13 Replies. Latest reply on Nov 14, 2017 3:22 PM by duang
    duang Apprentice

    Install a Free SSL Certificate from Let's Encrypt in Thingworx

    I thought I would share how to install a valid signed certificate from a new Certificate Authority called "Let's Encrypt" https://letsencrypt.org/

     

    Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

     

    I have tested this on Ubuntu 14.04 LTS but I am sure you would be able to figure it out on other operating systems as well.

     

    Reference site: https://certbot.eff.org/#ubuntutrusty-other

    Reference site: https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/

     

    To install your certificate:

     

    First install and configure Java and Tomcat to the point where you would usually generate a self-signed certificate.

     

    ------Start----

    $ cd

    $ wget https://dl.eff.org/certbot-auto

    $ chmod a+x certbot-auto

    $ ./certbot-auto

    $ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext

    $ cd /etc/letsencrypt/live/example.mydomain.ext/

    $ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat

                ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.

     

    $ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat

     

    $ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore

    $ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore

    $ sudo chmod 640 $CATALINA_HOME/conf/.keystore

     

    ------End---

     

     

    When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:

     

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${user.home}/8.0.33/conf/.keystore" keystorePass="mypassword"
               clientAuth="false" sslProtocol="TLS" />

     

    To renew your certificate:

     

    Essentially you repeat the process above exactly as you did right in the beginning with only one minor difference.  When you run the command to generate the cert, it will offer you an option to renew the existing one.  The rest remains unchanged.  You also must remember to stop Tomcat before the procedure and then of course start it again.  If you do not you will get an error saying that the port is already in use.

     

    Go to where you downloaded the certbot-auto file and enter these commands:

     

    ------Start----

    $ sudo service tomcat8 stop

    $ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext

                ==== select option 2 (to renew if it has not yet expired)

    $ cd /etc/letsencrypt/live/example.mydomain.ext/

    Please note: When renewing you need to use the same password used to generate the initial certificate. Check Tomcat server.xml if you can't remember.

    $ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat

                ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.

     

    $ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat

                ==== confirm the overwrite when asked

     

    $ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore

    $ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore

    $ sudo chmod 640 $CATALINA_HOME/conf/.keystore

    $ sudo service tomcat8 start

     

    ------End---

     

    Use the same password with which you originally installed, or alternatively update your Tomcat server.xml config.

     

    If you want to test if your certificate is installed, you can do so from the command line by issuing the following:

    $ curl https://example.mydomain.ext/ --tlsv1.2 --verbose

     

     

    Notes:

    All items in GREEN should be modified to suit your environment / password policies.

    ----------------------------------------------------------------------------------------------------------------

    Message was edited by: Duan Gauché Correction: Incorrect: "When you configure $CATALINA_HOME/conf/context.xml use the following for port 443:" now corrected to: "When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:"

    Message was edited by: Duan Gauché Added instructions to renew the certificates.

    Message was edited by: Duan Gauché - Added stop and start commands for Tomcat to avoid the socket in use error when renewing. - Thanks for the reminder Pascal
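As an added example (not code from the post above), here is the renewal procedure folded into one script with two checks a practitioner would want: it reads keystorePass out of server.xml so the rebuilt keystore always matches what Tomcat is configured with, and it hands the password to openssl and keytool through the environment rather than on the command line, where it would be visible in the process list and shell history. The domain, the tomcat8 service name, the CATALINA_HOME default and the certbot-auto location are assumptions taken from the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: domain and tomcat8 service
# from the post, CATALINA_HOME default if unset, certbot-auto in the current dir.
set -eu

DOMAIN="${DOMAIN:-example.mydomain.ext}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat8}"
SERVER_XML="$CATALINA_HOME/conf/server.xml"
KEYSTORE="$CATALINA_HOME/conf/.keystore"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"

# Pull keystorePass="..." from the HTTPS connector so the new keystore uses the
# password Tomcat already expects (the post warns about a mismatch on renewal).
keystore_pass_from_server_xml() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rebuild the JKS from the live fullchain/privkey. openssl reads the password
# from $KS_PASS via env:, keytool via :env, so it never appears in `ps`.
build_keystore() {
    openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
        -out "$1/pkcs.p12" -name tomcat -passout env:KS_PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$1/pkcs.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$1/MyDSKeyStore.jks" -deststorepass:env KS_PASS \
        -destkeypass:env KS_PASS -alias tomcat
    # Refuse to install a keystore that does not open with that password and
    # hold the "tomcat" alias; this is exactly what Tomcat will try at startup.
    keytool -list -keystore "$1/MyDSKeyStore.jks" -storepass:env KS_PASS -alias tomcat >/dev/null
}

renew_and_install() {
    KS_PASS="$(keystore_pass_from_server_xml "$SERVER_XML")"
    [ -n "$KS_PASS" ] || { echo "no keystorePass found in $SERVER_XML" >&2; return 1; }
    export KS_PASS
    workdir="$(mktemp -d)"
    sudo service tomcat8 stop                 # --standalone needs the port free
    ./certbot-auto certonly --standalone -d "$DOMAIN" --keep-until-expiring --non-interactive
    build_keystore "$workdir"
    # Same owner and mode as the post's cp + chown + chmod, in one step.
    sudo install -o root -g tomcat8 -m 640 "$workdir/MyDSKeyStore.jks" "$KEYSTORE"
    sudo service tomcat8 start
    rm -rf "$workdir"
    # The post's own smoke test: does the server present a chain curl accepts?
    curl --tlsv1.2 -sS -o /dev/null "https://$DOMAIN/"
}

if [ "${1:-}" = "run" ]; then renew_and_install; fi
```

Run it as `./renew-tomcat-cert.sh run` from the directory holding certbot-auto; without the argument it only defines the functions.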