Changeset 32482 for main

Show
Ignore:
Timestamp:
24.09.2018 20:27:00 (9 months ago)
Author:
ak19
Message:

Automating https certification works on Mac

Files:
1 modified

Legend:

Unmodified
Added
Removed
  • main/trunk/greenstone3/build.xml

    r32478 r32482  
    6868  --> 
    6969  <property name="https.test.mode" value="false"/> 
     70  <property name="sudo.or.not" value="/bin/bash"/><!-- by default, we don't run even special commands with sudo --> 
    7071 
    7172  <property name="os.linux" value="Linux"/>  
     
    263264 
    264265    <!-- On linux, if testing https certification, pass in minus-minus-staging. If not testing on linux, nothing extra to pass in. 
    265         On windows, if testing https certification, nothing extra to pass in. If not testing on windows, pass in minus-minus-live. 
    266         No https certification automation (yet) for macs. 
     266         On windows or mac, if testing https certification, nothing extra to pass in. If not testing on windows or mac, pass in minus-minus-live. 
    267267    --> 
    268268    <if><bool><istrue value="${current.os.isunixnotmac}"/></bool>    
     
    271271        </condition> 
    272272    </if> 
    273     <if><bool><istrue value="${current.os.iswindows}"/></bool> 
     273    <if><bool><or><istrue value="${current.os.iswindows}"/><istrue value="${current.os.ismac}"/></or></bool> 
    274274        <condition property="https.testing" value="--live" else=""> 
    275275            <isfalse value="${https.test.mode}"/> 
     
    16331633  <target name="check-os-for-https-cert-support"> 
    16341634    <if><bool><isset property="current.os.ismac"/></bool> 
    1635         <fail> 
     1635        <echo> 
    16361636            Features that automate generating, removing and renewing HTTPS certificates 
    1637             are currently not supported on Macs, only on other Unix systems and on Windows. 
    1638         </fail> 
     1637            are currently still being implemented on Macs. 
     1638        </echo> 
    16391639    </if>    
    16401640  </target> 
     
    16611661      To run this target, ensure you have: 
    16621662      * (if on unix) sudo permissions. Enter the sudo password if prompted. 
    1663       * (if on windows) sufficient privileges to run the included tomcat on port 80. 
     1663      * (if on windows) sufficient privileges to run the included tomcat on port 80. 
    16641664      * nothing running on port 80 when you run this target 
    16651665      * edited the build.properties file with 
    16661666        - tomcat.server set to the/a domain name of your server 
    1667         - server.protocols list set to contain at least 'https' if not also http (the first in this comma-separated list will be the default protocol) 
     1667        - server.protocols comma-separated list set to contain at least 'https' if not also http (the first in this list will be the default protocol) 
    16681668        - tomcat.port.https set to a valid port number not yet in use 
    16691669        - keystore.pass set to a password for the certification process 
     
    17131713        <if><bool><istrue value="${current.os.isunixnotmac}"/></bool> 
    17141714            <antcall target="setup-https-cert-linux"/> 
     1715        </if> 
     1716        <if><bool><istrue value="${current.os.ismac}"/></bool> 
     1717            <antcall target="setup-https-cert-mac"/> 
    17151718        </if> 
    17161719     </else> 
     
    17981801      <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" /> 
    17991802      <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!--Convert the certificate (that contains the full chain AND private key) to pfx format hereafter using OpenSSL instead--> 
    1800       <arg line="${https.cert.renewal}" /><!-- rewew command on windows appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. --> 
    1801     </exec> 
    1802      
     1803      <arg line="${https.cert.renewal}" /><!-- renew command on windows/mac appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. --> 
     1804    </exec> 
     1805 
    18031806    <!-- stop the tomcat running on port 80 --> 
    18041807    <antcall target="stop"> 
     
    18101813        <param name="https.comment.out.end" value="${comment.end}"/> 
    18111814    </antcall> 
    1812      
     1815 
    18131816    <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd: 
    18141817            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file} 
     
    18301833  </target> 
    18311834   
     1835  <target name="setup-https-cert-mac"> 
     1836     
     1837    <echo>********** The included tomcat will be stopped, then restarted on port 80 and stopped again</echo> 
     1838     
     1839    <!-- create folder packages\tomcat\webapps\ROOT\.well-known\acme-challenge --> 
     1840    <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/> 
     1841    <mkdir dir="${packages.home}/tomcat/conf/https_cert"/> 
     1842   
     1843    <!-- 
     1844        See comments under setup-https-cert-WINDOWS 
     1845    --> 
     1846    <!-- We generate the account key named "privkey.key" in ${packages.home}\tomcat\conf\https_cert --> 
     1847    <if><bool><not><available file="${packages.home}/tomcat/conf/https_cert/privkey.key"/></not></bool> 
     1848      <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false">     
     1849        <arg value="genrsa" /> 
     1850        <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /><arg value="4096" /> 
     1851      </exec> 
     1852    </if> 
     1853   
     1854    <!-- Also generate the domain key (for csr-key parameter to zeroSSL's le.pl) 
     1855        ${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key 
     1856        Using 2048 instead of 4096 bits for this. See https://zerossl.com/usage.html#First_time_run_and_regular_use 
     1857    --> 
     1858    <if><bool><not><available file="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key"/></not></bool> 
     1859      <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 
     1860        <arg value="genrsa" /> 
     1861        <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /><arg value="2048" /> 
     1862      </exec> 
     1863    </if> 
     1864   
     1865    <!-- stop the included tomcat (also stopping derby and solr) --> 
     1866    <antcall target="stop" /> 
     1867     
     1868    <!-- rerun tomcat on port 80 
     1869        See https://ant.apache.org/manual/Tasks/antcall.html --> 
     1870    <antcall target="start"> 
     1871      <param name="sudo.or.not" value="/usr/bin/sudo" /> 
     1872        <param name="localhost.port.http" value="80"/> 
     1873        <param name="default.tomcat.port" value="80"/> 
     1874        <param name="local.http.url" value="http://${localhost.server.http}"/><!-- For port 80 over http, leave out port number in URL --> 
     1875        <param name="http.address.restriction" value=""/><!-- don't prevent public access over http of port 80 --> 
     1876        <param name="https.comment.out.start" value="${comment.start}"/> 
     1877        <param name="https.comment.out.end" value="${comment.end}"/> 
     1878    </antcall> 
     1879  
     1880    <!-- get the certificate: use zerossl's le.pl compiled up for Mac. 
     1881       For further notes, see under setup-https-cert-WINDOWS 
     1882    --> 
     1883 
     1884    <exec executable="perl" osfamily="mac" dir="${gs2build.home}/perllib/cpan/Crypt/LE/bin" spawn="false"> 
     1885      <env key="PERL5LIB" value="${gs2build.home}/perllib/cpan${path.separator}${gs2build.home}/perllib/cpan/perl-5.18"/> 
     1886      <arg value="-S" /> 
     1887      <arg value="${gs2build.home}/perllib/cpan/Crypt/LE/bin/le.pl" /> 
     1888      <arg value="--key" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /> 
     1889      <arg value="--csr" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.csr" /> 
     1890      <arg value="--csr-key" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /> 
     1891      <!--<arg value="==crt" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.crt" />--> 
     1892      <arg value="--crt" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt" /> 
     1893      <arg value="--domains" /><arg value="${https.cert.domains}" /> 
     1894      <arg value="--path" /><arg value="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge" /> 
     1895      <arg value="--generate-missing" /> 
     1896      <arg value="--unlink" /> 
     1897      <arg line="${https.testing}" /><!-- minus-minus-live if not testing, empty if testing. https://stackoverflow.com/questions/11840284/pass-arguments-to-apache-ant-exec-task-based-on-the-variables-value --> 
     1898      <!--<arg value="==export-pfx" /><arg value="${keystore.pass}" /> 
     1899          <arg value="==tag-pfx" /><arg value="greenstone3-tomcat" />--><!-- not sure if this generates a keystore filename with ext .p12 or .pfx for Macs --> 
     1900      <arg line="${https.cert.renewal}" /><!-- renew command on windows/mac appends min-min-renew XX, where if the day the renewal is run is XX days within expiry, the certificate will get renewed. --> 
     1901    </exec> 
     1902 
     1903    <!-- need regular user permissions on both the Certificate Signing Request file and the certicate, 
     1904     so as user, we copy the files from /tmp where they were generated as root to user location --> 
     1905    <!--<copy file="/tmp/${tomcat.server}.csr" tofile="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.csr"/> 
     1906    <copy file="/tmp/fullchain_and_prvtkey.crt" tofile="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt"/>--> 
     1907 
     1908    <!-- stop the tomcat running on port 80 --> 
     1909    <antcall target="stop"> 
     1910      <param name="sudo.or.not" value="/usr/bin/sudo" /> 
     1911        <param name="localhost.port.http" value="80"/> 
     1912        <param name="default.tomcat.port" value="80"/> 
     1913        <param name="local.http.url" value="http://${localhost.server.http}"/> 
     1914        <param name="http.address.restriction" value=""/> 
     1915        <param name="https.comment.out.start" value="${comment.start}"/> 
     1916        <param name="https.comment.out.end" value="${comment.end}"/> 
     1917    </antcall> 
     1918 
     1919    <!-- Use OpenSSL instead of ZeroSSL to convert the certificate to the .pfx format that tomcat likes, using this cmd: 
     1920            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -passin pass:pwd -passout pass:pwd -export -out ${keystore.file} 
     1921            GS3/bin/windows/openssl/bin/openssl.exe pkcs12 -inkey domain.key -in domain.crt -password pass:pwd -export -out ${keystore.file} 
     1922        where on windows, keystore.file = fullchain_and_prvtkey.pfx 
     1923    --> 
     1924    <exec executable="openssl" osfamily="mac" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false"> 
     1925      <arg value="pkcs12" /> 
     1926      <arg value="-inkey" /><arg value="${packages.home}/tomcat/conf/https_cert/${tomcat.server}.key" /> 
     1927      <arg value="-in" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt" /> 
     1928      <arg value="-export" /> 
     1929      <arg value="-out" /><arg value="${packages.home}/tomcat/conf/https_cert/${keystore.file}" /> 
     1930      <arg value="-name"/><arg value="greenstone3-tomcat"/><!-- See https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate --> 
     1931      <arg value="-password"/><arg value="pass:${keystore.pass}"/> 
     1932    </exec> 
     1933     
     1934  </target> 
     1935   
     1936 
    18321937   
    18331938  <target name="setup-https-cert-linux"> 
     
    19142019    Note osfamily="unix" is separate from osfamily="mac", which comes out handy here as we haven't set up certbot-auto for mac (yet). 
    19152020    --> 
    1916     <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y"> 
     2021    <exec executable="./certbot-auto" os="${os.linux},${os.solaris}" dir="${basedir}/bin/${os.bin.dir}" failonerror="true" inputstring="Y"> 
    19172022     <arg value="revoke"/> 
    19182023     <arg line="${https.testing}"/> 
     
    19262031    --> 
    19272032     
    1928     <!-- On Windows, we use zeroSSl. For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation --> 
    1929     <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false"> 
     2033    <!-- On Windows and Mac, we use zeroSSl. For the revoke command, see https://zerossl.com/usage.html#Certificate_revocation --> 
     2034    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}" spawn="false"> 
    19302035      <arg value="/c" /> 
    1931       <arg value="le${os.bitness}" />      
    1932       <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /> 
     2036      <arg value="le${os.bitness}" />      
     2037      <arg value="--key" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /> 
    19332038      <arg value="--crt" /><arg value="${packages.home}\tomcat\conf\https_cert\fullchain_and_prvtkey.crt"/> 
    1934       <arg value="--revoke"/> 
    1935       <arg line="${https.testing}"/> 
    1936     </exec> 
     2039      <arg value="--revoke"/> 
     2040      <arg line="${https.testing}"/> 
     2041    </exec> 
    19372042     
     2043    <!-- On Mac, we use the le.pl we compiled up (Crypt::LE) and which needs to have PERL5LIB set correctly to run -->   
     2044    <exec executable="perl" osfamily="mac" dir="${gs2build.home}/perllib/cpan/Crypt/LE/bin" spawn="false"> 
     2045      <env key="PERL5LIB" value="${gs2build.home}/perllib/cpan${path.separator}${gs2build.home}/perllib/cpan/perl-5.18"/> 
     2046      <arg value="-S" /> 
     2047      <arg value="${gs2build.home}/perllib/cpan/Crypt/LE/bin/le.pl" /> 
     2048      <arg value="--key" /><arg value="${packages.home}/tomcat/conf/https_cert/privkey.key" /> 
     2049      <arg value="--crt" /><arg value="${packages.home}/tomcat/conf/https_cert/fullchain_and_prvtkey.crt"/> 
     2050      <arg value="--revoke"/> 
     2051      <arg line="${https.testing}"/> 
     2052    </exec> 
     2053 
    19382054    <!-- And remove the https_cert folder --> 
    19392055    <delete dir="${packages.home}/tomcat/conf/https_cert"/> 
     
    19512067    <echo> 
    19522068      NOTE: To run this target, 
    1953       * ensure nothing is running on port 80. 
    1954       * if you're on Linux, you need to have sudo permissions. Enter the sudo password if prompted.       
     2069          * ensure nothing is running on port 80 
     2070          * if you're on Linux or Mac, you need to have sudo permissions. Enter the sudo password if prompted.       
    19552071 
    19562072      If you want your cronjob to renew a certificate, you can add pre and post hooks 
     
    19592075         ./path/to/GS3/bin/linux/certbot-auto --help renew 
    19602076    </echo> 
    1961     <exec executable="./certbot-auto" osfamily="unix" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 
     2077    <exec executable="./certbot-auto" os="${os.linux},${os.solaris}" dir="${basedir}/bin/${os.bin.dir}" failonerror="true"> 
    19622078     <arg value="renew"/> 
    19632079     <arg value="--quiet"/> 
     
    19652081    </exec> 
    19662082     
    1967     <!-- For rewewal on Windows, need to re-run the original (issuance) command and append "min-min-renew XX" to it, 
    1968         where if it's within XX days of expiry, the certificate will get renewed. 
    1969         See https://zerossl.com/usage.html#Certificate_renewal --> 
    1970     <if><bool><istrue value="${current.os.iswindows}"/></bool> 
    1971              
    1972         <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input> 
    1973         <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 
    1974             <and> 
    1975               <isset property="https.other.domains" /> 
    1976               <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 
    1977             </and> 
    1978         </condition> 
    1979         <antcall target="setup-https-cert-windows"> 
    1980             <param name="https.cert.renewal" value="--renew 10"/>            
    1981         </antcall> 
    1982     </if> 
     2083    <!-- For renewal on Windows or Mac, we use ZeroSSL as intermediary between GS3 and Let's Encrypt. 
     2084     And when using ZeroSSL we need to re-run the original (issuance) command and append "min-min-renew XX" to it, 
     2085     where if it's within XX days of expiry, the certificate will get renewed. 
     2086     See https://zerossl.com/usage.html#Certificate_renewal --> 
     2087    <if><bool><or> 
     2088      <istrue value="${current.os.iswindows}"/> 
     2089      <istrue value="${current.os.ismac}"/> 
     2090      </or></bool> 
     2091       
     2092      <input addproperty="https.other.domains">Enter a comma separated list of additional domains besides tomcat.server=${tomcat.server} that you registered on issuance, if any</input> 
     2093      <condition property="https.cert.domains" value="${tomcat.server},${https.other.domains}" else="${tomcat.server}"> 
     2094    <and> 
     2095      <isset property="https.other.domains" /> 
     2096      <not><matches string="${https.other.domains}" pattern="^\s*$"/></not> 
     2097    </and> 
     2098      </condition> 
     2099      <if><bool><istrue value="${current.os.iswindows}"/></bool> 
     2100    <antcall target="setup-https-cert-windows"> 
     2101      <param name="https.cert.renewal" value="--renew 10"/>          
     2102    </antcall> 
     2103    <else> 
     2104      <antcall target="setup-https-cert-mac"> 
     2105        <param name="https.cert.renewal" value="--renew 10"/>            
     2106      </antcall> 
     2107    </else> 
     2108      </if> 
     2109    </if> 
    19832110  </target> 
    19842111 
     
    22522379    see http://ant-contrib.sourceforge.net/tasks/tasks/osfamily.html --> 
    22532380 
    2254     <exec executable="${catalina.home}/bin/startup.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 
     2381    <!--<exec executable="${catalina.home}/bin/startup.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false">--> 
     2382    <exec executable="${sudo.or.not}" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 
    22552383      <!--<env key="GSDLOS" value="linux"/> do we need this?? --> 
    22562384      <env key="GSDL3HOME" value="${basedir}"/> 
     
    22632391      <env key="WNHOME" path="${wn.home}"/> 
    22642392      <env key="FEDORA_HOME" path="${fedora.home}"/> 
     2393      <arg value="${catalina.home}/bin/startup.sh"/> 
    22652394    </exec> 
    22662395    <exec executable="${catalina.home}/bin/startup.bat" osfamily="windows" dir="${catalina.home}/bin" spawn="true"> 
     
    23092438       stopped as happens when stop-tomcat is called consecutively. --> 
    23102439  <target name="force-stop-tomcat" description="Shutdown only Tomcat" depends="init" if="tomcat.islocal"> 
    2311     <exec executable="${catalina.home}/bin/shutdown.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 
     2440    <!--<exec executable="${catalina.home}/bin/shutdown.sh" os="${os.unix}" dir="${catalina.home}/bin" spawn="false">--> 
     2441    <exec executable="${sudo.or.not}" os="${os.unix}" dir="${catalina.home}/bin" spawn="false"> 
    23122442      <env key="FEDORA_HOME" path="${fedora.home}"/> 
    23132443      <env key="CATALINA_HOME" value="${catalina.home}"/> 
     2444      <arg value="${catalina.home}/bin/shutdown.sh"/> 
    23142445      <arg line=">/dev/null 2>&amp;1"/> 
    23152446    </exec>