Changeset 32477

Timestamp:
21.09.2018 19:08:14
Author:
ak19
Message:

HTTPS certification on Windows: Using OpenSSL for generating the account and domain keys, rather than letting ZeroSSL do this for us.

Files:
1 modified

  • main/trunk/greenstone3/build.xml

    r32465 r32477  
    16461646               NOTE TO OBTAINING A TLS (SSL) CERTIFICATE FOR HTTPS 
    16471647      ********************************************************************* 
    1648       A certificate is needed for your GS server to serve pages over https. 
     1648      A signed certificate is needed for your GS server to serve pages over https. 
    16491649      This target will attempt to obtain a certificate for you from the official and free Certificate Authority Let's Encrypt. 
    1650       However, a certificate can only be obtained if you have sudo permissions on this machine that you're installing Greenstone on. 
     1650      However, a certificate can only be obtained if you have admin/sudo permissions on this machine that you're installing Greenstone on. 
    16511651 
    16521652      Note that: 
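Review bot: The reworded note at 1650 still tells the user that admin/sudo permissions are required without saying what operation in this target actually needs them, so a Windows user cannot tell whether to run the whole build elevated or only this step; add one sentence naming the step that requires elevation. The change from "certificate" to "signed certificate" at 1648 would also be clearer as "CA-signed certificate", since the next line already introduces Let's Encrypt as the signing authority.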
     
    17271727    <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/> 
    17281728    <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 
     1729   
     1730    <!-- 
     1731        For Windows, Greenstone can generate the account and domain keys with the openSSL we compiled up ourselves 
     1732        and put on SVN (at GS3/bin/windows/openssl) rather than let ZeroSSL generate these keys for the user. 
     1733        Letting Greenstone generate the keys may be considered more trustworthy by the user than letting a 3rd 
     1734        party do so. See https://zerossl.com/usage.html#First_time_run_and_regular_use for OpenSSL commands 
     1735        If we don't generate the keys ourselves with our OpenSSL, then ZeroSSL will do so automatically in the 
     1736        call to le64/32.exe further below, as it's passed in the flag generate-missing. 
     1737    --> 
     1738    <!-- We generate the account key named "privkey.key" in ${packages.home}\tomcat\conf\https_cert --> 
     1739    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 
     1740      <arg value="/c" /> 
     1741      <arg value="openssl.exe" /> 
     1742      <arg value="genrsa" /> 
     1743      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /><arg value="4096" /> 
     1744    </exec> 
     1745   
     1746    <!-- Also generate the domain key (for csr-key parameter to zeroSSL's le.exe) 
     1747        ${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key 
     1748        Using 2048 instead of 4096 bits for this. See https://zerossl.com/usage.html#First_time_run_and_regular_use 
     1749    --> 
     1750    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 
     1751      <arg value="/c" /> 
     1752      <arg value="openssl.exe" /> 
     1753      <arg value="genrsa" /> 
     1754      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" /><arg value="2048" /> 
     1755    </exec> 
    17291756   
    17301757    <!-- stop the included tomcat (also stopping derby and solr) -->
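Review bot: Both new `<exec>` calls (1739-1744 and 1750-1755) run `genrsa` without `failonerror="true"`, so if openssl.exe is missing from `${basedir}/bin/${os.bin.dir}/openssl/bin` or `genrsa` fails for any reason, the build carries on and, as the comment at 1735-1736 itself says, the later le64/32.exe call with `generate-missing` silently generates the keys instead, which defeats the purpose of this change without anyone noticing; add `failonerror="true"` to both `<exec>` elements (the `cmd /c` wrapper can then go too, running `openssl.exe` as the executable directly). The justification in the comment at 1733-1734 also needs rewording: le64/32.exe is run locally on the same machine, so the difference is which local binary generates the private keys (the bundled OpenSSL versus the ZeroSSL client), not whether a third party ever sees them; stating it that way avoids implying that the alternative sends keys off-host. Finally, naming the account key `privkey.key` is confusing next to the domain key `${tomcat.server}.key`, since "privkey" is the conventional name for the server's own key; consider `account.key`.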