Using a Let's Encrypt wildcard HTTPS certificate with Tomcat

Reference article: https://www.cnblogs.com/wzlinux/p/11188454.html

Reference article: https://blog.csdn.net/lyq8479/article/details/79022888


1.1. What is a wildcard certificate

A wildcard certificate (also called a pan-domain certificate) covers all same-level subdomains of a domain, so every one of them can be served over HTTPS without configuring each subdomain and applying for a new certificate for it. There is no limit on the number of subdomains, and subdomains can be added at any time at no extra cost. For users with several subdomains, and especially for those with a large number of them, this is cost-effective and saves a great deal of time and money.

1.2. What is Let's Encrypt

A certificate is required when deploying an HTTPS website. The certificate is issued by a CA organization. Most traditional CA organizations charge a fee for issuing certificates, which is not conducive to promoting the use of the HTTPS protocol.

Let's Encrypt is also a CA, but this CA is free! This means there is no charge for issuing a certificate.

Since Let's Encrypt is a non-profit organization and needs to control expenses, they did something very creative and designed the ACME protocol. The current version of the protocol is v1.

So why create the ACME protocol? Traditional CAs accept certificate applications, renewals, and revocations manually; all of this is handled by people. The ACME protocol standardizes the process of applying for, renewing, and revoking certificates. As long as a client implements the protocol, it can apply to Let's Encrypt for a certificate, which means the Let's Encrypt CA is completely automated.

Anyone can implement a client based on the ACME protocol. The official recommended client is Certbot.

For a list of official clients, please check https://letsencrypt.org/docs/client-options/.

2. Certificate application (certbot)

2.1. Operating system

We are using an instance created with the AWS Lightsail service; the operating system is CentOS 7.


2.2. Tool installation

First add the EPEL repository to the system.

curl -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo

Install the certificate application tool Certbot.

yum install -y certbot

2.3. Certificate application

hlvy.com is the domain name. For example, for www.baidu.com you would fill in baidu.com, and *.baidu.com then matches any xxx.baidu.com.

certbot certonly  -d *.hlvy.com --manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory
  • --manual: obtain the certificate interactively,
  • --preferred-challenges dns: use DNS validation (wildcard domains can only be validated over DNS); if this option is omitted, HTTP validation (.well-known) is used by default,
  • --server: the address of a server that supports acme-v02; the default is the acme-v01 address.

The application process is shown below. To prove that the domain is under your control, we need to create a DNS TXT record.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wzlinux.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.wzlinux.com with the following value:

EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hlvy.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hlvy.com/privkey.pem
   Your cert will expire on 2019-09-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certbot is now waiting for the DNS record requested above; I added it in Alibaba Cloud DNS. Do not press Enter at the "Press Enter to Continue" prompt until the record is in place.

First configure the record for the domain in Alibaba Cloud.

EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI is the record value, copied from the certbot prompt above.

Once the record has been added, verify it from the server:

[root@ip-172-26-5-120 ~]# dig -t txt _acme-challenge.hlvy.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t txt _acme-challenge.hlvy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.hlvy.com.        IN      TXT

;; ANSWER SECTION:
_acme-challenge.hlvy.com. 58      IN      TXT     "EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI"

;; Query time: 0 msec
;; SERVER: 172.26.0.2#53(172.26.0.2)
;; WHEN: Thu Jun 06 07:04:07 UTC 2019
;; MSG SIZE  rcvd: 112
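The dig run above is the manual form of this check. The script below is an added example, not code from the original article: it parses dig's TXT answer, requires an exact match with the token certbot printed, and polls until the record is visible. hlvy.com, the token and the resolver 1.1.1.1 are illustrative values, and dig(1) is assumed to be installed; the two sample answers at the bottom are constructed so the parsing can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the
# _acme-challenge TXT record is visible in DNS with the value certbot printed,
# before answering the "Press Enter to Continue" prompt.
# Assumptions: dig(1) is installed; hlvy.com, the token value and the
# resolver 1.1.1.1 are illustrative and should be replaced.

# Print the quoted string of every TXT answer line read on stdin, one per line.
# Handles both the "ANSWER SECTION" lines of plain dig and `dig +short` output.
txt_values() {
    sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) only if EXPECTED is exactly one of the TXT values on stdin.
# Whole-line matching avoids accepting a stale record that merely contains
# the new token as a substring.
txt_has_value() {
    expected="$1"
    txt_values | grep -Fqx -- "$expected"
}

# Ask a public resolver instead of the local caching one (172.26.0.2 in the
# article's dig run): a negative answer cached before the record was created
# would otherwise make the record look missing even after it was added.
verify_acme_txt() {
    domain="$1"; expected="$2"; resolver="${3:-1.1.1.1}"
    dig +short @"$resolver" -t txt "_acme-challenge.$domain" | txt_has_value "$expected"
}

# Poll until the record is visible; useful when the DNS provider takes a
# minute to publish. Tries ATTEMPTS times (default 12), ten seconds apart.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; attempts="${3:-12}"
    while [ "$attempts" -gt 0 ]; do
        verify_acme_txt "$domain" "$expected" && return 0
        attempts=$((attempts - 1))
        sleep 10
    done
    return 1
}

# Constructed samples (not real DNS responses) so the parsing can be exercised
# offline. The second one models a re-run where the previous token was never
# deleted, so two TXT records coexist and only one of them is the current one.
SAMPLE_ONE_RECORD='_acme-challenge.hlvy.com. 58 IN TXT "EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI"'
SAMPLE_TWO_RECORDS='_acme-challenge.hlvy.com. 58 IN TXT "OLD-TOKEN-FROM-A-PREVIOUS-RUN"
_acme-challenge.hlvy.com. 58 IN TXT "EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI"'

# Usage against live DNS (replace the token with the one certbot printed):
#   wait_for_acme_txt hlvy.com 'EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI' && echo "record is live"
```

Run `wait_for_acme_txt` in a second terminal while certbot sits at its prompt, and press Enter only after it returns 0. Querying a public resolver matters because the VPC resolver used in the article's dig run may have cached a "no such record" answer from an earlier lookup; Let's Encrypt validates from its own vantage points, not from your server's resolver.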

2.4. Viewing the certificate

[root@ip-172-26-5-120 ~]# ll /etc/letsencrypt/live/hlvy.com/
total 4
lrwxrwxrwx. 1 root root  35 Jun  6 06:53 cert.pem -> ../../archive/hlvy.com/cert1.pem
lrwxrwxrwx. 1 root root  36 Jun  6 06:53 chain.pem -> ../../archive/hlvy.com/chain1.pem
lrwxrwxrwx. 1 root root  40 Jun  6 06:53 fullchain.pem -> ../../archive/hlvy.com/fullchain1.pem
lrwxrwxrwx. 1 root root  38 Jun  6 06:53 privkey.pem -> ../../archive/hlvy.com/privkey1.pem
-rw-r--r--. 1 root root 692 Jun  6 06:53 README


2.5. Configuring the free Let's Encrypt SSL certificate in Tomcat 7

As the output above (the message printed when the certificate was obtained successfully) shows, the Let's Encrypt certificate is stored in the /etc/letsencrypt/live/hlvy.com/ directory, with four related files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

We need two of them: fullchain.pem and privkey.pem. Next, use the openssl and keytool tools on Linux to convert the SSL certificate from .pem format into the .jks format that Tomcat supports.

# Export the certificate and private key as a .p12 (PKCS12) bundle
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out hlvy_letsencrypt.p12 -name tomcat_letsencrypt

# Then convert the bundle from .p12 format into a .jks keystore
# (the source keystore is the hlvy_letsencrypt.p12 file created by the previous command)
$ keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore hlvy_letsencrypt.jks -srckeystore hlvy_letsencrypt.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt

Note: when you run the openssl command to export the .p12 bundle, you will be asked to set an export password, and the keytool command takes a password in three places. The simplest approach is to use the same password everywhere it is needed, to avoid confusion.


After these two steps, a new keystore, hlvy_letsencrypt.jks, exists in the /etc/letsencrypt/live/hlvy.com/ directory. Next, edit the %tomcat%/conf/server.xml file and add two configuration attributes, keystoreFile and keystorePass: keystoreFile points to the .jks keystore file, and keystorePass is the keystore password. The relevant configuration after the change is as follows:


<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/home/test/hlvy_letsencrypt.jks"
    keystorePass="123456"
/>

Visit the project address in a browser and inspect the certificate it presents.

2.6. Certificate renewal

Renewal can be done with the command certbot renew; add a scheduled task for it.

[root@ip-172-26-5-120 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hlvy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/hlvy.com/fullchain.pem expires on 2019-09-04 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scheduled task (crontab entry):

30 1 10 * * /usr/bin/certbot renew && systemctl reload nginx
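Two things about renewal are worth spelling out for the Tomcat setup described in sections 2.5 and 2.6. First, Tomcat reads the .jks keystore, not the PEM files, so every renewal has to repeat the openssl and keytool conversion and restart Tomcat; reloading nginx, as the crontab entry above does, does not affect Tomcat. Second, a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended: certbot renew reports an error for that lineage because nobody is there to create the new TXT record. The script below is an added example, not code from the original article: a certbot deploy hook (certbot runs it once per renewed lineage, passing the lineage directory in RENEWED_LINEAGE) that rebuilds the keystore from the renewed PEM files and restarts Tomcat. The keystore path, alias, password file, the "tomcat" service and group name, and the hook's install path are assumptions; keytool's :file password modifier is used so the password never appears on a command line.

```shell
#!/bin/sh
# Added example, not part of the original article: a certbot deploy hook that
# rebuilds the Tomcat keystore from the renewed PEM files and restarts Tomcat.
# Wire it in with (the install path is an assumption):
#   certbot renew --deploy-hook /usr/local/sbin/tomcat-deploy-hook.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/hlvy.com) to
# deploy hooks. The keystore path, alias, password file and the "tomcat"
# service name below are assumptions; adjust them to your installation.
set -u

KEYSTORE="${KEYSTORE:-/etc/tomcat/hlvy_letsencrypt.jks}"
ALIAS="${ALIAS:-tomcat_letsencrypt}"
PASS_FILE="${PASS_FILE:-/etc/tomcat/keystore.pass}"   # root-owned, mode 0600, one line: the password
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"

# Succeed when the keystore is missing or older than the renewed full chain,
# so running the hook twice does not rebuild an up-to-date keystore.
needs_rebuild() {
    pem="$1"; jks="$2"
    [ ! -f "$jks" ] || [ "$pem" -nt "$jks" ]
}

# The same two-step conversion the article performs by hand (PEM -> PKCS12 -> JKS),
# except that the password comes from a root-only file rather than the command
# line (where it would show in the process list and shell history), and the new
# keystore is built beside the old one and swapped in atomically.
build_keystore() {
    lineage="$1"; jks="$2"; alias="$3"; pass_file="$4"
    tmp_p12="$(mktemp)"                    # mktemp creates the file with mode 0600
    trap 'rm -f "$tmp_p12"' EXIT
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$alias" -passout "file:$pass_file" -out "$tmp_p12" || return 1
    rm -f "$jks.new"
    # keytool's ":file" modifier reads the password from the first line of a
    # file. Store and key passwords are kept equal because Tomcat's keyPass
    # defaults to keystorePass, exactly as in the article's manual command.
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp_p12" -srcstoretype PKCS12 -srcstorepass:file "$pass_file" \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$jks.new" -deststoretype JKS \
        -deststorepass:file "$pass_file" -destkeypass:file "$pass_file" || return 1
    chmod 0640 "$jks.new"                                  # it contains the private key
    chgrp "$TOMCAT_SERVICE" "$jks.new" 2>/dev/null || true # assumed: service group = service name
    mv -f "$jks.new" "$jks"                                # atomic replace, Tomcat never sees a partial file
}

# certbot sets RENEWED_LINEAGE only when it invokes a deploy hook; when the
# variable is absent (for example when this file is merely sourced), do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if needs_rebuild "$RENEWED_LINEAGE/fullchain.pem" "$KEYSTORE"; then
        build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$ALIAS" "$PASS_FILE" || exit 1
        systemctl restart "$TOMCAT_SERVICE"
    fi
fi
```

For the hook to ever fire, the lineage must be renewable without a person present, which for a DNS-01 wildcard means re-issuing it once with --manual-auth-hook (or a DNS plugin for your provider) so certbot can create the TXT record itself; after that, the cron job can call certbot renew as often as you like, since certbot only renews certificates that are within 30 days of expiry and skips the rest, as the "not yet due for renewal" output above shows.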



Source: https://blog.csdn.net/qq_39313596/article/details/103120778