Install a Free SSL Certificate from Let's Encrypt in Thingworx

    I thought I would share how to install a valid signed certificate from a new Certificate Authority called "Let's Encrypt" https://letsencrypt.org/

     

    Important note: Some hardware vendors who supply products that make use of the C SDK may have hard-coded their firmware to only connect if you have installed an EV certificate. In that case "Let's Encrypt" certificates will not work and you will have to purchase an EV certificate from a trusted Signing Authority like DigiCert, Symantec, etc.  This may take a number of weeks and you should not expect it in less than a week as it requires a lot of administrative work to be performed.

     

    Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

     

    I have tested this on Ubuntu 14.04 LTS but I am sure you would be able to figure it out on other operating systems as well.

     

    Reference site: https://certbot.eff.org/#ubuntutrusty-other

    Reference site: https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/

     

    To install your certificate:

     

    First install and configure Java and Tomcat to the point where you would usually generate a self-signed certificate.

     

    ------Start----

    $ cd

    $ wget https://dl.eff.org/certbot-auto

    $ chmod a+x certbot-auto

    $ ./certbot-auto

    $ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext

    $ cd /etc/letsencrypt/live/example.mydomain.ext/

    $ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat

                ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.

     

    $ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat

     

    $ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore

    $ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore

    $ sudo chmod 640 $CATALINA_HOME/conf/.keystore

     

    ------End---

     

     

    When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:

     

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"

    maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="${user.home}/8.0.33/conf/.keystore" keystorePass="mypassword"

    clientAuth="false" sslProtocol="TLS" />

     

    To renew your certificate:

     

    Essentially you repeat the process above exactly as you did right in the beginning with only one minor difference.  When you run the command to generate the cert, it will offer you an option to renew the existing one.  The rest remains unchanged.  You also must remember to stop Tomcat before the procedure and then of course start it again.  If you do not you will get an error saying that the port is already in use.

     

    Go to where you downloaded the certbot-auto file and enter these commands:

     

    ------Start----

    $ sudo service tomcat8 stop

    $ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext    # SELECT OPTION 2 (to renew if it has not yet expired)

    $ cd /etc/letsencrypt/live/example.mydomain.ext/

    Please note: When renewing you need to use the same password used to generate the initial certificate. Check Tomcat server.xml if you can't remember.

    $ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat

                ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.

     

    $ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat    # CONFIRM OVERWRITE

     

    $ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore

    $ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore

    $ sudo chmod 640 $CATALINA_HOME/conf/.keystore

    $ sudo service tomcat8 start

     

    ------End---

     

    Use the same password with which you originally installed or alternatively update your Tomcat server.xml config

     

    If you want to test if your certificate is installed, you can do so from the command line by issuing the following:

    $ curl https://example.mydomain.ext/ --tlsv1.2 --verbose

     

     

    Notes:

    All items in GREEN should be modified to suit your environment / password policies.

    ----------------------------------------------------------------------------------------------------------------

    Message was edited by: Duan Gauché Correction: Incorrect: "When you configure $CATALINA_HOME/conf/context.xml use the following for port 443:" now corrected to: "When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:"

    Message was edited by: Duan Gauché Added instructions to renew the certificates.

    Message was edited by: Duan Gauché - Added stop and start commands for Tomcat to avoid the socket in use error when renewing. - Thanks for the reminder Pascal

     

    This is very useful information. Thanks for sharing this!

     

    You are welcome!

     

    It works fine (I was losing hours with other tutorials; you saved my life!!)

     

    Always happy to save a life!

     

    Hello

     

    Do you have a procedure to renew the certificate after 90 days?

    I tried with "letsencrypt renew" but I got this error:

     

    2017-01-15 07:53:28,164:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/myserver.conf produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.

     

    Thanks

     

    I should have included it in my original post, but here it is:

     

    Essentially you repeat the process above exactly as you did right in the beginning with only one minor difference.  When you run the command to generate the cert, it will offer you an option to renew the existing one.  The rest remains unchanged. You also must remember to stop Tomcat before the procedure and then of course start it again.  If you do not you will get an error saying that the port is already in use.

     

    Go to where you downloaded the certbot-auto file and enter these commands:

     

    $ sudo service tomcat8 stop

    $ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext    # SELECT OPTION 2 (to renew)

    $ cd /etc/letsencrypt/live/example.mydomain.ext/

    $ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat

                ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.

     

    $ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat    # CONFIRM OVERWRITE

     

    $ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore

    $ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore

    $ sudo chmod 640 $CATALINA_HOME/conf/.keystore

    $ sudo service tomcat8 start

     

    Use the same password with which you originally installed or alternatively update your Tomcat server.xml config

     

    Thanks a lot

     

    It works fine

    Just one clarification to add (at least for me):

     

    I have to stop the tomcat8 service first, otherwise port 443 is already in use when executing ./certbot-auto

     

    Pascal

     

    PS: I think that your procedure should be added in the Thingworx installation guide!!

     

    Thanks Pascal!

     

    I wanted to add the start/stop notes about Tomcat, but forgot.  Your post reminded me and I updated accordingly.

     

    I am sure we could automate the procedure for every 60 days with a script and cron, but I don't have time to figure it out now.  Maybe later.

     

    Yes, I'll also automate it with a script in a crontab, as I have 5 servers to manage with letsencrypt certificates.

    Fortunately the other ones are simpler than with Thingworx/tomcat  (for apache, just "letsencrypt renew")

     

    There are many examples on the web to test the validity and to renew before expiration, I'll adapt

     

    Pascal
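The cron automation discussed in the posts above, as an added example (not code from the thread): it repeats the manual renewal steps, reads the keystore password from a file instead of the command line, and restarts Tomcat even if a step fails. The password file path, the `--apply` switch, the fallback Tomcat directory and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed/hypothetical: PASSFILE location,
# the --apply switch, the 30-day window. Service and file names follow the thread.
DOMAIN=${DOMAIN:-example.mydomain.ext}
LIVE=${LIVE:-/etc/letsencrypt/live/$DOMAIN}
KEYSTORE=${KEYSTORE:-${CATALINA_HOME:-/opt/tomcat}/conf/.keystore}
PASSFILE=${PASSFILE:-/etc/tomcat8/keystore.pass}   # hypothetical; root-owned, mode 600
CERTBOT=${CERTBOT:-./certbot-auto}
WINDOW=${WINDOW:-2592000}                          # renew when < 30 days remain
DRY_RUN=${DRY_RUN:-1}                              # 1 = print the commands only

# In dry-run mode print the command; otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True (0) when the certificate is missing or expires within $WINDOW seconds.
needs_renewal() {
    [ -f "$1" ] || return 0
    ! openssl x509 -checkend "$WINDOW" -noout -in "$1" >/dev/null 2>&1
}

# Same steps as the manual procedure. Passwords are read from $PASSFILE by
# openssl (-passout file:) and keytool (:file modifier), so they never appear
# in the process list or shell history.
renew_keystore() {
    run service tomcat8 stop || return 1       # free port 443 for --standalone
    status=0
    { run "$CERTBOT" renew &&
      run openssl pkcs12 -export -in "$LIVE/fullchain.pem" \
          -inkey "$LIVE/privkey.pem" -out "$LIVE/pkcs.p12" -name tomcat \
          -passout "file:$PASSFILE" &&
      run keytool -importkeystore -noprompt -alias tomcat \
          -srckeystore "$LIVE/pkcs.p12" -srcstoretype PKCS12 \
          -srcstorepass:file "$PASSFILE" -destkeystore "$KEYSTORE" \
          -deststorepass:file "$PASSFILE" -destkeypass:file "$PASSFILE" &&
      run chown root:tomcat8 "$KEYSTORE" &&
      run chmod 640 "$KEYSTORE"; } || status=1
    run service tomcat8 start || status=1      # restart even if a step failed
    return "$status"
}

# Cron entry point (root's crontab): does nothing unless called with --apply.
if [ "${1:-}" = "--apply" ] && needs_renewal "$LIVE/cert.pem"; then
    DRY_RUN=0
    renew_keystore
fi
```

Without `--apply` the script only defines its functions; calling `renew_keystore` with `DRY_RUN=1` prints the seven commands in order so they can be reviewed before the job is scheduled.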

     

    Please note: When renewing your certificate, you need to use the same password used to generate the initial certificate. Check Tomcat server.xml if you can't remember.

     

    I could install the SSL certificate for Tomcat by following your article. But after that, the remote device can't connect to the server (using C SDK) with error:

    TW_VALIDATE_CERT: Certificate rejected.  Code: 20, Reason = unable to get local issuer certificate

    twTlsClient_Connect: Error intializing TLS connection.  Invalid certificate

    Do you have any clue about this problem?

     

    I have heard of this once before from someone else.  I am sorry, I can't be of more assistance, but I believe you may need to update to the most recent version of the SDK.

     

    Please post back here if you figure it out.

     

    Disclaimer:  These are only suggestions to try and my best guesses.  Quite difficult to provide more accurate response with the information provided.

     

    I believe your issue may possibly be caused by the default configuration of the C SDK, which requires that your SSL certificate is an EV certificate (Extended Validation Certificate). More details on certificates here: https://en.wikipedia.org/wiki/Extended_Validation_Certificate

     

    You can try the following in your C SDK implementation: turn off validation by using: tls->validateCert = FALSE;

     

    Also as previously mentioned, make sure you are using a recent version of the SDK.
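The code and reason string in the log above match OpenSSL's verify error 20, which is reported when the verifier finds no certificate for the issuer in the trust store it was given. This added example (not from the thread or the SDK) reproduces that with constructed throwaway certificates and shows the error clearing once the issuing CA is in the trusted bundle; all file names and subject names are made up.

```shell
#!/bin/sh
# Added example with constructed certificates; nothing here contacts a server.

# Build a throwaway PKI in directory $1: an issuing CA, a server certificate it
# signs, and an unrelated CA standing in for a trust store without the issuer.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.mydomain.ext" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}

# Print the verify error code for certificate $2 when only the CA bundle $1
# is trusted: 0 when the chain verifies, "unknown" if openssl gave no code.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        case $out in *": OK"*) echo 0 ;; *) echo unknown ;; esac
    fi
}

# Demo run: the same server certificate against the two trust stores.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" && {
    echo "issuer missing: code $(verify_code "$demo_dir/other.pem" "$demo_dir/server.pem")"
    echo "issuer present: code $(verify_code "$demo_dir/ca.pem" "$demo_dir/server.pem")"
}
rm -rf "$demo_dir"
```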


     

    Hello Duan,

     

    Thanks for sharing useful info. I want to ask a question before trying it. My Thingworx runs on a Windows OS instance. If I follow the steps below, is it OK for my scenario?

     

    1. I will generate certificate on Linux VM with your tutorial,

    2. I will copy the certificate to the Thingworx instance, which is Windows OS,

    3. Restart Tomcat,

     

    Regards,

     

    This document was generated from the following discussion: Install a Free SSL Certificate from Let's Encrypt in Thingworx