B4J Question VPS ssl on port 8000 for a b4j webserver

[yfleury]

Because this subject was beginning here
https://www.b4x.com/android/forum/threads/vps-jar-error.147321/
But there is not the right subject and to be confusing, so now it's was right place.

I have a VPS server and a b4j webserver running port 8000
On my local computer, I create a keystore and upload it on vps.
Now I can acces to my b4j webserver on vps by https on port 8000. But I receive a warning the browser will not trust the certificate

On VPS I use Let's Encrypt on port 443 and port 80 is redirect to https (443)
So I can download .pem file
I can have acces to

CSR​

like this

-----BEGIN CERTIFICATE REQUEST-----
MIICqDCCAZACAQAwHDEa
....
....
auJxKwzQyE+4xhHWyQotdN2QmnPtmcyZfdaSq8NwREK5baJeE3/rbyrb0WNQ9nad
lD2/ugslDfJtLYPI
-----END CERTIFICATE REQUEST-----

Private key (*.key)​

Certificate (*.crt)​

CA certificate (*-ca.crt)​

Then now I am stuck here. Can I do something with keystore and theses informations (Let's Encrypt things)?
What is next?

 

[jahswant]

The certificate is expiring on the 13/04/2023 you should renew it.

 

[yfleury]

The certificate is expiring on the 13/04/2023 you should renew it.

Is not expiring date it's the current date. It's expire 11 july

 

[jahswant]

Ohhhh sorry.

 

[aaronk]

[Server] Using Let's Encrypt on Ubuntu VPS

#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates Downloading and Installing Let's Encrypt 1. Update the server's packages apt-get update & sudo apt-get upgrade 2. Install the GIT package apt-get install git 3. Download a clone of Let's Encrypt from the GitHub...

www.b4x.com

 

[Magma]

...Hmmm you mean created custom/hand-made certificate at your local pc - to use it... and you receive that is not trusted... That is the right thing to be not trusted...

If you create a let's encrypt... and use it in "keystore" will be trusted.. (i think - because lately i use only mqtt that use the same certificates as apache)

You can use the let's encrypt at b4j server... read some of these:

Tutorial - Java KeyStores (JKS) With Let's Encrypt

Add certificates to KeyStore and Verify The key to adding the certs is associating them with the keys Commands: keytool -importcert -alias simple-cert -keystore letsencrypt.jks -storepass test12345 -file .\jks-simple-cert-with-chain.cer keytool -importcert -alias san-cert -keystore...

community.letsencrypt.org

 

[yfleury]

[Server] Using Let's Encrypt on Ubuntu VPS

#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates Downloading and Installing Let's Encrypt 1. Update the server's packages apt-get update & sudo apt-get upgrade 2. Install the GIT package apt-get install git 3. Download a clone of Let's Encrypt from the GitHub...

www.b4x.com

I have this error

Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

I update, upgrate vps and install certbot, still same error

 

[Magma]

That error you take... seems like is outdated-eol os... perhaps old Debian... 8. Or.9... better have newer version of Debian... 11

 

[yfleury]

my vps is debian 10

 

[Magma]

my vps is debian 10

Hmm.. not so old...

 

[Magma]

Certbot Instructions

Tagline

certbot.eff.org

 

[Magma]

Letsencrypt on Debian 10 – switching to new ‘snap’ based Certbot – William Turrell

 

[yfleury]

Thanks @Magma , I will look on that.

I ask to ChatGPT this

User: I have access to the CSR file, Private key (.key), Certificate (.crt), CA certificate (*-ca.crt), how can I use them with the keystore?

AI: To use these files with the keystore, you will need to import them into the keystore using the keytool command. First, import the private key and certificate into a PKCS12 keystore using the following command:

rustCopy code
keytool -importkeystore -srckeystore your_private_key.key -srcstoretype PKCS8 -destkeystore your_keystore.p12 -deststoretype PKCS12 -alias your_alias_name

You will need to provide the password for your private key and choose a new password for the PKCS12 keystore. Next, import the CA certificate into the keystore using the following command:

bashCopy code
keytool -importcert -keystore your_keystore.jks -file your_ca_certificate.crt -alias your_ca_alias_name

Finally, you can import the certificate chain into the keystore using the following command:

bashCopy code
keytool -importcert -keystore your_keystore.jks -file your_certificate.crt -alias your_alias_name -trustcacerts

You will need to provide the password for the keystore and choose a new alias name for the certificate chain.

Not try but I am not sur is good

 

[nbarakat]

This is how I do it on Ubuntu to renew my certificate:

rm jetty.keystore
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in YOURPATHTOfullchain.pem -inkey YOURPATHTOprivkey.pem -name jetty -passout YOURKEYSTOREPASSWORD (Which you will use in B4J)

# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore jetty.keystore -storepass THEPASSWORDINABOVESTATEMENT -srcstorepass THEPASSWORDINABOVESTATEMENT

# don't need the PKCS#12 file anymore
rm keystore.pkcs12

Note: YOURPATHTO This is usually /etc/letsencrypt/live/yourdomain

You need to repeat the process every time you renew your letsencrypt cert.
Then you would need to restart your B4J server app.

Hope this works for you.

 

[yfleury]

root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout 236541
Invalid password argument "236541"
Error getting passwords

It' so difficult and painfull, I am about to do my huge app in php just to have a certificate run on app.

 

[nbarakat]

root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout 236541
Invalid password argument "236541"
Error getting passwords

It' so difficult and painfull, I am about to do my huge app in php just to have a certificate run on app.

The first time is always difficult. But its probably my mistake...

/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout pass:236541

Forgot to add the pass: to the password.
Hope it works this time.

 

[aeric]

-passout 236541

Maybe you can omit this parameter and then input the password when it prompts you on next line.

 

[yfleury]

root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout pass:236541
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore jetty.keystore -storepass 236541 -srcstorepass 236541
Importing keystore keystore.pkcs12 to jetty.keystore...
Entry for alias jetty successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem jetty.keystore keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# rm jeystore.pkcs12
rm: cannot remove 'jeystore.pkcs12': No such file or directory
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem jetty.keystore keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca#

Now I need to move jetty.keystore to the folder of my .jar file?

 

[nbarakat]

No need. You can configure the path in B4J.

Sub setSSL(sslPort As Int)
    Dim KeyStoreDir As String = "/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca" ' The directory of the SSL keystore.
    Dim KeyStoreFile As String = "jetty.keystore" ' The SSL keystore filename.
    Dim KeyStorePassword As String = "236541" ' The SSL keystore password.
    Dim ssl As SslConfiguration
    ssl.Initialize ' Initializes the SSL configuration.
    ssl.SetKeyStorePath(KeyStoreDir, KeyStoreFile) ' Sets the path to the SSL keystore.
    ssl.KeyStorePassword = KeyStorePassword ' Sets the password for the SSL keystore.
    srvr.SetSslConfiguration(ssl, sslPort) ' Sets the SSL configuration for the web server and the SSL port.
End Sub

You can latter put the parameters in a configuration file and read then at startup.

You can rm keystore.pkcs12

 

[aeric]

Now I need to move jetty.keystore to the folder of my .jar file?

No. You don't need to move the keystore file. It can be used/shared by more than one B4J server apps.