To run our Ring app in production with a valid signed certificate, we need to do a few things.
- Generate the signed certificate/chain and private key by following steps 1-3 on Certbot here. The two files generated will be at:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem
  /etc/letsencrypt/live/mydomain.com/privkey.pem
- To install the certificate in a format that our server can understand, we need to add it to a Java keystore. But to do that, we first need to add it to a PKCS12 format keystore and then convert it. To add both the certificate/chain and private key, run the following command:
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -name mydomain.com -out mystore-PKCS-12.p12
Then follow the prompts to create an export password. Important: when it prompts you for the password, do not leave it blank, and remember it, because you will use the exact same password for your Java keystore.
- Unfortunately, I'm not sure if there's a way to create an empty keystore, so we'll create a new one with a key that we'll delete. Follow the prompts for creating a new password. Make sure that your created password is the same as the one from step 2.
keytool -genkey -alias delete.me -keyalg RSA -keystore MyKeyStore.jks -keysize 2048
keytool -delete -alias delete.me -keystore MyKeyStore.jks
- Then, to import mystore-PKCS-12.p12, run:
keytool -importkeystore -deststorepass %samepassword% -destkeystore MyKeyStore.jks -srckeystore mystore-PKCS-12.p12 -srcstoretype PKCS12
- Finally, be sure to reference the keystore and keystore password when running the server (the keystore password is passed as :key-password, which is also used to unlock the private key, so the two must match):
(require '[ring.adapter.jetty :refer [run-jetty]])

;; app-handler is your Ring handler; path-to-keystore is MyKeyStore.jks and
;; keystore-password is the password chosen in step 2.
(run-jetty
  app-handler
  {:ssl? true
   :ssl-port 443
   :keystore path-to-keystore
   :key-password keystore-password})
If you've realized that your passwords don't match (the symptom is java.security.UnrecoverableKeyException: Cannot recover key, because Jetty opens the keystore and the private key with the single :key-password value), follow the instructions here to change one of them.
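As an added example (not code from the original post), here is a Clojure start-up check that loads MyKeyStore.jks with the same password Jetty will use, reports a key/keystore password mismatch or an expired certificate before the server starts, and only then calls run-jetty. It assumes ring-jetty-adapter on the classpath; app-handler, keystore-path and keystore-password are placeholder names for your own values.

```clojure
(ns myapp.tls
  (:require [ring.adapter.jetty :refer [run-jetty]])
  (:import [java.io FileInputStream]
           [java.security KeyStore UnrecoverableKeyException]
           [java.security.cert CertificateException X509Certificate]))

;; Assumed names: app-handler is your Ring handler; keystore-path and
;; keystore-password are MyKeyStore.jks and the password chosen above.

(defn keystore-problems
  "Loads a JKS file and returns a vector of problem strings; empty means Jetty
   can use it. Jetty is handed a single :key-password, so every private key
   must be recoverable with the keystore password itself."
  [^String path ^String password]
  (let [ks (KeyStore/getInstance "JKS")
        pw (.toCharArray password)]
    (with-open [in (FileInputStream. path)]
      (.load ks in pw))                        ; wrong store password -> IOException
    (let [aliases     (enumeration-seq (.aliases ks))
          key-aliases (filter #(.isKeyEntry ks ^String %) aliases)
          problems
          (vec
            (mapcat
              (fn [^String alias]
                (try
                  (.getKey ks alias pw)         ; where "Cannot recover key" fails
                  (let [^X509Certificate leaf (first (.getCertificateChain ks alias))]
                    (.checkValidity leaf)      ; expired or not-yet-valid leaf cert
                    [])
                  (catch UnrecoverableKeyException _
                    [(str "alias " alias ": key password differs from the keystore password")])
                  (catch CertificateException e
                    [(str "alias " alias ": certificate not valid now (" (.getMessage e) ")")])))
              key-aliases))]
      (if (empty? key-aliases)
        [(str path " contains no private key entry; the PKCS12 import did not add one")]
        problems))))

(defn start-https!
  "Checks the keystore first and refuses to start rather than letting Jetty
   fail at the first TLS handshake."
  [handler keystore-path keystore-password]
  (let [problems (keystore-problems keystore-path keystore-password)]
    (when (seq problems)
      (throw (ex-info "keystore is not usable for TLS" {:problems problems})))
    (run-jetty handler {:ssl? true
                        :ssl-port 443
                        :keystore keystore-path
                        :key-password keystore-password
                        :join? false})))

;; (start-https! app-handler "/path/to/MyKeyStore.jks" keystore-password)
```

Let's Encrypt certificates are valid for 90 days, so the openssl export and keytool import above must be repeated after each Certbot renewal; the validity check makes a stale keystore fail at start-up instead of at the first client connection.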
I hope this helps anyone else trying to use Certbot's generated certificates.