Last active
August 9, 2024 12:34
-
-
Save galan/ec8b5f92dd325a97e2f66e524d28aaf8 to your computer and use it in GitHub Desktop.
Imports the letsencrypt certificates into the java keystore
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| # JAVA_HOME can be passed as argument if not set | |
| if [ ! -d $JAVA_HOME ]; then | |
| JAVA_HOME=${1} | |
| fi | |
| KEYSTORE=$JAVA_HOME/jre/lib/security/cacerts | |
| if [ ! -f "$KEYSTORE" ]; then | |
| echo "Keystore not found in '$KEYSTORE'" | |
| exit 1 | |
| fi | |
| cp $KEYSTORE $KEYSTORE.`date +"%Y%m%d%H%m%S"` | |
| wget https://letsencrypt.org/certs/letsencryptauthorityx1.der | |
| wget https://letsencrypt.org/certs/letsencryptauthorityx2.der | |
| wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.der | |
| wget https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.der | |
| wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der | |
| wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.der | |
| # to be idempotent | |
| keytool -delete -alias isrgrootx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -delete -alias isrgrootx2 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -delete -alias letsencryptauthorityx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -delete -alias letsencryptauthorityx2 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -delete -alias letsencryptauthorityx3 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -delete -alias letsencryptauthorityx4 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias isrgrootx1 -file letsencryptauthorityx1.der | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias isrgrootx2 -file letsencryptauthorityx2.der | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx1 -file lets-encrypt-x1-cross-signed.der | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx2 -file lets-encrypt-x2-cross-signed.der | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx3 -file lets-encrypt-x3-cross-signed.der | |
| keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx4 -file lets-encrypt-x4-cross-signed.der | |
| rm -f letsencryptauthorityx1.der letsencryptauthorityx2.der lets-encrypt-x1-cross-signed.der lets-encrypt-x2-cross-signed.der lets-encrypt-x3-cross-signed.der lets-encrypt-x4-cross-signed.der |
If you don't have set PATH to $JAVA_HOME/jre/bin/ then keytool won't work.
Here a simple fix:
change all commands "keytool" with this:
$JAVA_HOME/jre/bin/keytool
Please refer to LetsEncrypt's Chain of Trust document for up-to-date references.
Hint: I needed to adapt the script to download and install https://letsencrypt.org/certs/lets-encrypt-r3.der
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for doing the initial work in this @galan.
I've forked your version to update it with information on the current set (as of 2020-02-07) of Let's Encrypt's intermediate certs. At the same time I've incorporated @amcsSH's suggestion above, and used the Bash 4 dictionary feature to remove the redundant duplication of certificate names and files.