Install a Free SSL Certificate from Let's Encrypt in Thingworx
I thought I would share how to install a valid signed certificate from a new Certificate Authority called "Let's Encrypt": https://letsencrypt.org/
Important note: Some hardware vendors who supply products that make use of the C SDK may have hard-coded their firmware to only connect if you have installed an EV certificate. In that case Let's Encrypt certificates will not work and you will have to purchase an EV certificate from a trusted Certificate Authority such as DigiCert or Symantec. This may take a number of weeks; do not expect it in less than a week, as it requires a lot of administrative work to be performed.
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
I have tested this on Ubuntu 14.04 LTS, but I am sure you would be able to figure it out on other operating systems as well.
Reference site: https://certbot.eff.org/#ubuntutrusty-other
Reference site: https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/
To install your certificate:
First, install and configure Java and Tomcat to the point where you would usually generate a self-signed certificate.
------Start----
$ cd
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
$ cd /etc/letsencrypt/live/example.mydomain.ext/
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
==== you will be asked for a password here; remember it. I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
------End---
When you configure $CATALINA_HOME/conf/server.xml, use the following for the port 443 Connector (keystoreFile must point at the .keystore file you copied above, and keystorePass is the password you chose for the PKCS12 export):
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${user.home}/8.0.33/conf/.keystore" keystorePass="mypassword"
           clientAuth="false" sslProtocol="TLS" />
To renew your certificate:
Essentially you repeat the process above exactly as you did at the beginning, with only one minor difference: when you run the command to generate the certificate, it will offer you the option to renew the existing one. The rest remains unchanged. You must also remember to stop Tomcat before the procedure and start it again afterwards; if you do not, you will get an error saying that the port is already in use.
Go to where you downloaded the certbot-auto file and enter these commands:
------Start----
$ sudo service tomcat8 stop
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
==== select option 2 (to renew if it has not yet expired)
$ cd /etc/letsencrypt/live/example.mydomain.ext/
Please note: when renewing you need to use the same password used to generate the initial certificate. Check the keystorePass in Tomcat's server.xml if you can't remember it.
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
==== you will be asked for a password here; remember it. I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
==== confirm the overwrite of the existing "tomcat" alias
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
$ sudo service tomcat8 start
------End---
Use the same password with which you originally installed, or alternatively update the keystorePass in your Tomcat server.xml config.
If you want to test if your certificate is installed, you can do so from the command line by issuing the following:
$ curl https://example.mydomain.ext/ --tlsv1.2 --verbose
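A further check, added here as an example that is not part of the original post: Let's Encrypt certificates are valid for 90 days, so the script below connects to the Tomcat HTTPS port, validates the presented chain against the system trust store, and reports how many days remain before the renewal procedure above must be run. The host name, port and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import time

# Warn this many days before expiry. Assumption: Let's Encrypt issues 90-day
# certificates and recommends renewing them with about 30 days left.
WARN_DAYS = 30

def days_until_expiry(not_after, now_ts=None):
    """Whole days left until not_after, a notAfter string in the form
    ssl.getpeercert() returns it, e.g. "Jun  9 12:00:00 2025 GMT".
    Negative once the certificate has expired."""
    if now_ts is None:
        now_ts = time.time()
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)

def renewal_status(days_left, warn_days=WARN_DAYS):
    """Classify the remaining lifetime: OK, RENEW (run the renewal steps
    above) or EXPIRED."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "RENEW"
    return "OK"

def issuer_org(cert):
    """Issuer organizationName from a getpeercert() dict; a Let's Encrypt
    certificate reports "Let's Encrypt" here."""
    attrs = dict(attr for rdn in cert["issuer"] for attr in rdn)
    return attrs.get("organizationName", "")

def check_server(host, port=443):
    """Fetch the certificate Tomcat presents and summarise it. The default
    context validates the chain against the system trust store and checks the
    host name, so a missing intermediate (e.g. cert.pem exported instead of
    fullchain.pem) or a wrong name fails here just as it would in a browser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days = days_until_expiry(cert["notAfter"])
    return {"host": host, "issuer": issuer_org(cert),
            "days_left": days, "status": renewal_status(days)}

if __name__ == "__main__":
    # Assumption: the host name used with certbot above.
    print(check_server("example.mydomain.ext"))
```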
Notes:
All environment-specific items (the domain name, e-mail address, keystore password and keystore path) should be modified to suit your environment / password policies.
----------------------------------------------------------------------------------------------------------------
Message was edited by: Duan Gauché Correction: Incorrect: "When you configure $CATALINA_HOME/conf/context.xml use the following for port 443:" now corrected to: "When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:"
Message was edited by: Duan Gauché Added instructions to renew the certificates.
Message was edited by: Duan Gauché - Added stop and start commands for Tomcat to avoid the socket in use error when renewing. - Thanks for the reminder Pascal