Changeset 32477 for main/trunk


Timestamp:
2018-09-21T19:08:14+12:00 (6 years ago)
Author:
ak19
Message:

HTTPS certification on Windows: Using openSSL for generating the account and domain keys, rather than letting zeroSSL do this for us.

File:
1 edited

  • main/trunk/greenstone3/build.xml

    r32465 r32477  
    16461646               NOTE TO OBTAINING A TLS (SSL) CERTIFICATE FOR HTTPS
    16471647      *********************************************************************
    1648       A certificate is needed for your GS server to serve pages over https.
     1648      A signed certificate is needed for your GS server to serve pages over https.
    16491649      This target will attempt to obtain a certificate for you from the official and free Certificate Authority Let's Encrypt.
    1650       However, a certificate can only be obtained if you have sudo permissions on this machine that you're installing Greenstone on.
     1650      However, a certificate can only be obtained if you have admin/sudo permissions on this machine that you're installing Greenstone on.
    16511651
    16521652      Note that:
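Review bot: "signed certificate" in the new line 1648 is still ambiguous, since a self-signed certificate is also signed; the note goes on to describe Let's Encrypt, so "CA-signed certificate (one issued by a trusted Certificate Authority, not self-signed)" would say what the target actually obtains. In line 1650, "admin/sudo permissions" is a good addition for Windows readers, but the note should say which of the two applies where, e.g. "Administrator rights on Windows, sudo on Linux/Mac", and a short reason (the steps below create directories under the Tomcat installation and run the ACME client) would tell the user why elevated rights are required rather than leaving it as a bare requirement.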
     
    17271727    <mkdir dir="${packages.home}/tomcat/webapps/ROOT/.well-known/acme-challenge"/>
    17281728    <mkdir dir="${packages.home}/tomcat/conf/https_cert"/>
     1729 
     1730    <!--
     1731        For Windows, Greenstone can generate the account and domain keys with the openSSL we compiled up ourselves
     1732        and put on SVN (at GS3/bin/windows/openssl) rather than let ZeroSSL generate these keys for the user.
     1733        Letting Greenstone generate the keys may be considered more trustworthy by the user than letting a 3rd
     1734        party do so. See https://zerossl.com/usage.html#First_time_run_and_regular_use for OpenSSL commands
     1735        If we don't generate the keys ourselves with our OpenSSL, then ZeroSSL will do so automatically in the
     1736        call to le64/32.exe further below, as it's passed in the flag generate-missing.
     1737    -->
     1738    <!-- We generate the account key named "privkey.key" in ${packages.home}\tomcat\conf\https_cert -->
     1739    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false">
     1740      <arg value="/c" />
     1741      <arg value="openssl.exe" />
     1742      <arg value="genrsa" />
     1743      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\privkey.key" /><arg value="4096" />
     1744    </exec>
     1745 
     1746    <!-- Also generate the domain key (for csr-key parameter to zeroSSL's le.exe)
     1747        ${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key
     1748        Using 2048 instead of 4096 bits for this. See https://zerossl.com/usage.html#First_time_run_and_regular_use
     1749    -->
     1750    <exec executable="cmd" osfamily="windows" dir="${basedir}/bin/${os.bin.dir}/openssl/bin" spawn="false">
     1751      <arg value="/c" />
     1752      <arg value="openssl.exe" />
     1753      <arg value="genrsa" />
     1754      <arg value="-out" /><arg value="${packages.home}\tomcat\conf\https_cert\${tomcat.server}.key" /><arg value="2048" />
     1755    </exec>
    17291756 
    17301757    <!-- stop the included tomcat (also stopping derby and solr) -->
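Review bot: the two new `<exec>` tasks (lines 1739-1744 and 1750-1755) run unconditionally, so every run of this target overwrites `privkey.key` and `${tomcat.server}.key`; since `privkey.key` is the ACME account key, regenerating it each time silently discards the account the previous run registered, and regenerating the domain key invalidates any CSR or certificate already issued for it. Guard each exec on the key not already existing, e.g. `<available file="${packages.home}\tomcat\conf\https_cert\privkey.key" property="account.key.exists"/>` and `unless="account.key.exists"` on the enclosing target or a wrapping `<sequential>`, so the keys are only created on first run, matching the "first time run" wording of the linked ZeroSSL page. Second, neither exec sets `failonerror="true"` or `resultproperty`; if `openssl.exe` is missing or fails, the build continues and the later `le64/32.exe` call with `generate-missing` quietly generates the keys after all, defeating the stated purpose of the comment block (lines 1730-1737) without telling the user. Either fail the build or at least log which path produced the keys. Minor: invoking `cmd /c openssl.exe` adds a shell layer that is not needed here; `executable="${basedir}/bin/${os.bin.dir}/openssl/bin/openssl.exe"` avoids cmd's quoting rules on the key paths, and the comment should note that the generated private keys are written unencrypted and inherit the ACLs of the `https_cert` directory, so that directory must not be world-readable.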