Changeset 32412

Timestamp:
31.08.2018 19:26:21 (11 months ago)
Author:
ak19
Message:

HTTPS certification automation for Windows using ZeroSSL. 1. Committing ZeroSSL win32 and win64 binaries with their PerlFoundation's Artistic License 2.0 licence. 2. build.xml has a windows target to automate the process and now branches to the right target depending on OS. No support yet for Mac; will investigate in future whether there are other ACME clients like certbot for Mac. 3. When testing the final change (the keystore.file name varies depending on OS), I unfortunately used up the rate limits for this week's certification. Otherwise I had tested the target obtaining the https certificate on Windows several times. 4. Still need to add in optional test certification (when the min-min-live parameter is dropped, it obtains a test certificate).

Location:
main/trunk/greenstone3
Files:
3 added
1 modified

  • main/trunk/greenstone3/build.xml

    r32384 r32412  
    194194    </if> 
    195195 
     196    <!-- Set the keystore file name for linux versus windows. Ultimately unused/inactive if HTTPS is not enabled and no certificate obtained. We don't have https certification on mac --> 
     197    <condition property="keystore.file" value="fullchain_and_prvtkey.pfx" else="fullchain_and_prvtkey.p12"> 
     198        <istrue value="${current.os.iswindows}"/> 
     199    </condition>     
     200     
    196201    <!--  
    197202     1. Using the macrodef task from ant 1.6+ (https://ant.apache.org/manual/Tasks/macrodef.html) 
     
    11131118    description="Startup the Tomcat server." > 
    11141119    <echo>${app.name} (${app.version}) server running using Apache Tomcat and Java</echo>  
    1115     <echo>Tomcat: ${catalina.home}</echo>  
     1120    <echo>Tomcat: ${catalina.home}</echo> 
    11161121    <echo>Java  : ${java.home}</echo> 
    11171122    <if><bool><available file="${build.src.home}"/></bool> 
     
    16811686    <input addproperty="https.conditions.ok" validargs="y,n">      
    16821687      To run this target, ensure you have: 
    1683       * sudo permissions 
     1688      * On Linux: sudo permissions 
     1689      * On Windows: sufficient privileges to run the included tomcat on port 80 
    16841690      * nothing running on port 80 when you run this target 
    16851691      * edited the build.properties file with 
     
    17251731    <else> 
    17261732      <echo>Proceeding...</echo> 
     1733     </else> 
     1734  </if> 
     1735   
     1736    <if><bool><istrue value="${current.os.iswindows}"/></bool> 
     1737        <antcall target="setup-https-cert-windows"/> 
     1738    </if> 
     1739    <if><bool><istrue value="${current.os.isunixnotmac}"/></bool> 
     1740        <antcall target="setup-https-cert-linux"/> 
     1741    </if> 
     1742  </target> 
     1743   
     1744  <target name="setup-https-cert-windows"> 
     1745    <echo>********** The included tomcat will be stopped, then restarted on port 80 and stopped again</echo> 
     1746     
     1747    <!-- create folder packages\tomcat\webapps\ROOT\.well-known\acme-challenge --> 
     1748    <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/> 
     1749    <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 
     1750   
     1751    <!-- stop the included tomcat (also stopping derby and solr) --> 
     1752    <antcall target="stop" /> 
     1753     
     1754    <!-- rerun tomcat on port 80 
     1755        See https://ant.apache.org/manual/Tasks/antcall.html --> 
     1756    <antcall target="start"> 
     1757        <param name="tomcat.port.http" value="80"/> 
     1758        <param name="internal.tomcat.port" value="80"/> 
     1759        <param name="http.comment.out.start" value=""/> 
     1760        <param name="http.comment.out.end" value=""/> 
     1761        <param name="https.comment.out.start" value="${comment.start}"/> 
     1762        <param name="https.comment.out.end" value="${comment.end}"/> 
     1763    </antcall> 
     1764  
     1765    <!-- get the certificate: use zerossl for windows 
     1766        Download from https://github.com/do-know/Crypt-LE/releases, 
     1767        For licence see https://github.com/do-know/Crypt-LE/ 
     1768        Usage instructions at https://zerossl.com/usage.html         
     1769         
     1770        le64 ==key "${packages.home}\tomcat\conf\https_cert\privkey.key" ==csr "${packages.home}\tomcat\conf\https_cert\${tomcat.server}.csr" ==csr-key "${packages.home}s\tomcat\conf\https_cert\${tomcat.server}.key" ==crt "${packages.home}\tomcat\conf\https_cert\${tomcat.server}.crt" ==domains "${https.cert.domains}" ==path "${packages.home}\tomcat\webapps\ROOT\.well-known\acme-challenge" ==generate-missing ==unlink ==live -export-pfx "${keystore.pass}" 
     1771         
     1772        which generates a .pfx file with the same name as the PEM certificate (.crt) 
     1773        .pfx vs .p12: https://stackoverflow.com/questions/6819079/convert-pfx-format-to-p12 
     1774         
     1775        In this case "fullchain_and_prvtkey.pfx" is generated, which is the windows value of ${keystore.file} property 
     1776        --> 
     1777    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false"> 
     1778      <arg value="/c" /> 
     1779      <arg value="le64" /> 
     1780      <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /> 
     1781      <arg value="--csr" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.csr" /> 
     1782      <arg value="--csr-key" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" /> 
     1783      <!--<arg value="==crt" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.crt" />-->     
     1784      <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt" /> 
     1785      <arg value="--domains" /><arg value="${https.cert.domains}" /> 
     1786      <arg value="--path" /><arg value="${packages.home}\tomcat\webapps\ROOT\.well-known\acme-challenge" /> 
     1787      <arg value="--generate-missing" /> 
     1788      <arg value="--unlink" /> 
     1789      <arg line="--live" /><!-- https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value --> 
     1790      <arg value="--export-pfx" /><arg value="${keystore.pass}" /> 
     1791    </exec>   
     1792 
     1793    <echo>KEYSTORE FILE: ${keystore.file}</echo> 
     1794     
     1795    <!-- stop the tomcat running on port 80 --> 
     1796    <antcall target="stop"> 
     1797        <param name="tomcat.port.http" value="80"/> 
     1798        <param name="internal.tomcat.port" value="80"/> 
     1799        <param name="http.comment.out.start" value=""/> 
     1800        <param name="http.comment.out.end" value=""/> 
     1801        <param name="https.comment.out.start" value="${comment.start}"/> 
     1802        <param name="https.comment.out.end" value="${comment.end}"/> 
     1803    </antcall> 
     1804     
     1805     
     1806  </target> 
     1807   
     1808  <target name="setup-https-cert-linux"> 
    17271809      <!-- Running as 
    17281810       ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS  
     
    17771859      <copy todir="${packages.home}/tomcat/conf/https_cert"> 
    17781860    <fileset file="/tmp/${tomcat.server}_fullchain_and_key.p12"/> 
    1779     <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="fullchain_and_prvtkey.p12"/> 
     1861    <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="${keystore.file}"/> 
    17801862      </copy> 
    17811863 
    17821864      <exec executable="sudo" dir="/tmp" failonerror="true"> 
    1783     <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" /> 
    1784       </exec>       
     1865        <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" /> 
     1866      </exec> 
    17851867       
    1786     </else> 
    1787   </if> 
    1788  
    17891868  </target> 
    17901869 
     
    18761955    <filter token="tomcat.port.https" value="${tomcat.port.https}"/> 
    18771956    <!--<filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.jks" />--> 
    1878     <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" /> 
     1957    <!--ON UNIX: <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" />--> 
     1958    <!--ON WINDOWS: <filter token="keystore.file" value="conf/https_cert/fullchain_and_prvtkey.pfx" />--> 
     1959    <filter token="keystore.file" value="conf/https_cert/${keystore.file}" /> 
    18791960    <!-- tomcat Connector's keystoreType param defaults to JKS (Java keystore), see https://tomcat.apache.org/tomcat-7.0-doc/config/http.html 
    18801961    We'll follow the instructions at https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082,