So I have created a few JRDC2 apps. I put them on a VPS as live demo. It is running on Ubuntu 18.04 64 bit. Today I wanted to make the app more secure by enabling SSL certificate. I have chosen to use Let's Encrypt. There are many tutorials here but I am confused with the steps. Especially for people who are not familiar with Linux path and commands.
The steps explained in http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool (updated link: Generating Key Pairs and Certificates) is confusing and I have read many times tried to understand which parts are required. After spending a few hours, I have finally able to put all the puzzles together.
To summarize what I have learned,
I can enable SSL (or https in the URL) in my app without purchasing an SSL certificate (since my app is for demo/testing purpose and not considered critical). Let's Encrypt is a popular choice. I found it is easy to install on Ubuntu. Once installed, my website is now SSL enabled (served by Apache on port 80).
The steps explained in http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool (updated link: Generating Key Pairs and Certificates) is confusing and I have read many times tried to understand which parts are required. After spending a few hours, I have finally able to put all the puzzles together.
To summarize what I have learned,
I can enable SSL (or https in the URL) in my app without purchasing an SSL certificate (since my app is for demo/testing purpose and not considered critical). Let's Encrypt is a popular choice. I found it is easy to install on Ubuntu. Once installed, my website is now SSL enabled (served by Apache on port 80).
#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates
Downloading and Installing Let's Encrypt
1. Update the server's packages
Bash:
apt-get update & sudo apt-get upgrade
Bash:
apt-get install git
Bash:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Bash:
cd /opt/letsencrypt
1. Run Let's Encrypt (api.puterise.com is my domain)*
Bash:
./letsencrypt-auto certonly --standalone -d api.puterise.com
3. Agree to the Terms of Service
4. If everything worked properly, you should receive a message similar to the following
IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through e-mails sent to [email protected].
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/api.puterise.com/fullchain.pem. Your cert will expire on 2021-01-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now, to make it work on B4J JRDC2 app:
#2 How to use Letsencrypt certificate & private key with Jetty (xkr47/letsencrypt-jetty.sh)
Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# rm keystore.pkcs12
Now I can use the keystore file in B4J server code.
B4X:
ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file
Conclusion:
The above steps explained how I can enable SSL in hosted VPS server with certificates already generated by Let's Encrypt.
For local development machine, it is easier to follow the steps to generate the keystore file from Generating Key Pairs and Certificates.
B4X:
#If RELEASE
ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file
#Else
ssl.SetKeyStorePath("C:\SSL", "jetty.keystore") 'path to keystore file
#End If