Changeset 32424

Timestamp:
03.09.2018 18:34:55 (12 months ago)
Author:
ak19
Message:

Cosmetic. Now that the https cert automation targets are all more or less in place for both linux and windows, I've shifted about these targets for better code legibility

Files:
1 modified

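--- a/main/trunk/greenstone3/build.xml
+++ b/main/trunk/greenstone3/build.xml
@@ -1631,87 +1631,4 @@
 
  <!-- ============ Targets concerned with https certification ================ -->
- <!-- Renewing existing https certificate
-      https://certbot.eff.org/docs/using.html#renewing-certificates
-      ./path/to/GS3/bin/linux/certbot-auto renew ==quiet ==no-self-upgrade
- -->
- <target name="renew-existing-https-cert">
-   <echo>
-     NOTE: To run this target,
-     * ensure nothing is running on port 80.
-     * if you're on Linux, you need to have sudo permissions. Enter the sudo password if prompted.
-
-     If you want your cronjob to renew a certificate, you can add pre and post hooks
-     refer to https://certbot.eff.org/docs/using.html#renewing-certificates
-     For more information run:
-        ./path/to/GS3/bin/linux/certbot-auto --help renew
-   </echo>
-   <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
-    <arg value="renew"/>
-    <arg value="--quiet"/>
-    <arg value="--no-self-upgrade"/>
-   </exec>
-
-   <!-- For rewewal on Windows, need to re-run the original (issuance) command and append "min-min-renew XX" to it,
-       where if it's within XX days of expiry, the certificate will get renewed.
-       See https://zerossl.com/usage.html#Certificate_renewal -->
-   <if><bool><istrue value="${current.os.iswindows}"/></bool>
-
-       <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input>
-       <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}">
-           <and>
-             <isset property="https.other.domains" />
-             <not><matches string="${https.other.domains}" pattern="^\s*$"/></not>
-           </and>
-       </condition>
-       <antcall target="setup-https-cert-windows">
-           <param name="https.cert.renewal" value="--renew 10"/>
-       </antcall>
-   </if>
- </target>
-
- <!-- Revoke the certificate and remove it, including folders.
-      See https://certbot.eff.org/docs/using.html#revoking-certificates
-      which also states "if a certificate is a test certificate obtained via the
-      ==staging or ==test-cert flag, that flag must be passed to the revoke subcommand."
- -->
- <target name="remove-https-cert" depends="check-os-for-https-cert-support">
-   <echo>
-     NOTE: If you're on Linux, you need to have sudo permissions to execute this target.
-     Enter the sudo password if prompted.
-   </echo>
-   <!--
-   On linux, we use certbot-auto.
-   It says at https://github.com/certbot/certbot/issues/1741
-   "you shouldn't run letsencrypt-auto [now called certbot-auto] as superuser,
-   because the program will invoke sudo when it needs to automatically."
-   We need to send Y(es) as inputstring to confirm that the
-   /etc/letsencrypt/live/${tomcat.server} folder can be deleted.
-   Note osfamily="unix" is separate from osfamily="mac", which comes out handy here as we haven't set up certbot-auto for mac (yet).
-   -->
-   <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y">
-    <arg value="revoke"/>
-    <arg line="${https.testing}"/>
-    <arg value="--cert-path"/><arg value="/etc/letsencrypt/live/${tomcat.server}/cert.pem"/>
-   </exec>
-   <!-- The above command already deletes the folder when Y(es) was passed in. Explicitly deleting:
-   <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
-   <arg value="delete"/>
-   <arg value="==cert-name"/><arg value="${tomcat.server}"/>
-   </exec>
-   -->
-
-   <!-- On Windows, we use zeroSSl. For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation -->
-   <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false">
-     <arg value="/c" />
-     <arg value="le${os.bitness}" />
-     <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" />
-     <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt"/>
-     <arg value="--revoke"/>
-     <arg line="${https.testing}"/>
-   </exec>
-
-   <!-- And remove the https_cert folder -->
-   <delete dir="${packages.home}/tomcat/conf/https_cert"/>
- </target>
 
  <target name="check-os-for-https-cert-support">
@@ -1723,4 +1640,5 @@
    </if>
  </target>
+
 
  <target name="setup-https-cert-info">
@@ -1738,4 +1656,5 @@
    </echo>
  </target>
+
 
  <target name="https-conditions-set">
@@ -1760,4 +1679,5 @@
    <fail if="quit.https.setup">https certification step aborted by user. Please edit build.properties to set server.protocol=http and comment out tomcat.port.https.</fail>
  </target>
+
 
  <target name="setup-https-cert" depends="check-os-for-https-cert-support,setup-https-cert-info,https-conditions-set">
@@ -1799,4 +1719,5 @@
 
  </target>
+
 
  <target name="setup-https-cert-windows">
@@ -1863,4 +1784,5 @@
  </target>
 
+
  <target name="setup-https-cert-linux">
      <!-- Running as
@@ -1923,4 +1845,93 @@
      </exec>
 
+ </target>
+
+
+ <!-- Revoke the certificate and remove it, including folders.
+      See https://certbot.eff.org/docs/using.html#revoking-certificates
+      which also states "if a certificate is a test certificate obtained via the
+      ==staging or ==test-cert flag, that flag must be passed to the revoke subcommand."
+ -->
+ <target name="remove-https-cert" depends="check-os-for-https-cert-support">
+   <echo>
+     NOTE: If you're on Linux, you need to have sudo permissions to execute this target.
+     Enter the sudo password if prompted.
+   </echo>
+   <!--
+   On linux, we use certbot-auto.
+   It says at https://github.com/certbot/certbot/issues/1741
+   "you shouldn't run letsencrypt-auto [now called certbot-auto] as superuser,
+   because the program will invoke sudo when it needs to automatically."
+   We need to send Y(es) as inputstring to confirm that the
+   /etc/letsencrypt/live/${tomcat.server} folder can be deleted.
+   Note osfamily="unix" is separate from osfamily="mac", which comes out handy here as we haven't set up certbot-auto for mac (yet).
+   -->
+   <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y">
+    <arg value="revoke"/>
+    <arg line="${https.testing}"/>
+    <arg value="--cert-path"/><arg value="/etc/letsencrypt/live/${tomcat.server}/cert.pem"/>
+   </exec>
+   <!-- The above command already deletes the folder when Y(es) was passed in. Explicitly deleting:
+   <exec executable="./certbot-auto" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
+   <arg value="delete"/>
+   <arg value="==cert-name"/><arg value="${tomcat.server}"/>
+   </exec>
+   -->
+
+   <!-- On Windows, we use zeroSSl. For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation -->
+   <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false">
+     <arg value="/c" />
+     <arg value="le${os.bitness}" />
+     <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" />
+     <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt"/>
+     <arg value="--revoke"/>
+     <arg line="${https.testing}"/>
+   </exec>
+
+   <!-- And remove the https_cert folder -->
+   <delete dir="${packages.home}/tomcat/conf/https_cert"/>
+ </target>
+
+
+   <!-- Renewing existing https certificate
+      Linux:
+      https://certbot.eff.org/docs/using.html#renewing-certificates
+      ./path/to/GS3/bin/linux/certbot-auto renew ==quiet ==no-self-upgrade
+      Windows: reuse Windows issuance target
+      see https://zerossl.com/usage.html#Certificate_renewal
+   -->
+ <target name="renew-existing-https-cert">
+   <echo>
+     NOTE: To run this target,
+     * ensure nothing is running on port 80.
+     * if you're on Linux, you need to have sudo permissions. Enter the sudo password if prompted.
+
+     If you want your cronjob to renew a certificate, you can add pre and post hooks
+     refer to https://certbot.eff.org/docs/using.html#renewing-certificates
+     For more information run:
+        ./path/to/GS3/bin/linux/certbot-auto --help renew
+   </echo>
+   <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">
+    <arg value="renew"/>
+    <arg value="--quiet"/>
+    <arg value="--no-self-upgrade"/>
+   </exec>
+
+   <!-- For rewewal on Windows, need to re-run the original (issuance) command and append "min-min-renew XX" to it,
+       where if it's within XX days of expiry, the certificate will get renewed.
+       See https://zerossl.com/usage.html#Certificate_renewal -->
+   <if><bool><istrue value="${current.os.iswindows}"/></bool>
+
+       <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input>
+       <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}">
+           <and>
+             <isset property="https.other.domains" />
+             <not><matches string="${https.other.domains}" pattern="^\s*$"/></not>
+           </and>
+       </condition>
+       <antcall target="setup-https-cert-windows">
+           <param name="https.cert.renewal" value="--renew 10"/>
+       </antcall>
+   </if>
  </target>
 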
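Review bot: In the relocated `remove-https-cert` target, the Windows `<exec executable="cmd" ...>` that runs `le${os.bitness} --revoke` has no `failonerror`, whereas the Linux certbot-auto revoke sets `failonerror="true"`. The `<delete dir="${packages.home}/tomcat/conf/https_cert"/>` that follows therefore still runs when the Windows revocation fails, removing the key and certificate files the revoke arguments point at while the certificate may remain valid and unrevoked. Since the target is being moved anyway, I would add `failonerror="true"` to the Windows exec so the folder is only deleted after a successful revoke. Separately, `renew-existing-https-cert` does not declare `depends="check-os-for-https-cert-support"` the way `remove-https-cert` does, so on an OS matched by neither branch it appears to finish without renewing anything and without an error; confirm whether that is intended.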