Forked from galan/import-letsencrypt-java.sh
Last active December 15, 2021 16:41
Import Let's Encrypt certificates into Java's trusted keystore (cacerts)
#!/bin/bash -e
# A codification of the steps outlined at
# https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html
#
# Usage: sudo ./import-letsencrypt-java.sh [JAVA_HOME]
# The keystore password defaults to 'changeit', the stock password of cacerts;
# set STOREPASS in the environment if your keystore uses a different one.
CERT_EXT=der
STOREPASS="${STOREPASS:-changeit}"
# JAVA_HOME can be passed as argument if not set
if [[ -z ${JAVA_HOME+x} ]] || [[ ! -d ${JAVA_HOME} ]]; then
  JAVA_HOME=${1:-}
fi
if [[ -z "$JAVA_HOME" ]] || [[ ! -d "$JAVA_HOME" ]]; then
  echo "JAVA_HOME is not set or is not a directory; pass it as the first argument" >&2
  exit 1
fi
# Java 8 keeps cacerts under jre/lib/security; Java 9 and later under lib/security
KEYSTORE=""
for candidate in "$JAVA_HOME/jre/lib/security/cacerts" "$JAVA_HOME/lib/security/cacerts"; do
  if [ -f "$candidate" ]; then
    KEYSTORE="$candidate"
    break
  fi
done
if [ -z "$KEYSTORE" ]; then
  echo "Keystore not found under '$JAVA_HOME'" >&2
  exit 1
fi
# Back up the keystore before touching it (%M is minutes; %m would be the month)
cp "$KEYSTORE" "$KEYSTORE.$(date +"%Y-%m-%dT%H:%M:%S")"
# Make sure the keytool is on our path (Java 8 layout first, then Java 9+)
PATH=${PATH}:${JAVA_HOME}/jre/bin:${JAVA_HOME}/bin
# List of downloads updated based on information found at
# https://letsencrypt.org/certificates/ (Last updated 2021-08-17)
# Depending on your application, you may or may not need the intermediate certificates.
# Everything imported here is trusted unconditionally by every TLS client that uses
# this keystore, so import only what you need. The files are fetched over HTTPS and
# not otherwise verified; compare fingerprints with the ones published on the page
# above if the trust this host places in letsencrypt.org is itself in question.
certs=(
  # Root Certificates
  isrgrootx1
  isrg-root-x1-cross-signed
  isrg-root-x2
  isrg-root-x2-cross-signed
  # Intermediate Certificates
  lets-encrypt-r3
  lets-encrypt-r3-cross-signed # Retired
  lets-encrypt-e1
  lets-encrypt-r4
  lets-encrypt-r4-cross-signed # Retired
  lets-encrypt-e2
  letsencryptauthorityx1
  lets-encrypt-x1-cross-signed # Retired
  letsencryptauthorityx2 # Retired
  lets-encrypt-x2-cross-signed # Retired
  letsencryptauthorityx3 # Retired
  lets-encrypt-x3-cross-signed # Retired
  letsencryptauthorityx4 # Retired
  lets-encrypt-x4-cross-signed # Retired
)
for ALIAS in "${certs[@]}"
do
  FNAME="$ALIAS".$CERT_EXT
  echo "Downloading '$FNAME'..."
  # A failed download is skipped rather than handed to keytool, which would
  # otherwise fail on the missing file and abort the whole run under -e
  if ! wget -nv "https://letsencrypt.org/certs/${FNAME}" >>./errors.txt 2>&1; then
    echo "Download of '$FNAME' failed, skipping (see ./errors.txt)"
    continue
  fi
  # to be idempotent, ensure an existing entry under this alias is removed first
  echo "Deleting '$ALIAS' from '${KEYSTORE}'..."
  keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
  keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" -file "$FNAME" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
done
rm -vf ./*.${CERT_EXT}*
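The script above trusts whatever it downloads. The following is an added example, not part of the gist or of the linked article, showing how to check a downloaded DER file's SHA-256 fingerprint against a value copied from https://letsencrypt.org/certificates/ before keytool imports it, and how to locate cacerts for both the Java 8 (jre/lib/security) and Java 9+ (lib/security) layouts that the comments below argue about. The function names, and the idea of passing the expected fingerprint as an argument, are my own choices; it needs openssl on the path.

```bash
#!/bin/bash
# Added example, not the gist's own code: fingerprint check for a DER
# certificate and a cacerts locator. Function names are assumptions.

# Print the SHA-256 fingerprint of a DER certificate as uppercase hex
# without colons; prints nothing if the file is not a DER certificate.
der_fingerprint() {
  local file="$1"
  openssl x509 -inform der -in "$file" -noout -fingerprint -sha256 2>/dev/null \
    | sed -e 's/^.*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# verify_der_fingerprint FILE EXPECTED
# EXPECTED may be copied as published (colons, either case); the two values
# are normalised before comparison. Returns 0 on match, 1 otherwise.
verify_der_fingerprint() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')"
  actual="$(der_fingerprint "$file")"
  if [[ -z "$actual" ]]; then
    echo "verify: '$file' is not a readable DER certificate" >&2
    return 1
  fi
  if [[ "$actual" != "$expected" ]]; then
    echo "verify: fingerprint mismatch for '$file'" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# find_cacerts JAVA_HOME
# Prints the path of the cacerts keystore: Java 8 keeps it under
# jre/lib/security, Java 9 and later under lib/security. Returns 1 if
# neither location exists.
find_cacerts() {
  local candidate
  for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [[ -f "$candidate" ]]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}
```

To use it in the loop of the script, keep the expected fingerprints in an associative array keyed by alias and run `verify_der_fingerprint "$FNAME" "${EXPECTED[$ALIAS]}" || exit 1` between the download and the `keytool -importcert` call, so that a tampered or mis-served file stops the run instead of landing in the trust store.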
Thanks for spotting that, @rjshrjndrn - I've corrected the omission.
As for your comment that the script should be run as root user: yes, that is the usage envisaged by the upstream creator:
sudo ./import-letsencrypt-java.sh "$JAVA_HOME"
Ah, correct!!!
and where should we set $JAVA_HOME?
So either it should be
sudo JAVA_HOME=/path/to/java bash /import-letsencrypt-java.sh "$JAVA_HOME"
or
sudo ./import-letsencrypt-java.sh /path/to/java
@danielsz, does this fork help?
This looks great. Thank you, @richmilne.
Line number 7 should be changed to
And you'll have to run this script as the root user, so better hardcode the JAVA_HOME at the beginning.