@richmilne
Last active October 18, 2020 17:46
Convert your domain's Let's Encrypt certificate (along with their intermediate certs) into a keystore that can be used with Java apps - such as Atlassian's Confluence
#!/usr/bin/env bash
# A codification of the steps outlined at
# https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html
# that I found relevant in getting my LE certs to work with our Confluence install.
# That page, and other sources, suggest that you might also have to import ALL the LE intermediate
# certs into the default Confluence / Java keystore ($JRE_HOME/lib/security/cacerts)
NOTIFY=webmaster@example.com
DOMAIN=www.example.com
declare -x PASSWORD=changeit
KEYSTORE=$(pwd)/${DOMAIN}
# sudo certbot certonly --standalone -m ${NOTIFY} --agree-tos --no-eff-email -d "${DOMAIN}"
LE_DIR=/etc/letsencrypt/live/${DOMAIN}
# Convert Let's Encrypt certificates to PKCS 12 archive
openssl pkcs12 -export \
-in "${LE_DIR}"/cert.pem \
-inkey "${LE_DIR}"/privkey.pem \
-out "${KEYSTORE}".p12 \
-name "${DOMAIN}" \
-CAfile "${LE_DIR}"/fullchain.pem \
-caname "Let's Encrypt Authority X3" \
-password env:PASSWORD
# Or use, for example, pass:changeit if you want to specify pwd directly
# See https://superuser.com/questions/724986/
# Import certificates into a keystore file.
keytool -importkeystore \
-srckeystore "${KEYSTORE}".p12 \
-srcstoretype PKCS12 \
-srcstorepass "${PASSWORD}" \
-destkeystore "${KEYSTORE}".jks \
-deststoretype PKCS12 \
-deststorepass "${PASSWORD}" \
-destkeypass "${PASSWORD}" \
-alias "${DOMAIN}"
# Add the necessary Let's Encrypt intermediate certs
# (see https://gist.github.com/richmilne/5a5cb4be0ec8233a6c50ba40229d8278)
declare -A certs
certs[letsencryptisrgx3]=letsencryptauthorityx3
certs[letsencryptisrgx4]=letsencryptauthorityx4
KEYSTORE="${KEYSTORE}".jks
for ALIAS in "${!certs[@]}"
do
FNAME="${certs[$ALIAS]}".pem.txt
wget "https://letsencrypt.org/certs/${FNAME}"
# Remove any stale copy of this alias first; on a fresh keystore the alias does not exist yet,
# so keytool's complaint (written to stderr) is captured in errors.txt and ignored.
keytool -delete -alias "$ALIAS" -keystore "${KEYSTORE}" -storepass "${PASSWORD}" 2> "$(pwd)"/errors.txt || true
keytool -importcert -keystore "${KEYSTORE}" -trustcacerts -storepass "${PASSWORD}" -noprompt -alias "$ALIAS" -file "${FNAME}"
done
rm -v *.pem.txt
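A sanity check to run after the script above, added here as an example and not part of richmilne's gist: it parses the output of `keytool -list -v` and confirms that the domain alias is a PrivateKeyEntry carrying a chain of more than one certificate (leaf plus intermediate), and that each intermediate alias landed as a trustedCertEntry rather than silently overwriting the key entry. The helper names (chain_length, trusted_aliases, list_keystore) are hypothetical, and SAMPLE_LISTING is a constructed imitation of keytool output so the checks can be exercised without a real keystore.

```bash
#!/usr/bin/env bash
# Print the certificate chain length of the PrivateKeyEntry stored under <alias>
# in a `keytool -list -v` listing; prints 0 if the alias is absent or not a key entry.
# Usage: chain_length "<listing text>" <alias>
chain_length() {
  local listing=$1 alias=$2
  printf '%s\n' "$listing" | awk -v a="$alias" '
    /^Alias name: / { cur = substr($0, 13); pk = 0 }
    /^Entry type: PrivateKeyEntry/ && cur == a { pk = 1 }
    /^Certificate chain length: / && cur == a && pk { print $4; found = 1; exit }
    END { if (!found) print 0 }'
}

# Print the alias of every trustedCertEntry in the listing, one per line, in listing order.
trusted_aliases() {
  printf '%s\n' "$1" | awk '
    /^Alias name: / { cur = substr($0, 13) }
    /^Entry type: trustedCertEntry/ { print cur }'
}

# Real invocation against the keystore the gist produces, e.g.:
#   LISTING=$(list_keystore "$(pwd)/www.example.com.jks" changeit)
#   [ "$(chain_length "$LISTING" www.example.com)" -ge 2 ] || echo "chain incomplete"
list_keystore() {
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null
}

# Constructed sample resembling `keytool -list -v` output for the gist's keystore.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: www.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Certificate[2]:
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

Alias name: letsencryptisrgx3
Entry type: trustedCertEntry
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

Alias name: letsencryptisrgx4
Entry type: trustedCertEntry
Owner: CN=Let's Encrypt Authority X4, O=Let's Encrypt, C=US
EOF
)
```

A chain length of 1 means `-CAfile fullchain.pem` was not picked up and Java clients will see an incomplete chain; a trusted alias missing from the second list means the `keytool -importcert` step for it failed.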