Changeset 32482
- Timestamp:
- 2018-09-24T20:27:00+12:00 (6 years ago)
- File:
-
- 1 edited
main/trunk/greenstone3/build.xml
r32478 r32482 68 68 --> 69 69 <property name="https.test.mode" value="false"/> 70 <property name="sudo.or.not" value="/bin/bash"/><!-- by default, we don't run even special commands with sudo --> 70 71 71 72 <property name="os.linux" value="Linux"/> … … 263 264 264 265 <!-- On linux, if testing https certification, pass in minus-minus-staging. If not testing on linux, nothing extra to pass in. 265 On windows, if testing https certification, nothing extra to pass in. If not testing on windows, pass in minus-minus-live. 266 No https certification automation (yet) for macs. 266 On windows or mac, if testing https certification, nothing extra to pass in. If not testing on windows or mac, pass in minus-minus-live. 267 267 --> 268 268 <if><bool><istrue value="${current.os.isunixnotmac}"/></bool> … … 271 271 </condition> 272 272 </if> 273 <if><bool>< istrue value="${current.os.iswindows}"/></bool>273 <if><bool><or><istrue value="${current.os.iswindows}"/><istrue value="${current.os.ismac}"/></or></bool> 274 274 <condition property="https.testing" value="--live" else=""> 275 275 <isfalse value="${https.test.mode}"/> … … 1633 1633 <target name="check-os-for-https-cert-support"> 1634 1634 <if><bool><isset property="current.os.ismac"/></bool> 1635 < fail>1635 <echo> 1636 1636 Features that automate generating, removing and renewing HTTPS certificates 1637 are currently not supported on Macs, only on other Unix systems and on Windows.1638 </ fail>1637 are currently still being implemented on Macs. 1638 </echo> 1639 1639 </if> 1640 1640 </target> … … 1661 1661 To run this target, ensure you have: 1662 1662 * (if on unix) sudo permissions. Enter the sudo password if prompted. 1663 1663 * (if on windows) sufficient privileges to run the included tomcat on port 80. 
1664 1664 * nothing running on port 80 when you run this target 1665 1665 * edited the build.properties file with 1666 1666 - tomcat.server set to the/a domain name of your server 1667 - server.protocols list set to contain at least 'https' if not also http (the first in this comma-separatedlist will be the default protocol)1667 - server.protocols comma-separated list set to contain at least 'https' if not also http (the first in this list will be the default protocol) 1668 1668 - tomcat.port.https set to a valid port number not yet in use 1669 1669 - keystore.pass set to a password for the certification process … … 1713 1713 <if><bool><istrue value="${current.os.isunixnotmac}"/></bool> 1714 1714 <antcall target="setup-https-cert-linux"/> 1715 </if> 1716 <if><bool><istrue value="${current.os.ismac}"/></bool> 1717 <antcall target="setup-https-cert-mac"/> 1715 1718 </if> 1716 1719 </else> … … 1798 1801 <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" /> 1799 1802 <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!--Convert the certificate (that contains the full chain AND private key) to pfx format hereafter using OpenSSL instead--> 1800 <arg line="${https.cert.renewal}" /><!-- re wew command on windowsappends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. -->1801 </exec> 1802 1803 <arg line="${https.cert.renewal}" /><!-- renew command on windows/mac appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. 
--> 1804 </exec> 1805 1803 1806 <!-- stop the tomcat running on port 80 --> 1804 1807 <antcall target="stop"> … … 1810 1813 <param name="https.comment.out.end" value="${comment.end}"/> 1811 1814 </antcall> 1812 1815 1813 1816 <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd: 1814 1817 GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file} … … 1830 1833 </target> 1831 1834 1835 <target name="setup-https-cert-mac"> 1836 1837 <echo>********** The included tomcat will be stopped, then restarted on port 80 and stopped again</echo> 1838 1839 <!-- create folder packages\tomcat\webapps\ROOT\.well-known\acme-challenge --> 1840 <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/> 1841 <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 1842 1843 <!-- 1844 See comments under setup-https-cert-WINDOWS 1845 --> 1846 <!-- We generate the account key named "privkey.key" in ${packages.home}\tomcat\conf\https_cert --> 1847 <if><bool><not><available file="${packages.home}/tomcat/conf/https_cert/privkey.key"/></not></bool> 1848 <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 1849 <arg value="genrsa" /> 1850 <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /><arg value="4096" /> 1851 </exec> 1852 </if> 1853 1854 <!-- Also generate the domain key (for csr-key parameter to zeroSSL's le.pl) 1855 ${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key 1856 Using 2048 instead of 4096 bits for this. 
See https://zerossl.com/usage.html#First_time_run_and_regular_use 1857 --> 1858 <if><bool><not><available file="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key"/></not></bool> 1859 <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 1860 <arg value="genrsa" /> 1861 <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /><arg value="2048" /> 1862 </exec> 1863 </if> 1864 1865 <!-- stop the included tomcat (also stopping derby and solr) --> 1866 <antcall target="stop" /> 1867 1868 <!-- rerun tomcat on port 80 1869 See https://ant.apache.org/manual/Tasks/antcall.html --> 1870 <antcall target="start"> 1871 <param name="sudo.or.not" value="/usr/bin/sudo" /> 1872 <param name="localhost.port.http" value="80"/> 1873 <param name="default.tomcat.port" value="80"/> 1874 <param name="local.http.url" value="http://${localhost.server.http}"/><!-- For port 80 over http, leave out port number in URL --> 1875 <param name="http.address.restriction" value=""/><!-- don't prevent public access over http of port 80 --> 1876 <param name="https.comment.out.start" value="${comment.start}"/> 1877 <param name="https.comment.out.end" value="${comment.end}"/> 1878 </antcall> 1879 1880 <!-- get the certificate: use zerossl's le.pl compiled up for Mac. 
1881 For further notes, see under setup-https-cert-WINDOWS 1882 --> 1883 1884 <exec executable="perl" osfamily="mac" dir="${gs2build.home}/perllib/cpan/Crypt/LE/bin" spawn="false"> 1885 <env key="PERL5LIB" value="${gs2build.home}/perllib/cpan${path.separator}${gs2build.home}/perllib/cpan/perl-5.18"/> 1886 <arg value="-S" /> 1887 <arg value="${gs2build.home}/perllib/cpan/Crypt/LE/bin/le.pl" /> 1888 <arg value="--key" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /> 1889 <arg value="--csr" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.csr" /> 1890 <arg value="--csr-key" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /> 1891 <!--<arg value="==crt" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.crt" />--> 1892 <arg value="--crt" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt" /> 1893 <arg value="--domains" /><arg value="${https.cert.domains}" /> 1894 <arg value="--path" /><arg value="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge" /> 1895 <arg value="--generate-missing" /> 1896 <arg value="--unlink" /> 1897 <arg line="${https.testing}" /><!-- minus-minus-live if not testing, empty if testing. https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value --> 1898 <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" /> 1899 <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!-- not sure if this generates a keystore filename with ext .p12 or .pfx for Macs --> 1900 <arg line="${https.cert.renewal}" /><!-- renew command on windows/mac appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. 
--> 1901 </exec> 1902 1903 <!-- need regular user permissions on both the Certificate Signing Request file and the certicate, 1904 so as user, we copy the files from /tmp where they were generated as root to user location --> 1905 <!--<copy file="/tmp/${tomcat.server}.csr" tofile="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.csr"/> 1906 <copy file="/tmp/fullchain_and_prvtkey.crt" tofile="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt"/>--> 1907 1908 <!-- stop the tomcat running on port 80 --> 1909 <antcall target="stop"> 1910 <param name="sudo.or.not" value="/usr/bin/sudo" /> 1911 <param name="localhost.port.http" value="80"/> 1912 <param name="default.tomcat.port" value="80"/> 1913 <param name="local.http.url" value="http://${localhost.server.http}"/> 1914 <param name="http.address.restriction" value=""/> 1915 <param name="https.comment.out.start" value="${comment.start}"/> 1916 <param name="https.comment.out.end" value="${comment.end}"/> 1917 </antcall> 1918 1919 <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd: 1920 GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file} 1921 GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -password pass:pwd -export -out ${keystore.file} 1922 where on windows, keystore.file = fullchain_and_prvtkey.pfx 1923 --> 1924 <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 1925 <arg value="pkcs12" /> 1926 <arg value="-inkey" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /> 1927 <arg value="-in" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt" /> 1928 <arg value="-export" /> 1929 <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/${keystore.file}" /> 1930 <arg value="-name"/><arg 
value="greenstone3-tomcat"/><!-- See https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate --> 1931 <arg value="-password"/><arg value="pass:${keystore.pass}"/> 1932 </exec> 1933 1934 </target> 1935 1936 1832 1937 1833 1938 <target name="setup-https-cert-linux"> … … 1914 2019 Note osfamily="unix" is separate from osfamily="mac", which comes out handy here as we haven't set up certbot-auto for mac (yet). 1915 2020 --> 1916 <exec executable="./certbot-auto" os family="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y">2021 <exec executable="./certbot-auto" os="${os.linux},${os.solaris}" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y"> 1917 2022 <arg value="revoke"/> 1918 2023 <arg line="${https.testing}"/> … … 1926 2031 --> 1927 2032 1928 <!-- On Windows, we use zeroSSl. For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation -->1929 2033 <!-- On Windows and Mac, we use zeroSSl. 
For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation --> 2034 <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false"> 1930 2035 <arg value="/c" /> 1931 1932 2036 <arg value="le${os.bitness}" /> 2037 <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /> 1933 2038 <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt"/> 1934 1935 1936 2039 <arg value="--revoke"/> 2040 <arg line="${https.testing}"/> 2041 </exec> 1937 2042 2043 <!-- On Mac, we use the le.pl we compiled up (Crypt::LE) and which needs to have PERL5LIB set correctly to run --> 2044 <exec executable="perl" osfamily="mac" dir="${gs2build.home}/perllib/cpan/Crypt/LE/bin" spawn="false"> 2045 <env key="PERL5LIB" value="${gs2build.home}/perllib/cpan${path.separator}${gs2build.home}/perllib/cpan/perl-5.18"/> 2046 <arg value="-S" /> 2047 <arg value="${gs2build.home}/perllib/cpan/Crypt/LE/bin/le.pl" /> 2048 <arg value="--key" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /> 2049 <arg value="--crt" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt"/> 2050 <arg value="--revoke"/> 2051 <arg line="${https.testing}"/> 2052 </exec> 2053 1938 2054 <!-- And remove the https_cert folder --> 1939 2055 <delete dir="${packages.home}/tomcat/conf/https_cert"/> … … 1951 2067 <echo> 1952 2068 NOTE: To run this target, 1953 * ensure nothing is running on port 80. 1954 * if you're on Linux, you need to have sudo permissions. Enter the sudo password if prompted.2069 * ensure nothing is running on port 80 2070 * if you're on Linux or Mac, you need to have sudo permissions. Enter the sudo password if prompted. 
1955 2071 1956 2072 If you want your cronjob to renew a certificate, you can add pre and post hooks … … 1959 2075 ./path/to/GS3/bin/linux/certbot-auto --help renew 1960 2076 </echo> 1961 <exec executable="./certbot-auto" os family="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true">2077 <exec executable="./certbot-auto" os="${os.linux},${os.solaris}" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 1962 2078 <arg value="renew"/> 1963 2079 <arg value="--quiet"/> … … 1965 2081 </exec> 1966 2082 1967 <!-- For rewewal on Windows, need to re-run the original (issuance) command and append "min-min-renew XX" to it, 1968 where if it's within XX days of expiry, the certificate will get renewed. 1969 See https://zerossl.com/usage.html#Certificate_renewal --> 1970 <if><bool><istrue value="${current.os.iswindows}"/></bool> 1971 1972 <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input> 1973 <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 1974 <and> 1975 <isset property="https.other.domains" /> 1976 <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 1977 </and> 1978 </condition> 1979 <antcall target="setup-https-cert-windows"> 1980 <param name="https.cert.renewal" value="--renew 10"/> 1981 </antcall> 1982 </if> 2083 <!-- For renewal on Windows or Mac, we use ZeroSSL as intermediary between GS3 and Let's Encrypt. 2084 And when using ZeroSSL we need to re-run the original (issuance) command and append "min-min-renew XX" to it, 2085 where if it's within XX days of expiry, the certificate will get renewed. 
2086 See https://zerossl.com/usage.html#Certificate_renewal --> 2087 <if><bool><or> 2088 <istrue value="${current.os.iswindows}"/> 2089 <istrue value="${current.os.ismac}"/> 2090 </or></bool> 2091 2092 <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input> 2093 <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 2094 <and> 2095 <isset property="https.other.domains" /> 2096 <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 2097 </and> 2098 </condition> 2099 <if><bool><istrue value="${current.os.iswindows}"/></bool> 2100 <antcall target="setup-https-cert-windows"> 2101 <param name="https.cert.renewal" value="--renew 10"/> 2102 </antcall> 2103 <else> 2104 <antcall target="setup-https-cert-mac"> 2105 <param name="https.cert.renewal" value="--renew 10"/> 2106 </antcall> 2107 </else> 2108 </if> 2109 </if> 1983 2110 </target> 1984 2111 … … 2252 2379 see http://ant-contrib.sourceforge.net/tasks/tasks/osfamily.html --> 2253 2380 2254 <exec executable="${catalina.home}/bin/startup.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 2381 <!--<exec executable="${catalina.home}/bin/startup.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false">--> 2382 <exec executable="${sudo.or.not}" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 2255 2383 <!--<env key="GSDLOS" value="linux"/> do we need this?? --> 2256 2384 <env key="GSDL3HOME" value="${basedir}"/> … … 2263 2391 <env key="WNHOME" path="${wn.home}"/> 2264 2392 <env key="FEDORA_HOME" path="${fedora.home}"/> 2393 <arg value="${catalina.home}/bin/startup.sh"/> 2265 2394 </exec> 2266 2395 <exec executable="${catalina.home}/bin/startup.bat" osfamily="windows" dir="${catalina.home}/bin" spawn="true"> … … 2309 2438 stopped as happens when stop-tomcat is called consecutively. 
--> 2310 2439 <target name="force-stop-tomcat" description="Shutdown only Tomcat" depends="init" if="tomcat.islocal"> 2311 <exec executable="${catalina.home}/bin/shutdown.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 2440 <!--<exec executable="${catalina.home}/bin/shutdown.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false">--> 2441 <exec executable="${sudo.or.not}" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 2312 2442 <env key="FEDORA_HOME" path="${fedora.home}"/> 2313 2443 <env key="CATALINA_HOME" value="${catalina.home}"/> 2444 <arg value="${catalina.home}/bin/shutdown.sh"/> 2314 2445 <arg line=">/dev/null 2>&1"/> 2315 2446 </exec>
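Review bot: The new `setup-https-cert-mac` target's `<exec>` tasks (new lines 1848, 1859, 1884, 1924) and the mac revoke exec at 2044 have no `failonerror="true"`, so a failed key generation or a rejected ACME request is ignored and the target still runs `openssl pkcs12` against a missing certificate and then restarts tomcat; the certbot execs in the same file set `failonerror="true"` and these should match. A bare `executable="openssl"` is resolved through PATH rather than through `dir=` unless `resolveexecutable="true"` is also set, so the bundled openssl under `${basedir}/bin/${os.bin.dir}/openssl/bin` is presumably not the binary that actually runs. At new line 1931 the keystore password is passed as `-password pass:${keystore.pass}`, which exposes it in the process list for the duration of the conversion; openssl accepts an `env:` source, so `<env key="KEYSTORE_PASS" value="${keystore.pass}"/>` on the exec with `<arg value="env:KEYSTORE_PASS"/>` avoids that, and the same applies to the Windows conversion described in the comment at 1920-1922 if it uses `-password pass:`. The tomcat started through `${sudo.or.not}` runs as root, so anything it writes under `${catalina.home}` during the challenge may be left root-owned; the commented-out copies at 1905-1906 suggest this was already encountered and deserve a comment stating how ownership is expected to be handled.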