B4J Question Going SSL - simple questions

udg

Expert
Licensed User
Hi all,
some time ago I successfully activated a Let's Encrypt certificate on my low-cost VPS machine in order to satisfy requirements by Mosquitto MQTT.
Now, I'd like to use that same certificate to activate https service for a couple of jServer-based apps.
All the steps to do it are clear, but there are a few questions regarding what follows a successful installation and activation.

1. Should I necessarily define two ports (one for http and one for https) even if I plan to use the filter redirect option in order to allow connection to my service only through the SSL protocol?

2. Once the Let's Encrypt certificate needs a renewal (approximately every 90 days), should I go through all the setting-up process again? Ok, it's just a couple of minutes more, but it is due (I guess so)?

3. In the event that the setup step is to be repeated at each certificate renewal, should I restart the JServer-based service in order to let it load the new keystore?

TIA
 

alwaysbusy

Expert
Licensed User
2. I use LetsEncrypt, and I only have to redo these two (given that you do it within 90 days):

B4X:
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/yoursite.com/fullchain.pem -inkey /etc/letsencrypt/live/yoursite.com/privkey.pem
 

udg

Expert
Licensed User
Hi Alain, thank you.
Don't you need to follow the openssl command with
B4X:
sudo keytool -importkeystore -srckeystore keystore.pkcs12.....
too? And the server doesn't need to be restarted? This last point lets me think that the jetty component checks the keystore at each request rather than at its start and, frankly, it seems a bit strange.
Anyway, since you're talking from direct hands-on experience I believe that things are just like you describe them (which is good for me..less work to do..ehehe).
Thank you again
 

alwaysbusy

Expert
Licensed User
Don't you need to follow the openssl command with
No, I think the certbot-auto renew does take care of this (provided you do it within 90 days).

And the server doesn't need to be restarted?
Yes, I do have to restart my .jar.

My full command-list I do every 90 days is this (I have to stop the haproxy because LetsEncrypt must be able to access the www folder and not be redirected to my jetty app)

B4X:
sudo systemctl stop haproxy.service
cd certbot-auto
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/yoursite.com/fullchain.pem -inkey /etc/letsencrypt/live/yoursite.com/privkey.pem
sudo systemctl start haproxy.service
 
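The 90-day routine above can be wired into certbot's own hooks so the PKCS12 conversion and the jar restart happen only when a certificate was actually renewed, and haproxy is stopped only for the duration of the ACME challenge. The following script is an added example for this thread, not code from either poster or from B4J/jServer; the keystore path, the systemd unit name, the password file and the install path of the script itself are assumptions you must adapt. `RENEWED_LINEAGE`, `--pre-hook`, `--post-hook` and `--deploy-hook` are real certbot features (certbot-auto shares the same flags).

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the jServer/Jetty PKCS12 keystore
# from a Let's Encrypt lineage and restarts the service. Paths and unit name below
# are assumptions, not values from the forum thread.
set -eu

KEYSTORE="${KEYSTORE:-/opt/myapp/keystore.pkcs12}"   # assumed: keystore path the jServer app loads
SERVICE="${SERVICE:-myapp.service}"                   # assumed: systemd unit running the .jar
PASS_FILE="${PASS_FILE:-/etc/myapp/keystore.pass}"   # assumed: root-only file holding the keystore password

# Build a PKCS12 keystore from a lineage directory.
#   $1 = lineage dir (e.g. /etc/letsencrypt/live/yoursite.com)
#   $2 = output keystore path
#   $3 = keystore password
# fullchain.pem carries the leaf plus intermediates, so Jetty presents the whole chain.
# The file is written to a temp name, locked to 0600, then moved into place atomically,
# so a half-written keystore is never picked up by a restarting server.
make_keystore() {
    lineage="$1"; out="$2"; pass="$3"
    tmp="$out.tmp.$$"
    # If an older Java runtime refuses a keystore produced by OpenSSL 3, add "-legacy" here.
    openssl pkcs12 -export -out "$tmp" \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name jetty -passout "pass:$pass"
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# Sanity check after conversion: number of certificates in the keystore (leaf + chain),
# read without exporting the private key.
#   $1 = keystore path, $2 = keystore password
keystore_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Entry point used by certbot: RENEWED_LINEAGE is set by certbot for --deploy-hook and
# points at the lineage that was just renewed. The hook only runs on a real renewal,
# so the keystore and the service are untouched when nothing changed.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?must be run by certbot as a --deploy-hook}"
    make_keystore "$lineage" "$KEYSTORE" "$(cat "$PASS_FILE")"
    # Jetty reads the keystore at startup, so the jar must be restarted to serve the new cert.
    systemctl restart "$SERVICE"
}

# Typical renewal run (assumed install path for this script). The pre/post hooks replace
# the manual haproxy stop/start so the ACME challenge can reach the www folder, and the
# deploy step fires only for a lineage that was actually renewed:
#   sudo certbot renew --pre-hook  'systemctl stop haproxy.service' \
#                      --post-hook 'systemctl start haproxy.service' \
#                      --deploy-hook '/usr/local/sbin/renew-keystore.sh deploy'
case "${1:-}" in
    deploy) deploy_hook ;;
esac
```

Keeping the password in a root-owned file rather than on the command line keeps it out of `ps` output and shell history; the 0600 mode on the keystore matters because it contains the private key that `privkey.pem` already protects the same way.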