
Creating a multi domain letsencrypt cert for dotcms on AWS Linux

Description

The script below outlines how to generate a multi-domain Let's Encrypt certificate with certbot, convert it to a Java keystore, and serve it from the Tomcat instance that runs dotCMS on AWS Linux.

Code

# Creating a multi domain Let's Encrypt cert for dotCMS on AWS Linux
# Assumes dotCMS ROOT is running under /op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
# Note: certbot-auto has since been deprecated by the EFF; on a current system install certbot from the
# distro package or pip instead and run the same certbot subcommands shown here.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/     # install it somewhere fixed; the next step runs it from another directory
sudo yum install python26-virtualenv.noarch

# Use the webroot authenticator so the running Tomcat serves the HTTP-01 challenge files from
# ROOT/.well-known/acme-challenge/. Port 80 must be reachable from the internet for every name listed.
# The first -d name becomes the lineage directory name under /etc/letsencrypt/live/.
cd /op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
sudo /usr/local/bin/certbot-auto --debug -v certonly --webroot -w "$PWD" -d www.dotcms.com -d test.dotcms.com -d demo.dotcms.com -d auth.dotcms.com

# at this point the certs are saved in .pem form under /etc/letsencrypt/live/www.dotcms.com/:
#   privkey.pem (private key), cert.pem (leaf), chain.pem (intermediate), fullchain.pem (leaf + chain)
# these are symlinks into /etc/letsencrypt/archive/ that certbot repoints on every renewal,
# so the conversion below has to be repeated each time the cert is renewed (every 90 days at most)

cd /etc/letsencrypt/live/www.dotcms.com/

# The next step is to use openssl and the keytool that comes with the JDK to convert the .pem formatted certs to Java JKS format
# the keytool was not in my path so I had to hunt for it in JAVA_HOME and add it to my path

sudo ln -s /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool /usr/bin/

# then bundle the leaf cert, private key and intermediate chain into one PKCS#12 entry named "tomcat"
# (-certfile puts chain.pem into the same entry; that is what makes Tomcat send the intermediate to clients.
#  openssl prompts for an export password here: use the same PASSWORD as the keystore password below)
sudo openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile chain.pem -name tomcat -out cert_and_key.p12

# then from that to a java .jks (replace PASSWORD with a real keystore password; keep store and key password identical,
# they are referenced as keystorePass/keyPass in server.xml below)
sudo keytool -importkeystore -deststorepass PASSWORD -destkeypass PASSWORD -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias tomcat

# optionally also add the intermediate as a trusted-cert entry. Tomcat does not serve trusted entries
# (the chain it sends comes from the "tomcat" key entry), so this step can be skipped
sudo keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass PASSWORD


# After that you can add the SSL connector to your tomcat/conf/server.xml.
# Two things to check first:
#  - /etc/letsencrypt/live is root-only (mode 0700). If Tomcat runs as an unprivileged user (it should),
#    copy MyDSKeyStore.jks somewhere that user can read (chown tomcat, chmod 640) and point keystoreFile there.
#  - binding port 443 as a non-root user needs a capability (setcap), authbind, or a port redirect to 8443.
# server.xml now holds the keystore password in clear text, so keep it readable by the tomcat user only.
# Tomcat 8.5 and later can load the PEM files directly (certificateFile/certificateKeyFile/certificateChainFile
# on an SSLHostConfig Certificate element), which removes the keystore conversion entirely.

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/letsencrypt/live/www.dotcms.com/MyDSKeyStore.jks" keystorePass="PASSWORD"
           keyAlias="tomcat" keyPass="PASSWORD"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
<!-- sslEnabledProtocols pins the handshake to TLS 1.2; without it Tomcat 8.0 also offers TLS 1.0/1.1 -->
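The pem-to-p12-to-jks conversion above is a one-off, but certbot repoints the live/ symlinks on every renewal, so it has to run again each time or Tomcat keeps serving the old certificate until it expires. The script below is an added example, not part of the original page or of dotCMS: a certbot deploy hook that redoes the conversion non-interactively, checks that the intermediate actually made it into the bundle, installs the keystore with permissions the Tomcat user can read, and restarts the service. The Tomcat conf path, the "tomcat" user, the "dotcms" service name, the KEYSTORE_PASS variable and the RENEWED_LINEAGE default are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not part of the original page): a certbot deploy hook that
# rebuilds the Tomcat JKS keystore every time the Let's Encrypt lineage is
# renewed. Wire it up with: certbot renew --deploy-hook /path/to/renew-tomcat-keystore.sh
# Assumptions, all hypothetical and to be adjusted for your host:
#   - certbot exports RENEWED_LINEAGE to the hook (it does for --deploy-hook)
#   - Tomcat runs as user/group "tomcat" and server.xml points at
#     /opt/dotcms/dotserver/tomcat-8.0.18/conf/dotcms-keystore.jks
#   - the keystore password is supplied in KEYSTORE_PASS, not hard-coded here
set -eu

# pem_to_pkcs12 LINEAGE_DIR OUT_P12 PASSWORD
# Bundle leaf certificate, private key and intermediate chain into one PKCS#12
# entry named "tomcat". Putting chain.pem into this entry is what makes Tomcat
# send the intermediate to clients; a separate trusted-cert import does not.
pem_to_pkcs12() {
    lineage=$1; out=$2; pass=$3
    openssl pkcs12 -export \
        -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
        -certfile "$lineage/chain.pem" -name tomcat \
        -out "$out" -passout "pass:$pass"
}

# p12_cert_count P12 PASSWORD
# Number of certificates inside the bundle. A Let's Encrypt lineage should give
# at least 2 (leaf + intermediate); used as a sanity check before deploying.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# pkcs12_to_jks IN_P12 OUT_JKS PASSWORD
# Same keytool step as in the page, made non-interactive. Store and key
# password are kept identical to match keystorePass/keyPass in server.xml.
pkcs12_to_jks() {
    in=$1; out=$2; pass=$3
    rm -f "$out"
    keytool -importkeystore -noprompt \
        -srckeystore "$in" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass" -alias tomcat
}

# install_keystore SRC DEST
# /etc/letsencrypt/live is root-only (0700) and Tomcat runs unprivileged, so
# the keystore is copied out and made readable by the tomcat user only.
install_keystore() {
    install -o tomcat -g tomcat -m 0640 "$1" "$2"
}

main() {
    lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/www.dotcms.com}"
    pass="${KEYSTORE_PASS:?KEYSTORE_PASS must be set}"
    dest=/opt/dotcms/dotserver/tomcat-8.0.18/conf/dotcms-keystore.jks   # assumed path
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    pem_to_pkcs12 "$lineage" "$work/cert_and_key.p12" "$pass"
    if [ "$(p12_cert_count "$work/cert_and_key.p12" "$pass")" -lt 2 ]; then
        echo "intermediate chain missing from $lineage, not deploying" >&2
        exit 1
    fi
    pkcs12_to_jks "$work/cert_and_key.p12" "$work/keystore.jks" "$pass"
    install_keystore "$work/keystore.jks" "$dest"
    # Tomcat 8.0 only re-reads the keystore when the connector (re)starts.
    systemctl restart dotcms   # assumed service name
}

# Run main only when executed as the hook itself, so the functions above can
# also be sourced and exercised individually.
case "${0##*/}" in
    renew-tomcat-keystore.sh) main ;;
esac
```

The chain-count check is the part worth keeping even if the rest is adapted: a keystore that carries only the leaf passes `keytool -list` and starts Tomcat fine, and only shows up as a broken chain in browsers or Java clients that lack the intermediate.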