B4J Question [Solved] [ABMaterial] - using https (secure)

Harris

Expert
Licensed User
Longtime User
myApp.StartServerHTTP2(srvr, "srvr", port, 443,"keystore","b12xxxxx","b12xxxxx" ) ' port = 51046
Is this correct?


I purchased SSL cert from SSLs.com (namecheap)...

I had my VPS provider setup the certs on my VPS.
I created a keystore (named keystore) according to this command - and answering questions...

keytool -keystore keystore -alias jetty -genkey -keyalg RSA

Updated server with new jar and rebooted. The jar did start on the server, however
now I can't run the app in my browser.
 

XbNnX_507

Active Member
Licensed User
Longtime User
Upgrade my server to openjdk 11 (headless). That was the only option I had.
OK, then I suppose you are using Java 9 or OpenJDK 11 on your B4J development machine...
if so then you only need to generate the keystore and use it.
How are you generating the keystore?
 

Harris

Expert
Licensed User
Longtime User
How are you generating the keystore?
Explained previously in this thread... Then updated with help on a PM.

keytool -import -trustcacerts -alias root -file xxx.ca-bundle -keystore jetty.keystore

keytool -import -trustcacerts -alias jetty -file yyy.crt -keystore jetty.keystore
 

Harris

Expert
Licensed User
Longtime User
What do the B4J logs say when you start the server?
Before we go down this path, let me use your suggestion ( explorer - yet to see if it helps - if any or at all).

I have sprinkled Log() statements, and they say nothing out of the ordinary - when the app runs (which it doesn't since non-secure).
I posted an error from the logs previously - which makes absolutely no sense to me - since I can't see where it originated (it was not from a Log() or LastException message).
 

MichalK73

Well-Known Member
Licensed User
Longtime User
I had a problem with SSL on a VPS with ABMaterial.
I did this:
1. I generated my certificates according to https://www.b4x.com/android/forum/threads/server-ssl-connections.40130/#content
2. I used Java 9 and the same version on the VPS server for compilation.
3. I cached the certificate to the ABMaterial server, and both locally and online on the VPS I had an unauthorized certificate (port 433).
4. I have a free account on cloudflare.com; I registered there and set the VPS IP. I turned on the Cloudflare proxy and forced HTTPS with a CF certificate.
5. The server now runs on trusted SSL from CF. It loads very quickly through the CF proxy cache. I did not pay for SSL and ran several servers this way. In addition, we have hidden our VPS IP and secured the server against DoS.

Maybe someone will use it.
 

Harris

Expert
Licensed User
Longtime User
Maybe we are getting somewhere?
Finally got this from SSLs.com after explaining (twice) what the issue was...
Apache SSL worked (always did). JAVA - Jetty did not... AND I needed a private key and a keystore...

If this doesn't work, I am returning the product (15 day money back) and going with the free (working) solutions...

Wish me luck!


Support via mtu5osii45tlgw7x.zcbjc.1n-2ljihuac.na78.bnc.salesforce.com
2:45 PM (3 hours ago)

Hi,
Thank you for writing to us.
If that is the case, you can export the certificate as a PFX file from the Apache server, then convert the PFX file to JKS (Java Keystore) and configure the Java (Jetty) server.
In order to export the Certificate, Private Key and any intermediate certificate as a PFX file from the Apache server, use the command below:

- > openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

Note: Remember to change the names to match your file names! The PFX is a combination of both the certificate (public) and the private key.

After exporting the certificate as a PFX file from the Apache server, you can convert it to JKS (Java Keystore) and configure it on the new server.
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFTb
Please let us know if you need any further support.

Regards,
Sectigo - Technical Support
 

Harris

Expert
Licensed User
Longtime User
With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.
 

Cableguy

Expert
Licensed User
Longtime User
With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.
I will be one of those who will surely forget someone else (you) has gone through all this trouble, and will spend over a week and over 60 posts to get it done... And then find your post!
 

Jmu5667

Well-Known Member
Licensed User
Longtime User
With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.
Did you ever do the tutorial? I am currently trying to get it working (Windows), using OpenJDK 11 and ABM with a keystore file.
 

Harris

Expert
Licensed User
Longtime User
Did you ever do the tutorial? I am currently trying to get it working (Windows), using OpenJDK 11 and ABM with a keystore file.
I started and got lost within the documenting process. Like I stated, it was a complex endeavour.

However, I managed to get Let's Encrypt running, much easier following the tuts available here. The issue with it was its short running time before renewal.
When I tried to renew it, it would always fail. It seems so simple, but I don't get it...
 

Jmu5667

Well-Known Member
Licensed User
Longtime User
I started and got lost within the documenting process. Like I stated, it was a complex endeavour.

However, I managed to get Let's Encrypt running, much easier following the tuts available here. The issue with it was its short running time before renewal.
When I tried to renew it, it would always fail. It seems so simple, but I don't get it...
Thanks for the reply, as usual @OliverA came to the rescue. It's the renewal thing that is a pain...
 

alwaysbusy

Expert
Licensed User
Longtime User
This looks like a good tutorial: https://www.b4x.com/android/forum/threads/server-using-lets-encrypt-on-ubuntu-vps.124059/

It is indeed the renew part that is annoying. In short, this is what I did when I used to do it myself (we now use an external company to manage our servers):

The tricky part is using apache on the linux to receive your letsencrypt key files for your domain (it needs port 80/443) and NO B4J webapps running. You then receive 2 .pem files that you have to convert to a keystore file. I used https://www.dynu.com to register my domain and it had a DNS A-Record and Web Redirect to my home server's IP address.

1. install certbot
B4X:
sudo apt-get install certbot

If you are running haproxy, make sure you disable it too:
B4X:
sudo systemctl stop haproxy.service

2. get your .pem keys:
B4X:
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d mydomain.com

3. Pick option 3 (use a file)

4. Enter the full path to your apache www root (in my case it was)
B4X:
/var/www/html

Now a file will be created there and Let's Encrypt must be able to download this file to verify this domain belongs to you.

5. You receive something like this if successful:
B4X:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2018-02-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"

6. Make a pkcs12 file
B4X:
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem

7. Finally convert it to a keystore file
B4X:
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

You can now also restart haproxy (if needed)
B4X:
sudo systemctl start haproxy.service

8. And start your B4J Server

Renew:
B4X:
Stop your B4J Server

sudo systemctl stop haproxy.service
cd certbot-auto
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
sudo systemctl start haproxy.service

Start your B4J Server

I always wanted to look into the Let's Encrypt alternative https://zerossl.com/, as it seems to have the possibility to use a REST API (zerossl itself is also free, but the use of the REST API is paid, unfortunately).

Alwaysbusy
 

Harris

Expert
Licensed User
Longtime User
Yep, familiar with this tut you directed us to.

Installing was not an issue... updating was - when expired...
Seems this is THE problem with FREE ssl certs (Let's Encrypt)... Manual updating - when you discover it HAS expired.

Why there is no automatic renewal for LE, I don't understand. I paid for another SSL that was a pain to install - but would never expire...
I would pay for that (LE - auto renew - without me going insane).

I know this is not your issue to resolve.
@OliverA is the mastermind in this regard - but us mere mortals have much trouble comprehending - and repeating / renewal.

We shall overcome - lament....

The real problem is that these SSL folks/providers DID NOT use B4X to build their product(s).
If they had, no one would have any problem with any Java implementation (in my simple mind).

Hey @Erel , build one and I shall subscribe and pay....
Thanks
 

alwaysbusy

Expert
Licensed User
Longtime User
I guess a cron job should do the trick so it renews before it has expired. If the renew part of my answer is in a mycertbot.sh file, something like this (untested):

B4X:
#!/bin/sh
pkill -9 -f yourb4xjarname.jar

sudo systemctl stop haproxy.service
cd certbot-auto
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
sudo systemctl start haproxy.service

nohup path_to_java/bin/java -jar yourb4xjarname.jar > nohup.out &

Make the script executable:
B4X:
chmod +x /pathto/mycertbot.sh

This code will run on every weekend at 3.00 am.
B4X:
# minute 0 of hour 3 every Saturday; with * in the minute field cron would run the script every minute from 3:00 to 3:59
0 3 * * 6 /pathto/mycertbot.sh

Alwaysbusy
 
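Added example, not code from the thread or from ABMaterial: a certbot deploy hook that folds alwaysbusy's renew steps and the weekly cron script into one script certbot runs only after a real renewal, so the openssl/keytool conversion and the server restart never happen against an unchanged certificate. KEYSTORE_DIR, KEYSTORE_PASS and the b4jserver.service unit name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. certbot runs it as a deploy hook:
#   certbot renew --deploy-hook /pathto/b4j-deploy-hook.sh
# certbot exports RENEWED_LINEAGE only on a run that really renewed the certificate,
# so the keystore is rebuilt and the B4J jar restarted only on those runs.
# Assumed placeholders: KEYSTORE_DIR, KEYSTORE_PASS, the b4jserver.service unit name.
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/opt/b4j}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"   # placeholder: pass the real one in the environment

# Succeeds when the lineage directory holds both non-empty files certbot writes after a renewal.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# The thread's two conversion commands (openssl pkcs12 -export, keytool -importkeystore),
# made non-interactive and staged through temp files next to the target, so a failing
# keytool step never overwrites the keystore the running server depends on.
build_keystore() {
    lineage="$1"; out="$2"
    tmp_p12="$(mktemp "$out.XXXXXX")"; tmp_jks="$tmp_p12.jks"
    openssl pkcs12 -export -name jetty -in "$lineage/fullchain.pem" \
        -inkey "$lineage/privkey.pem" -out "$tmp_p12" -passout "pass:$KEYSTORE_PASS"
    keytool -importkeystore -noprompt -srckeystore "$tmp_p12" -srcstoretype PKCS12 \
        -srcstorepass "$KEYSTORE_PASS" -destkeystore "$tmp_jks" -deststorepass "$KEYSTORE_PASS"
    chmod 600 "$tmp_jks"
    mv "$tmp_jks" "$out"     # same directory, so the rename is atomic: old keystore or new, never half-written
    rm -f "$tmp_p12"
}

# RENEWED_LINEAGE is e.g. /etc/letsencrypt/live/mydomain.com; unset when run by hand or by a no-op renew.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_ok "$RENEWED_LINEAGE" || { echo "pem files missing in $RENEWED_LINEAGE" >&2; exit 1; }
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE_DIR/keystore.jks"
    systemctl restart b4jserver.service   # assumed unit that wraps "java -jar yourb4xjarname.jar"
fi
```

Schedule a plain `certbot renew` daily (cron, or the systemd timer the Debian/Ubuntu certbot package installs); it does nothing until the certificate is within 30 days of expiry, so the hook and the restart only run when the keystore really changed.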

Jmu5667

Well-Known Member
Licensed User
Longtime User
I guess a cron job should do the trick so it renews before it has expired. If the renew part of my answer is in a mycertbot.sh file, something like this (untested):

B4X:
#!/bin/sh
pkill -9 -f yourb4xjarname.jar

sudo systemctl stop haproxy.service
cd certbot-auto
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
sudo systemctl start haproxy.service

nohup path_to_java/bin/java -jar yourb4xjarname.jar > nohup.out &

Make the script executable:
B4X:
chmod +x /pathto/mycertbot.sh

This code will run on every weekend at 3.00 am.
B4X:
# minute 0 of hour 3 every Saturday; with * in the minute field cron would run the script every minute from 3:00 to 3:59
0 3 * * 6 /pathto/mycertbot.sh

Alwaysbusy
What would that look like under Windows?
 

Jmu5667

Well-Known Member
Licensed User
Longtime User
Yep, familiar with this tut you directed us to.

Installing was not an issue... updating was - when expired...
Seems this is THE problem with FREE ssl certs (Let's Encrypt)... Manual updating - when you discover it HAS expired.

Why there is no automatic renewal for LE, I don't understand. I paid for another SSL that was a pain to install - but would never expire...
I would pay for that (LE - auto renew - without me going insane).

I know this is not your issue to resolve.
@OliverA is the mastermind in this regard - but us mere mortals have much trouble comprehending - and repeating / renewal.

We shall overcome - lament....

The real problem is that these SSL folks/providers DID NOT use B4X to build their product(s).
If they had, no one would have any problem with any Java implementation (in my simple mind).

Hey @Erel , build one and I shall subscribe and pay....
Thanks
I would pay for a solution for this.
 

alwaysbusy

Expert
Licensed User
Longtime User
What would that look like under Windows?
No idea, never used a Webserver on Windows, always on Linux.

build one and I shall subscribe and pay
I think the major problem here is the certificate has to be built on your server and domain, so I don't see how one could make a 'service' out of that (well, except hosting your webapps as well, but then we are back to square one).

Alwaysbusy
 