Last active
October 18, 2020 17:46
-
-
Save richmilne/b17eac4b91c90e94974e9715685840ef to your computer and use it in GitHub Desktop.
Convert your domain's Let's Encrypt certificate (along with their intermediate certs) into a keystore that can be used with Java apps - such as Atlassian's Confluence
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # A codificiation of the steps outlined at | |
| # https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html | |
| # that I found relevant in getting my LE certs to work with our Confluence install. | |
| # That page, and other sources, suggest that you might also have to import ALL the LE intermediate | |
| # certs into the default Confluence / Java keystore ($JRE_HOME/lib/security/cacerts) | |
| [email protected] | |
| DOMAIN=www.example.com | |
| declare -x PASSWORD=changeit | |
| KEYSTORE=$(pwd)/${DOMAIN} | |
| # sudo certbot certonly --standalone -m ${NOTIFY} --agree-tos --no-eff-email -d "${DOMAIN}" | |
| LE_DIR=/etc/letsencrypt/live/${DOMAIN} | |
| # Convert Let's Encrypt certificates to PKCS 12 archive | |
| openssl pkcs12 -export \ | |
| -in "${LE_DIR}"/cert.pem \ | |
| -inkey "${LE_DIR}"/privkey.pem \ | |
| -out "${KEYSTORE}".p12 \ | |
| -name "${DOMAIN}" \ | |
| -CAfile "${LE_DIR}"/fullchain.pem \ | |
| -caname "Let's Encrypt Authority X3" \ | |
| -password env:PASSWORD | |
| # Or use, for example, pass:changeit if you want to specify pwd directly | |
| # See https://superuser.com/questions/724986/ | |
| # Import certificates into a keystore file. | |
| keytool -importkeystore \ | |
| -srckeystore "${KEYSTORE}".p12 \ | |
| -srcstoretype PKCS12 \ | |
| -srcstorepass "${PASSWORD}" \ | |
| -destkeystore "${KEYSTORE}".jks \ | |
| -deststoretype PKCS12 \ | |
| -deststorepass "${PASSWORD}" \ | |
| -destkeypass "${PASSWORD}" \ | |
| -alias ${DOMAIN} | |
| # Add the necessary Let's Encrypt intermediate certs | |
| # (see https://gist.github.com/richmilne/5a5cb4be0ec8233a6c50ba40229d8278) | |
| declare -A certs | |
| certs[letsencryptisrgx3]=letsencryptauthorityx3 | |
| certs[letsencryptisrgx4]=letsencryptauthorityx4 | |
| KEYSTORE="${KEYSTORE}".jks | |
| for ALIAS in ${!certs[@]} | |
| do | |
| FNAME="${certs[$ALIAS]}".pem.txt | |
| wget https://letsencrypt.org/certs/${FNAME} | |
| keytool -delete -alias $ALIAS -keystore ${KEYSTORE} -storepass ${PASSWORD} > $(pwd)/errors.txt || true | |
| keytool -importcert -keystore ${KEYSTORE} -trustcacerts -storepass ${PASSWORD} -noprompt -alias $ALIAS -file "${FNAME}" | |
| done | |
| rm -v *.pem.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment