EFF certbot for https?

EFF certbot for https?

Bill Ross-2

Has anyone tried EFF's certbot to go to https yet?

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

run Certbot once to automatically get free HTTPS certificates forever.

https://certbot.eff.org/

Bill


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: EFF certbot for https?

Steve Sobol - Lobos Studios
Not yet, I generate letsencrypt certs at sslforfree.com and manually install them. I plan to write certbot plugins for jetty, as well as a special embedded version of jetty that I run in production, but I don’t have the time now if someone isn’t paying me to do it...

On Dec 5, 2019, at 11:42, Bill Ross <[hidden email]> wrote:



Has anyone tried EFF's certbot to go to https yet?

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

run Certbot once to automatically get free HTTPS certificates forever.

https://certbot.eff.org/

Bill


Re: EFF certbot for https?

philfrei
In reply to this post by Bill Ross-2
Yes. I am using it now, installed it about three weeks ago.

I made use of https://certbot.eff.org/lets-encrypt/ubuntubionic-other, with the following choices:

My HTTP website is running [none of the above] on [Ubuntu 18.04 LTS (bionic)]

I am not using Jetty in combination with Apache or Nginx or any of the other choices, as AUTHBIND is working quite well as far as allowing Jetty to access ports 80 and 443.

Maybe I should mention, I installed the Ubuntu repository "jetty9". The file structure is pretty different from that suggested in the Jetty documentation after a wget install, but the instructions for how to make use of the .pem files that CertBot provides still apply.

PS: I haven't done the step of automating renewals yet (Step 6). I'm currently working on getting an email server working and plan to come back to this once that task is done.




-----Original Message-----
From: Bill Ross <[hidden email]>
To: jetty-users <[hidden email]>
Sent: Thu, Dec 5, 2019 11:42 am
Subject: [jetty-users] EFF certbot for https?

Has anyone tried EFF's certbot to go to https yet?
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

run Certbot once to automatically get free HTTPS certificates forever.

Bill

Re: EFF certbot for https?

Simone Bordet-3
In reply to this post by Bill Ross-2
Hi,

On Thu, Dec 5, 2019 at 8:42 PM Bill Ross <[hidden email]> wrote:
>
> Has anyone tried EFF's certbot to go to https yet?

We use it for our own websites, cometd.org and webtide.com.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: EFF certbot for https?

Steve Sobol - Lobos Studios
How did you implement it, if I may ask?

I’d like to automate everything: generation and update of the certs, update of the keystore, etc.

> On Dec 5, 2019, at 13:36, Simone Bordet <[hidden email]> wrote:
>
> Hi,
>
>> On Thu, Dec 5, 2019 at 8:42 PM Bill Ross <[hidden email]> wrote:
>>
>> Has anyone tried EFF's certbot to go to https yet?
>
> We use it for our own websites, cometd.org and webtide.com.
>
> --
> Simone Bordet
> ----
> http://cometd.org
> http://webtide.com
> Developer advice, training, services and support
> from the Jetty & CometD experts.

Re: EFF certbot for https?

Simone Bordet-3
Hi,

On Thu, Dec 5, 2019 at 10:57 PM Steve Sobol (Lobos Studios)
<[hidden email]> wrote:
>
> How did you implement it, if I may ask?
>
> I’d like to automate everything: generation and update of the certs, update of the keystore, etc.

We use Ubuntu.
Ubuntu ships /etc/cron.d/certbot that attempts to renew the
certificate twice a day.
You drop a shell script into /etc/letsencrypt/renewal-hooks/ and it
will be run _only_ when the certificate needs renewal.
The script we have concats certificates and private key for HAProxy
(and restarts it);
then uses openssl and keytool to generate the Java keystore and restarts Jetty.

We don't generate, just renew, but I guess with some creativity you
can script anything you want.
I'm no expert, I just found enough online to make it work for our needs.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: EFF certbot for https?

Steve Sobol - Lobos Studios
Oh. My plan is to fire up my Python IDE :) (certbot plugins are written in Python) and actually do all the legwork through the plugin.

I mean, I run IIS and Apache in addition to my custom embedded Jetty server (which I am going to eventually make public, I swear) and the IIS and Apache servers have their SSL certs renewed automatically - I do not need to do anything. That's what I want to do with my JEE websites.

And I don't use HAProxy. I have one of my Jetty servers sitting behind nginx, but I'm in the process of moving the one site it hosts to a newer server, and then that server's going away.

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Simone Bordet
Sent: Thursday, December 05, 2019 15:33
To: JETTY user mailing list <[hidden email]>
Subject: Re: [jetty-users] EFF certbot for https?

Hi,

On Thu, Dec 5, 2019 at 10:57 PM Steve Sobol (Lobos Studios) <[hidden email]> wrote:
>
> How did you implement it, if I may ask?
>
> I’d like to automate everything: generation and update of the certs, update of the keystore, etc.

We use Ubuntu.
Ubuntu ships /etc/cron.d/certbot that attempts to renew the certificate twice a day.
You drop a shell script into /etc/letsencrypt/renewal-hooks/ and it will be run _only_ when the certificate needs renewal.
The script we have concats certificates and private key for HAProxy (and restarts it); then uses openssl and keytool to generate the Java keystore and restarts Jetty.

We don't generate, just renew, but I guess with some creativity you can script anything you want.
I'm no expert, I just found enough online to make it work for our needs.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support from the Jetty & CometD experts.

Re: EFF certbot for https?

John English
In reply to this post by Steve Sobol - Lobos Studios
On 05/12/2019 23:57, Steve Sobol (Lobos Studios) wrote:
> How did you implement it, if I may ask?
>
> I’d like to automate everything: generation and update of the certs, update of the keystore, etc.

One thing to watch out for: it always wants to install updates to its
copy of Python, and by default that's owned by root... so check who ends
up owning it, or it can get messy.

--
John English

Re: EFF certbot for https?

Jared Wiltshire
We embed Jetty in our application and use certbot with a deploy hook to obtain certificates. e.g.
certbot certonly --webroot --deploy-hook "/opt/mango/bin/certbot-deploy.sh" -w "/opt/mango/web" -d yourdomain.com -d domain2.com

The script just uses openssl to generate a PKCS12 keystore and move it to our desired destination. We simply watch the keystore for changes then call org.eclipse.jetty.util.ssl.SslContextFactory.reload(Consumer<SslContextFactory>).


On Fri, Dec 6, 2019 at 3:14 AM John English <[hidden email]> wrote:
On 05/12/2019 23:57, Steve Sobol (Lobos Studios) wrote:
> How did you implement it, if I may ask?
>
> I’d like to automate everything: generation and update of the certs, update of the keystore, etc.

One thing to watch out for: it always wants to install updates to its
copy of Python, and by default that's owned by root... so check who ends
up owning it, or it can get messy.

--
John English
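
Added example, not part of any post in this thread and not the posters' own scripts: a certbot deploy hook of the kind Simone Bordet and Jared Wiltshire describe, converting the renewed PEM files into a PKCS12 keystore with openssl. The keystore and password-file paths and the `jetty` alias are placeholders; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example: certbot deploy hook that builds a PKCS12 keystore for Jetty.
# KEYSTORE_DEST and KEYSTORE_PASS_FILE are hypothetical names for this sketch.

build_keystore() {
    lineage=$1    # directory holding fullchain.pem and privkey.pem
    dest=$2       # keystore path that Jetty loads (or watches for changes)
    passfile=$3   # file whose first line is the keystore password

    for f in "$lineage/fullchain.pem" "$lineage/privkey.pem" "$passfile"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Create the temp file next to the destination so mv is an atomic rename:
    # a watcher never sees a half-written keystore. mktemp creates it mode 0600,
    # which matters because the keystore contains the private key.
    tmp=$(mktemp "$(dirname "$dest")/.keystore.XXXXXX") || return 1

    # Password comes from a file, not argv, so it does not show up in `ps`.
    if openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name jetty -out "$tmp" -passout "file:$passfile" \
        && mv -f "$tmp" "$dest"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks,
# so this part only runs when certbot invokes the script after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_keystore "$RENEWED_LINEAGE" \
        "${KEYSTORE_DEST:-/path/to/keystore.p12}" \
        "${KEYSTORE_PASS_FILE:-/path/to/keystore.pass}" || exit 1
    # If Jetty runs as a non-root user, chown the keystore to that user here,
    # then restart Jetty unless it reloads the keystore on change.
fi
```

On a stock certbot install, an executable script placed in /etc/letsencrypt/renewal-hooks/deploy/ runs after each successful renewal; the same script can instead be passed with --deploy-hook as in the command above.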
Re: EFF certbot for https?

Peter Boughton
In reply to this post by Bill Ross-2
I'm using Let's Encrypt certificates provided by Certbot.

I have scripted the conversion process and documented things here:

https://www.sorcerers-tower.net/articles/configuring-jetty-for-https-with-letsencrypt
