Changeset 32412 for main/trunk/greenstone3

Timestamp:

2018-08-31T19:26:21+12:00 (6 years ago)

Author:

ak19

Message:

HTTPS certification automation for Windows using ZeroSSL. 1. Comitting ZeroSSL win32 and win64 binaries with their PerlFoundation's Artistic License 2.0 licence. 2. build.xml has a windows target to automate the process and now branches to the right target depending on OS. No support yet for Mac will investigate whether there are other ACME clients like certbot for Mac in future. 3. When testing the final change (keystore.file name varies depending on OS), I unfortunately had used up the rate limits for this week's certification. Otherwise I had tested the target obtaining the https certificate on Windows several times. 4. Still need to add in optional test certification (the min-min-live parameter when dropped makes it obtain a test certificate.)

Location:

main/trunk/greenstone3

Files:

• bin/windows/le32.exe (added)
• bin/windows/le64.exe (added)
• bin/windows/zeroSSL_CryptLE_LICENSE.txt (added)
• build.xml (modified) (6 diffs)

main/trunk/greenstone3/build.xml

@@ -194 +194 @@
     </if>
 
+    <!-- Set the keystore file name for linux versus windows. Ultimately unused/inactive if HTTPS is not enabled and no certificate obtained. We don't have https certification on mac -->
+    <condition property="keystore.file" value="fullchain_and_prvtkey.pfx" else="fullchain_and_prvtkey.p12">
+        <istrue value="${current.os.iswindows}"/>
+    </condition>    
+    
     <!-- 
      1. Using the macrodef task from ant 1.6+ (https://ant.apache.org/manual/Tasks/macrodef.html)
@@ -1113 +1118 @@
     description="Startup the Tomcat server." >
     <echo>${app.name} (${app.version}) server running using Apache Tomcat and Java</echo> 
-    <echo>Tomcat: ${catalina.home}</echo> 
+    <echo>Tomcat: ${catalina.home}</echo>
     <echo>Java  : ${java.home}</echo>
     <if><bool><available file="${build.src.home}"/></bool>
@@ -1681 +1686 @@
     <input addproperty="https.conditions.ok" validargs="y,n">     
       To run this target, ensure you have:
-      * sudo permissions
+      * On Linux: sudo permissions
+      * On Windows: sufficient privileges to run the included tomcat on port 80
       * nothing running on port 80 when you run this target
       * edited the build.properties file with
@@ -1725 +1731 @@
     <else>
       <echo>Proceeding...</echo>
+     </else>
+  </if>
+  
+    <if><bool><istrue value="${current.os.iswindows}"/></bool>
+        <antcall target="setup-https-cert-windows"/>
+    </if>
+    <if><bool><istrue value="${current.os.isunixnotmac}"/></bool>
+        <antcall target="setup-https-cert-linux"/>
+    </if>
+  </target>
+  
+  <target name="setup-https-cert-windows">
+    <echo>********** The included tomcat will be stopped, then restarted on port 80 and stopped again</echo>
+    
+    <!-- create folder packages\tomcat\webapps\ROOT\.well-known\acme-challenge -->
+    <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/>
+    <mkdir dir="${packages.home}/tomcat/conf/https_cert"/>
+  
+    <!-- stop the included tomcat (also stopping derby and solr) -->
+    <antcall target="stop" />
+    
+    <!-- rerun tomcat on port 80
+        See https://ant.apache.org/manual/Tasks/antcall.html -->
+    <antcall target="start">
+        <param name="tomcat.port.http" value="80"/>
+        <param name="internal.tomcat.port" value="80"/>
+        <param name="http.comment.out.start" value=""/>
+        <param name="http.comment.out.end" value=""/>
+        <param name="https.comment.out.start" value="${comment.start}"/>
+        <param name="https.comment.out.end" value="${comment.end}"/>
+    </antcall>
+ 
+    <!-- get the certificate: use zerossl for windows
+        Download from https://github.com/do-know/Crypt-LE/releases,
+        For licence see https://github.com/do-know/Crypt-LE/
+        Usage instructions at https://zerossl.com/usage.html        
+        
+        le64 ==key "${packages.home}\tomcat\conf\https_cert\privkey.key" ==csr "${packages.home}\tomcat\conf\https_cert\${tomcat.server}.csr" ==csr-key "${packages.home}s\tomcat\conf\https_cert\${tomcat.server}.key" ==crt "${packages.home}\tomcat\conf\https_cert\${tomcat.server}.crt" ==domains "${https.cert.domains}" ==path "${packages.home}\tomcat\webapps\ROOT\.well-known\acme-challenge" ==generate-missing ==unlink ==live -export-pfx "${keystore.pass}"
+        
+        which generates a .pfx file with the same name as the PEM certificate (.crt)
+        .pfx vs .p12: https://stackoverflow.com/questions/6819079/convert-pfx-format-to-p12
+        
+        In this case "fullchain_and_prvtkey.pfx" is generated, which is the windows value of ${keystore.file} property
+        -->
+    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false">
+      <arg value="/c" />
+      <arg value="le64" />
+      <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" />
+      <arg value="--csr" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.csr" />
+      <arg value="--csr-key" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" />
+      <!--<arg value="==crt" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.crt" />-->    
+      <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt" />
+      <arg value="--domains" /><arg value="${https.cert.domains}" />
+      <arg value="--path" /><arg value="${packages.home}\tomcat\webapps\ROOT\.well-known\acme-challenge" />
+      <arg value="--generate-missing" />
+      <arg value="--unlink" />
+      <arg line="--live" /><!-- https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value -->
+      <arg value="--export-pfx" /><arg value="${keystore.pass}" />
+    </exec>  
+
+    <echo>KEYSTORE FILE: ${keystore.file}</echo>
+    
+    <!-- stop the tomcat running on port 80 -->
+    <antcall target="stop">
+        <param name="tomcat.port.http" value="80"/>
+        <param name="internal.tomcat.port" value="80"/>
+        <param name="http.comment.out.start" value=""/>
+        <param name="http.comment.out.end" value=""/>
+        <param name="https.comment.out.start" value="${comment.start}"/>
+        <param name="https.comment.out.end" value="${comment.end}"/>
+    </antcall>
+    
+    
+  </target>
+  
+  <target name="setup-https-cert-linux">
       <!-- Running as
        ./certbot-auto certonly ==standalone ==preferred-challenges http ==email EMAIL -d DOMAINS 
@@ -1777 +1859 @@
       <copy todir="${packages.home}/tomcat/conf/https_cert">
     <fileset file="/tmp/${tomcat.server}_fullchain_and_key.p12"/>
-    <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="fullchain_and_prvtkey.p12"/>
+    <globmapper from="${tomcat.server}_fullchain_and_key.p12" to="${keystore.file}"/>
       </copy>
 
       <exec executable="sudo" dir="/tmp" failonerror="true">
-    <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" />
-      </exec>      
+        <arg line="rm -f /tmp/${tomcat.server}_fullchain_and_key.p12" />
+      </exec>
       
-    </else>
-  </if>
-
   </target>
 
@@ -1876 +1955 @@
     <filter token="tomcat.port.https" value="${tomcat.port.https}"/>
     <!--<filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.jks" />-->
-    <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" />
+    <!--ON UNIX: <filter token="keystore.file" value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.p12" />-->
+    <!--ON WINDOWS: <filter token="keystore.file" value="conf/https_cert/fullchain_and_prvtkey.pfx" />-->
+    <filter token="keystore.file" value="conf/https_cert/${keystore.file}" />
     <!-- tomcat Connector's keystoreType param defaults to JKS (Java keystore), see https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
     We'll follow the instructions at https://community.letsencrypt.org/t/using-lets-encrypt-with-tomcat/41082,