Verified it works. credit: https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711/18
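#!/bin/sh
#
# Import a Let's Encrypt certificate (certbot layout under /etc/letsencrypt/live)
# into a GlassFish/Payara domain. Builds a fresh keystore.jks (server key under
# the user-chosen alias plus the GlassFish default aliases glassfish-instance
# and s1as) and cacerts.jks (same entries plus the curl.se CA bundle), backs up
# the domain's original files once, installs the new ones and restarts domain1.
#
# Privileged steps run through sudo. Needs openssl, keytool, wget, sudo.
#
# Changes from the upstream gist, all security-motivated:
#   - the CA bundle was fetched with --no-check-certificate, i.e. the server's
#     certificate was NOT verified while downloading the very trust anchors that
#     end up in cacerts.jks (a man-in-the-middle could plant a rogue CA).
#     Verification is on, and a download yielding zero certificates aborts
#     instead of installing an empty trust store.
#   - the keystore password was echoed to the terminal and placed on every
#     command line (visible in `ps`, shell history and sudo logs). It is now
#     read without echo and handed to openssl/keytool through a 0600 file
#     (openssl `-password file:`, keytool `-storepass:file` and friends).
#   - the CA-bundle import loop ran keytool without sudo although the keystore
#     it writes to is root-owned, so those imports could not succeed.
#   - the PKCS#12 bundles (they contain the private key) live in a private
#     mktemp directory that is removed on every exit path, and the script stops
#     at the first failed step rather than installing a half-built keystore.

set -eu

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Alias of the certificate.
printf '%s\n' 'Please enter the alias of the certificate: e.g. (shortwebname)'
read -r NAME
[ -n "$NAME" ] || die 'Alias must not be empty.'

# The current domain registered in letsencrypt such as www.mydomain.com.
printf '%s\n' 'Please enter the domain name: e.g. (www.mydomain.com)'
read -r DOMAIN
# The domain is interpolated into a filesystem path; keep it a single path
# component so LIVE cannot escape /etc/letsencrypt/live.
case "$DOMAIN" in
  ''|*/*|.|..) die 'Domain name must be a single non-empty path component.' ;;
esac

# The keystore password, default is (changeit).
printf '%s\n' 'Please enter the keystore password: default is (changeit)'
# Do not echo the password; stty may fail when stdin is not a terminal.
stty -echo 2>/dev/null || true
read -r KEYSTOREPW
stty echo 2>/dev/null || true
printf '\n'
KEYSTOREPW=${KEYSTOREPW:-changeit}
# NOTE(review): GlassFish opens keystore.jks/cacerts.jks with the domain master
# password (default "changeit"). A different password here presumably keeps the
# domain from starting until the master password is changed to match --
# confirm against `asadmin change-master-password` before relying on it.

# Letsencrypt live directory location.
LIVE=/etc/letsencrypt/live/$DOMAIN

# Glassfish server location e.g. /opt/glassfish4/glassfish/domains/domain1.
printf '%s\n' 'Please enter the web server root directory: e.g. (/opt/payara41)'
read -r GFROOT

[ -d "$LIVE" ] || die 'Wrong domain name. Please make sure that certbot is installed and this domain is found in: /etc/letsencrypt/live/'
[ -d "$GFROOT" ] || die 'Wrong web server location...'

# Private working directory for the PKCS#12 bundles and the password file,
# removed on any exit (success, failure, Ctrl-C).
WORK=$(mktemp -d) || die 'mktemp failed'
trap 'sudo rm -rf -- "${WORK:?}"' EXIT
PWFILE=$WORK/storepass
(umask 077 && printf '%s\n' "$KEYSTOREPW" > "$PWFILE")

KS=$WORK/keystore.jks
TS=$WORK/cacerts.jks

# import_key ALIAS KEYSTORE [extra openssl-pkcs12 args...]
# Bundle the Let's Encrypt private key + full chain as a PKCS#12 under ALIAS
# and import that entry into KEYSTORE (created on first use). The key password
# is set equal to the store password -- GlassFish is believed to require the
# two to match; TODO(review) confirm.
import_key() {
  ik_alias=$1
  ik_store=$2
  shift 2
  sudo openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" \
    -out "$WORK/$ik_alias.p12" -name "$ik_alias" -password "file:$PWFILE" "$@"
  sudo keytool -importkeystore -destkeystore "$ik_store" \
    -srckeystore "$WORK/$ik_alias.p12" -srcstoretype PKCS12 -alias "$ik_alias" \
    -srcstorepass:file "$PWFILE" -deststorepass:file "$PWFILE" -destkeypass:file "$PWFILE"
}

# import_chain KEYSTORE
# Add the issuer chain as a trusted-certificate entry under alias "root".
import_chain() {
  sudo keytool -importcert -noprompt -trustcacerts -alias root \
    -file "$LIVE/chain.pem" -keystore "$1" -storepass:file "$PWFILE"
}

# Both stores receive the same four entries. NOTE(review): cacerts.jks is the
# trust store; giving it private-key entries is unusual (trusted-certificate
# entries would normally suffice there) but matches what the domain expected
# in the upstream script -- confirm before tightening.
for store in "$KS" "$TS"; do
  import_key "$NAME" "$store" -CAfile "$LIVE/chain.pem" -caname root
  import_chain "$store"
  import_key glassfish-instance "$store"
  import_key s1as "$store"
done

# ====== Download latest list of cacert and import it into the cacerts.jks ========== #
# TLS verification stays ON: this file becomes the server's set of trust
# anchors, so a tampered download would plant an attacker CA in cacerts.jks.
# TODO(review): additionally verify the bundle against the .sha256 published
# next to it on curl.se.
PEM_FILE=$WORK/cacert.pem
wget https://curl.haxx.se/ca/cacert.pem -O "$PEM_FILE"
# Number of certs in the PEM file (grep -c exits 1 on zero matches).
CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE") || true
[ "$CERTS" -gt 0 ] || die 'CA bundle download yielded no certificates; refusing to install an empty trust store.'

# For every cert in the PEM file, extract it and import into the JKS trust
# store. awk: print lines while inside the wanted cert, bump the counter at
# each END CERTIFICATE. Aliases are cacert-0, cacert-1, ... as before.
N=0
while [ "$N" -lt "$CERTS" ]; do
  ALIAS="cacert-$N"
  printf '%s\n' "$ALIAS"
  awk -v want="$N" 'n == want { print } /END CERTIFICATE/ { n++ }' "$PEM_FILE" |
    sudo keytool -importcert -noprompt -trustcacerts \
      -alias "$ALIAS" -keystore "$TS" -storepass:file "$PWFILE"
  N=$((N + 1))
done
# ==================================================================================== #

sudo keytool -list -keystore "$KS" -storepass:file "$PWFILE"
sudo keytool -list -keystore "$TS" -storepass:file "$PWFILE"

CONFIG=$GFROOT/glassfish/domains/domain1/config
# Keep the pristine stores from the first run only; later runs must not
# overwrite the backup with an already-modified keystore.
if [ ! -f "$CONFIG/keystore-orig.jks" ]; then
  printf '%s\n' "Backing up original files..."
  sudo cp -f -- "$CONFIG/keystore.jks" "$CONFIG/keystore-orig.jks"
  sudo cp -f -- "$CONFIG/cacerts.jks" "$CONFIG/cacerts-orig.jks"
fi
printf '%s\n' "Updating certificates..."
sudo cp -f -- "$KS" "$CONFIG/keystore.jks"
sudo cp -f -- "$TS" "$CONFIG/cacerts.jks"

# enable-secure-admin and stop-domain stay best-effort (already enabled /
# not running are not reasons to abort); a failed start is a real error.
sudo "$GFROOT/bin/asadmin" enable-secure-admin || true
sudo "$GFROOT/bin/asadmin" stop-domain || true
sudo "$GFROOT/bin/asadmin" start-domain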