Confusion on adding https for Ubuntu distribution's Jetty

Confusion on adding https for Ubuntu distribution's Jetty

philfrei
I have Ubuntu 18.04 LTS and installed the repository Jetty: 9.4.15-1~18.04.1ubuntu1. I have managed to configure DNS and am able to read off of port 80 using AUTHBIND.

But I am very confused about how to set up https. A lot of the confusion is probably because of the difference between the Jetty documentation (which assumes installation via wget) and the way that the Ubuntu/Jetty distribution is spread out over many different directories and implemented as a systemd service.

1)
To create the keystore, I am using CertBot (a wrapper for Let's Encrypt), and AFAIK successfully created a PKCS12 file using the instructions at "Loading Keys and Certificates via PKCS12"

The commands were:
    $ openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
    $ keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Now, I am not clear where to put the "keystore" file that I created.

The documentation, a little ways below, refers to the location $JETTY/etc/keystore. With Ubuntu 18.04, we have the /etc/jetty9 folder that holds start.ini, a start.d directory and many .xml files. Should the "keystore" file reside there?

Further down, a reference is made to "Configuring the Jetty SslContextFactory", where a property(?) "setKeyStorePath" is mentioned but no examples are given. Is this a reference to an edit to be made in the XML file jetty-https.xml, or to an edit to be made in https.ini?

There is a warning note: "As a keystore is vital security information, it can be desirable to locate the file in a directory with very restricted access." The directory /etc/jetty9 is NOT particularly well protected.

2)
I have tried to generate an https.ini file but am failing.

Ubuntu repository's Jetty was automatically set up as a systemd service. The $JETTY_HOME is declared to be /usr/share/jetty9, and this directory contains a symlink to start.jar. The systemd configuration file does NOT declare a $JETTY_BASE. There is a reference to the directory /var/lib/jetty9, which holds the /webapps directory. But there is neither a start.ini file nor a start.d directory in this location. (Should there be?)

In order to generate an https.ini, or have it added to start.ini, I have tried:

    /var/lib/jetty9$ java -jar /usr/share/jetty9/start.jar --add-to-start=https

also

    /etc/jetty9$ java -jar /usr/share/jetty9/start.jar --add-to-start=https

But in both cases, I get the error message:

    ERROR : Unknown module='deploy'. List available with --list-modules

I'm guessing this has to do with a reference to the "deploy" module in /etc/jetty9/start.ini (copied below):

start.ini

    #------------------------------------------------------------------------------
    #
    # Jetty Startup Configuration
    #
    # This file contains the default settings for Jetty and configures a basic
    # Servlet container with JSP and WebSocket enabled. Customized settings can
    # be added to .ini files in the /etc/jetty9/start.d directory to avoid
    # conflicts when updating the package.
    #
    #------------------------------------------------------------------------------

    --module=deploy,http,jsp,jstl,websocket,ext,resources

    ##
    ## HTTP Connector Configuration
    ##

    # What host to listen on (leave commented to listen on all interfaces)
    #jetty.host=myhost.com

    # HTTP port to listen on
    # Enable authbind in /etc/default/jetty9 to use a port lower than 1024
    jetty.port=80

    # HTTP idle timeout in milliseconds
    http.timeout=30000


    ##
    ## Server Threading Configuration
    ##

    # minimum number of threads
    threads.min=10

    # maximum number of threads
    threads.max=200

    # thread idle timeout in milliseconds
    threads.timeout=60000
   

The advice in the first comment in this start.ini confuses me. The jetty documentation clearly states one should NOT have both a start.ini and a start.d at the same time.

Some assistance would be much appreciated. I'm wondering if I should just chuck the Ubuntu Jetty and load the current version via wget. At least then, the documentation would be better aligned.

Thanks!


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: Confusion on adding https for Ubuntu distribution's Jetty

Peter Boughton
Hi Phil,

> I'm wondering if I should just chuck the Ubuntu Jetty

If it doesn't use JETTY_BASE properly, that's what I would do.

Especially given the deploy error you mention - which suggests an
incorrect configuration, if Jetty can't find its own built-in module.

(Alternatively, you could ask the Ubuntu maintainer if they have a
reason for the setup they use, and if so where they would recommend the
keystore file going.)


Once you have a working JETTY_BASE setup, and a valid keystore file,
then configuring HTTPS can be just a matter of enabling the module
(--module=https in start.ini) plus creating a new XML config file
{jetty-base}/etc/jetty-ssl-context.xml which points to the keystore.

(It'd be much nicer to point direct to the Let's Encrypt certificate,
but that's not an option.)

Anyway, if you're still having problems after that, I have some notes
written up on the process that I can share.


Regards,

Peter Boughton
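An added example, written for this page and not code from either poster, showing the layout Peter describes (a JETTY_BASE with the https module enabled by a start.d ini that points at the keystore) while keeping the keystore owner-only, which addresses the "very restricted access" concern in the first message. The jetty.sslContext.* and jetty.ssl.port property names are those of Jetty 9.4's ssl module and are assumed unchanged in the Ubuntu package; all paths and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a JETTY_BASE with a
# restricted keystore and a start.d/ssl.ini that references it.
# Property names assumed from Jetty 9.4's ssl module; every path and
# the password are constructed placeholders.

# Succeed only if the file is readable by its owner alone (0600 or 0400).
keystore_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Copy keystore $2 to $1/etc/keystore inside a 0700 directory, then
# re-check the mode so a failed chmod cannot go unnoticed.
install_keystore() {
    base=$1; src=$2
    mkdir -p "$base/etc" && chmod 700 "$base/etc" || return 1
    cp "$src" "$base/etc/keystore" && chmod 600 "$base/etc/keystore" || return 1
    keystore_mode_ok "$base/etc/keystore"
}

# Write $1/start.d/ssl.ini enabling the https module with keystore path $2
# (relative to JETTY_BASE) and password $3. The ini carries the password,
# so it gets 0600 too; Jetty's org.eclipse.jetty.util.security.Password
# tool can turn the clear-text value into its OBF: form.
write_ssl_ini() {
    base=$1; ks=$2; pw=$3
    mkdir -p "$base/start.d" || return 1
    cat > "$base/start.d/ssl.ini" <<EOF
--module=https
jetty.ssl.port=8443
jetty.sslContext.keyStorePath=$ks
jetty.sslContext.keyStorePassword=$pw
EOF
    chmod 600 "$base/start.d/ssl.ini"
}

# Demo run with a constructed keystore file (no real key material).
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf 'constructed keystore bytes\n' > "$work/jetty.pkcs12"
    install_keystore "$work/jetty-base" "$work/jetty.pkcs12" &&
        write_ssl_ini "$work/jetty-base" etc/keystore 'placeholder-password' &&
        echo "JETTY_BASE prepared in $work/jetty-base"
fi
```

Run with `sh script.sh demo`; with the Ubuntu package you would still need the systemd unit to export a JETTY_BASE that points at the prepared directory.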