interactive"/>
@@ -1677 +1696 @@
       </exec>
 
-      <echo>### Phase 2: pem to pkcs12</echo>
-      <!--
-      <echo>
-    ********************
-    You will next be asked to enter the Export Password 3 times. Each time,
-    type the value of your keystore.pass exactly as it is in build.properties.
-    ********************
-      </echo>-->
-
       <!-- sudo openssl pkcs12 -export -out /tmp/DOMAIN_fullchain_and_key.p12 \
         -in /etc/letsencrypt/live/DOMAIN/fullchain.pem \
         -inkey /etc/letsencrypt/live/DOMAIN/privkey.pem \
         -name tomcat
+        Must run as sudo because only admin has access to the pem files that admin
+        generated in /etc/letsencrypt
         See https://computingforgeeks.com/tomcat-7-with-letsencrypt-ssl-certificate/
         but also https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082
@@ -1697 +1709 @@
 
       <exec executable="sudo" dir="/tmp" failonerror="true">
-    <arg line="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl pkcs12 -export -out /tmp/${tomcat.server}_fullchain_and_key.p12 -in /etc/letsencrypt/live/${tomcat.server}/fullchain.pem -inkey /etc/letsencrypt/live/${tomcat.server}/privkey.pem -name tomcat -password pass:${keystore.pass}" />
+    <arg value="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl"/>
+    <arg value="pkcs12"/>
+    <arg value="-export"/>
+    <arg value="-out"/><arg value="/tmp/${tomcat.server}_fullchain_and_key.p12"/>
+    <arg value="-in"/><arg value="/etc/letsencrypt/live/${tomcat.server}/fullchain.pem"/>
+    <arg value="-inkey"/><arg value="/etc/letsencrypt/live/${tomcat.server}/privkey.pem"/>
+    <arg value="-name"/><arg value="tomcat"/>
+    <arg value="-password"/><arg value="pass:${keystore.pass}"/>
       </exec>