Show
Ignore:
Timestamp:
21.09.2018 20:17:12 (13 months ago)
Author:
ak19
Message:

On Windows, we're now also using openSSL to convert the certificate to .pfx instead of letting the windows ZeroSSL binary do that for us (for added security again, as we don't want to trust a 3rd party with the private key included in the certificate). I forgot but we were already using openSSL on Linux to convert the certificate to p12, because the certbot-auto did not do that step for us like zeroSSl did.

Files:
1 modified

Legend:

Unmodified
Added
Removed
  • main/trunk/greenstone3/build.xml

    r32477 r32478  
    17961796      <arg value="--unlink" /> 
    17971797      <arg line="${https.testing}" /><!-- minus-minus-live if not testing, empty if testing. https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value --> 
    1798       <arg value="--export-pfx" /><arg value="${keystore.pass}" /> 
     1798      <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" /> 
     1799      <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!--Convert the certificate (that contains the full chain AND private key) to pfx format hereafter using OpenSSL instead--> 
    17991800      <arg line="${https.cert.renewal}" /><!-- rewew command on windows appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. --> 
    18001801    </exec> 
     
    18091810        <param name="https.comment.out.end" value="${comment.end}"/> 
    18101811    </antcall> 
     1812     
     1813    <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd: 
     1814            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file} 
     1815            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -password pass:pwd -export -out ${keystore.file} 
     1816        where on windows, keystore.file = fullchain_and_prvtkey.pfx 
     1817    --> 
     1818    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 
     1819      <arg value="/c" /> 
     1820      <arg value="openssl.exe" /> 
     1821      <arg value="pkcs12" /> 
     1822      <arg value="-inkey" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" /> 
     1823      <arg value="-in" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt" /> 
     1824      <arg value="-export" /> 
     1825      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\${keystore.file}" /> 
     1826      <arg value="-name"/><arg value="greenstone3-tomcat"/><!-- See https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate --> 
     1827      <arg value="-password"/><arg value="pass:${keystore.pass}"/> 
     1828    </exec> 
    18111829     
    18121830  </target> 
     
    18511869    <arg value="-in"/><arg value="/etc/letsencrypt/live/${tomcat.server}/fullchain.pem"/> 
    18521870    <arg value="-inkey"/><arg value="/etc/letsencrypt/live/${tomcat.server}/privkey.pem"/> 
    1853     <arg value="-name"/><arg value="tomcat"/> 
     1871    <arg value="-name"/><arg value="greenstone3-tomcat"/> 
    18541872    <arg value="-password"/><arg value="pass:${keystore.pass}"/> 
    18551873      </exec>