Import Let's Encrypt certificates into Java's trusted keystore (cacerts)
```bash
#!/bin/bash -e
# A codification of the steps outlined at
# https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html

CERT_EXT=der

# JAVA_HOME can be passed as argument if not set
if [[ -z ${JAVA_HOME+x} ]] || [[ ! -d ${JAVA_HOME} ]]; then
    JAVA_HOME=${1}
fi

# JDK 8 layout; JDK 9+ keeps the trust store at $JAVA_HOME/lib/security/cacerts
KEYSTORE="$JAVA_HOME/jre/lib/security/cacerts"
if [ ! -f "$KEYSTORE" ]; then
    echo "Keystore not found in '$KEYSTORE'"
    exit 1
fi

# Timestamped backup of the trust store before it is modified (%M = minutes)
cp "$KEYSTORE" "$KEYSTORE.$(date +"%Y-%m-%dT%H:%M:%S")"

# Make sure the keytool is on our path
PATH=${PATH}:${JAVA_HOME}/jre/bin/

# List of downloads updated based on information found at
# https://letsencrypt.org/certificates/ (Last updated 2021-08-17)
# Depending on your application, you may or may not need the intermediate certificates.
certs=(
    # Root Certificates
    isrgrootx1
    isrg-root-x1-cross-signed
    isrg-root-x2
    isrg-root-x2-cross-signed
    # Intermediate Certificates
    lets-encrypt-r3
    lets-encrypt-r3-cross-signed # Retired
    lets-encrypt-e1
    lets-encrypt-r4
    lets-encrypt-r4-cross-signed # Retired
    lets-encrypt-e2
    letsencryptauthorityx1
    lets-encrypt-x1-cross-signed # Retired
    letsencryptauthorityx2 # Retired
    lets-encrypt-x2-cross-signed # Retired
    letsencryptauthorityx3 # Retired
    lets-encrypt-x3-cross-signed # Retired
    letsencryptauthorityx4 # Retired
    lets-encrypt-x4-cross-signed # Retired
)

for ALIAS in "${certs[@]}"
do
    FNAME="$ALIAS".$CERT_EXT
    echo "Downloading '$FNAME'..."
    wget -nv "https://letsencrypt.org/certs/${FNAME}" >>./errors.txt 2>&1 || true
    # A failed download (e.g. a retired cert no longer served) must not abort the whole run under -e
    if [ ! -f "$FNAME" ]; then
        echo "Skipping '$ALIAS': download failed (see ./errors.txt)"
        continue
    fi
    # to be idempotent, ensure new keys are removed from store
    echo "Deleting '$ALIAS' from '${KEYSTORE}'..."
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass changeit 2>/dev/null || true
    keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias "$ALIAS" -file "$FNAME"
done

# Clean up the downloaded certificate files
rm -vf ./*.${CERT_EXT}*
```
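A post-import check, added here as an example and not part of the gist: it locates cacerts in both the JDK 8 layout the script assumes and the JDK 9+ layout, then confirms each requested alias is present and prints its SHA-256 fingerprint so the result can be compared against the fingerprints published at https://letsencrypt.org/certificates/. It assumes keytool is on PATH and the default store password unless STOREPASS is exported.

```shell
#!/bin/sh
# Added example, not part of the gist: verify an import into Java's cacerts.
# Assumes keytool is on PATH and the store password is the default unless
# STOREPASS is exported.

# Locate cacerts under a JAVA_HOME: JDK 8 keeps it under jre/lib/security,
# JDK 9+ under lib/security (the gist only checks the first location).
find_cacerts() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# For each alias, print "<alias> <SHA-256 fingerprint>" if it is in the
# keystore; report missing aliases on stderr and return 1 if any are absent.
check_aliases() {
    ks="$1"; shift
    pass="${STOREPASS:-changeit}"
    missing=0
    for alias in "$@"; do
        if out=$(keytool -list -v -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null); then
            # keytool -list -v prints a "SHA256: xx:yy:..." line under "Certificate fingerprints:"
            fp=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1)
            printf '%s %s\n' "$alias" "$fp"
        else
            printf 'MISSING %s\n' "$alias" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh check-cacerts.sh "$JAVA_HOME" isrgrootx1 isrg-root-x2 lets-encrypt-r3
if [ "$#" -ge 2 ]; then
    ks=$(find_cacerts "$1") || { echo "No cacerts found under '$1'" >&2; exit 1; }
    shift
    check_aliases "$ks" "$@"
fi
```

A non-zero exit means at least one alias is missing, which is the signal to re-run the import (or check ./errors.txt for a failed download).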
Thanks for spotting that, @rjshrjndrn - I've corrected the omission.
As for your comment that the script should be run as root user: yes, that is the usage envisaged by the upstream creator:
sudo ./import-letsencrypt-java.sh "$JAVA_HOME"
Ah, correct!!!
and where should we set $JAVA_HOME?
So either it should be
sudo JAVA_HOME=/path/to/java bash /import-letsencrypt-java.sh "$JAVA_HOME"
or
sudo ./import-letsencrypt-java.sh /path/to/java
@danielsz, does this fork help?
This looks great. Thank you, @richmilne.
Hi! I have adapted it to my needs and it works perfectly!
Thank you so much! @richmilne
Line number 7 should be changed to
And you'll have to run this script as the root user, so better hardcode the JAVA_HOME at the beginning.