Changeset 32478

Timestamp:

2018-09-21T20:17:12+12:00 (6 years ago)

Author:

ak19

Message:

On Windows, we're now also using openSSL to convert the certificate to .pfx instead of letting the windows ZeroSSL binary do that for us (for added security again, as we don't want to trust a 3rd party with the private key included in the certificate). I forgot but we were already using openSSL on Linux to convert the certificate to p12, because the certbot-auto did not do that step for us like zeroSSl did.

File:

• main/trunk/greenstone3/build.xml (modified) (3 diffs)

main/trunk/greenstone3/build.xml

@@ -1796 +1796 @@
       <arg value="--unlink" />
       <arg line="${https.testing}" /><!-- minus-minus-live if not testing, empty if testing. https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value -->
-      <arg value="--export-pfx" /><arg value="${keystore.pass}" />
+      <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" />
+      <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!--Convert the certificate (that contains the full chain AND private key) to pfx format hereafter using OpenSSL instead-->
       <arg line="${https.cert.renewal}" /><!-- rewew command on windows appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. -->
     </exec>
@@ -1809 +1810 @@
         <param name="https.comment.out.end" value="${comment.end}"/>
     </antcall>
+    
+    <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd:
+            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file}
+            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -password pass:pwd -export -out ${keystore.file}
+        where on windows, keystore.file = fullchain_and_prvtkey.pfx
+    -->
+    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false">
+      <arg value="/c" />
+      <arg value="openssl.exe" />
+      <arg value="pkcs12" />
+      <arg value="-inkey" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" />
+      <arg value="-in" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt" />
+      <arg value="-export" />
+      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\${keystore.file}" />
+      <arg value="-name"/><arg value="greenstone3-tomcat"/><!-- See https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate -->
+      <arg value="-password"/><arg value="pass:${keystore.pass}"/>
+    </exec>
     
   </target>
@@ -1851 +1869 @@
     <arg value="-in"/><arg value="/etc/letsencrypt/live/${tomcat.server}/fullchain.pem"/>
     <arg value="-inkey"/><arg value="/etc/letsencrypt/live/${tomcat.server}/privkey.pem"/>
-    <arg value="-name"/><arg value="tomcat"/>
+    <arg value="-name"/><arg value="greenstone3-tomcat"/>
     <arg value="-password"/><arg value="pass:${keystore.pass}"/>
       </exec>