
B4J Question Going SSL - simple questions

Discussion in 'B4J Questions' started by udg, Apr 26, 2019.

  1. udg

    udg Expert Licensed User

    Hi all,
    some time ago I successfully activated a Let's Encrypt certificate on my low-cost VPS machine in order to satisfy requirements by Mosquitto MQTT.
    Now, I'd like to use that same certificate to activate https service for a couple of jServer-based apps.
    All the steps to do it are clear, but there are a few questions regarding what follows a successful installation and activation.

    1. Should I necessarily define two ports (one for http and one for https) even if I plan to use the filter redirect option in order to allow connection to my service only through the SSL protocol?

    2. Once the Let's Encrypt certificate needs renewal (approximately every 90 days), should I go through the whole setup process again? Ok, it's just a couple of minutes more, but is it required (I guess so)?

    3. In the event that the setup step is to be repeated at each certificate renewal, should I restart the JServer-based service in order to let it load the new keystore?

    TIA
     
  2. alwaysbusy

    alwaysbusy Expert Licensed User

    2. I use LetsEncrypt, and I only have to redo these two (given that you do it within 90 days):

    Code:
    sudo ./certbot-auto renew
    sudo openssl pkcs12 -export -out keystore.pkcs12 \
        -in /etc/letsencrypt/live/yoursite.com/fullchain.pem \
        -inkey /etc/letsencrypt/live/yoursite.com/privkey.pem
     
  3. udg

    udg Expert Licensed User

    Hi Alain, thank you.
    Don't you need to follow the openssl command with
    Code:
    sudo keytool -importkeystore -srckeystore keystore.pkcs12.....
    too? And the server doesn't need to be restarted? This last point makes me think that the jetty component checks the keystore at each request rather than at its start and, frankly, it seems a bit strange.
    Anyway, since you're talking by direct hands-on experience I believe that things are just like you describe them (which is good for me..less work to do..ehehe).
    Thank you again
     
  4. alwaysbusy

    alwaysbusy Expert Licensed User

    No, I think the certbot-auto renew does take care of this (provided you do it within 90 days).

    Yes, I do have to restart my .jar

    My full command-list I do every 90 days is this (I have to stop the haproxy because LetsEncrypt must be able to access the www folder and not be redirected to my jetty app)

    Code:
    sudo systemctl stop haproxy.service
    cd certbot-auto
    sudo ./certbot-auto renew
    sudo openssl pkcs12 -export -out keystore.pkcs12 \
        -in /etc/letsencrypt/live/yoursite.com/fullchain.pem \
        -inkey /etc/letsencrypt/live/yoursite.com/privkey.pem
    sudo systemctl start haproxy.service
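    The procedure above, as an added example that is not from this thread or from B4J: a certbot deploy hook that rebuilds the PKCS12 keystore and restarts the jar only when certbot actually renewed the certificate (certbot sets RENEWED_LINEAGE for a --deploy-hook), checks that the keystore really contains the renewed leaf before restarting, and writes the file atomically. The keystore path, the service name and the keystore password (which must match what the jServer code passes to SetSslConfiguration) are assumptions.

```shell
#!/bin/sh
# Added example: run as `certbot renew --deploy-hook /path/to/this.sh`
# (with --pre-hook/--post-hook to stop and start haproxy if needed).
# Jetty reads the keystore at start-up, so the service must be restarted.
set -eu

KEYSTORE="${KEYSTORE:-/opt/myapp/keystore.pkcs12}"   # assumed path
JAR_SERVICE="${JAR_SERVICE:-myjserverapp.service}"   # assumed unit name
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"           # assumed; match your jServer code

# Verify the lineage directory holds both files the export needs.
# Returns 0 when OK, 1 otherwise, so nothing touches the live keystore on error.
check_lineage() {
    dir="$1"
    [ -r "$dir/fullchain.pem" ] || { echo "missing $dir/fullchain.pem" >&2; return 1; }
    [ -r "$dir/privkey.pem" ]   || { echo "missing $dir/privkey.pem" >&2; return 1; }
    return 0
}

# Export to a temp file, then move it into place so a restarting app
# never loads a half-written keystore. -passout avoids the interactive prompt.
export_keystore() {
    dir="$1"; out="$2"
    tmp="$(mktemp "${out}.XXXXXX")"
    openssl pkcs12 -export -out "$tmp" \
        -in "$dir/fullchain.pem" -inkey "$dir/privkey.pem" \
        -passout "pass:$KEYSTORE_PASS"
    chmod 640 "$tmp"
    mv -f "$tmp" "$out"
}

# Confirm the keystore carries the renewed leaf: compare SHA-256 fingerprints
# of the first cert in fullchain.pem and the client cert inside the PKCS12.
keystore_matches() {
    dir="$1"; ks="$2"
    a="$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256)"
    b="$(openssl pkcs12 -in "$ks" -nokeys -clcerts -passin "pass:$KEYSTORE_PASS" \
         | openssl x509 -noout -fingerprint -sha256)"
    [ "$a" = "$b" ]
}

main() {
    check_lineage "$RENEWED_LINEAGE"
    export_keystore "$RENEWED_LINEAGE" "$KEYSTORE"
    keystore_matches "$RENEWED_LINEAGE" "$KEYSTORE"
    systemctl restart "$JAR_SERVICE"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/yoursite.com)
# only when a certificate was actually renewed; otherwise do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Because Jetty can open a PKCS12 file directly, no keytool -importkeystore step is needed after the openssl export.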
     