Install a Free SSL Certificate from Let's Encrypt in Thingworx

Do1
Regular Member

I thought I would share how to install a valid signed certificate from a new Certificate Authority called "Let's Encrypt": https://letsencrypt.org/

Important note: Some hardware vendors who supply products that make use of the C SDK may have hard coded their firmware to only connect if you have installed an EV certificate. In that case "Let's Encrypt" certificates will not work and you will have to purchase an EV certificate from a trusted Signing Authority like DigiCert, Symantec etc. This may take a number of weeks and you should not expect it in less than a week as it requires a lot of administrative work to be performed.

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

I have tested this on Ubuntu 14.04 LTS but I am sure you would be able to figure it out on other operating systems as well.

Reference site: https://certbot.eff.org/#ubuntutrusty-other

Reference site: https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/

To install your certificate:

First install and configure Java and Tomcat to the point where you would usually generate a self-signed certificate.

------Start----
$ cd
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
$ cd /etc/letsencrypt/live/example.mydomain.ext/
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
    ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
------End---

When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${user.home}/8.0.33/conf/.keystore" keystorePass="mypassword"
           clientAuth="false" sslProtocol="TLS" />

To renew your certificate:

Essentially you repeat the process above exactly as you did right in the beginning with only one minor difference.  When you run the command to generate the cert, it will offer you an option to renew the existing one.  The rest remains unchanged.  You also must remember to stop Tomcat before the procedure and then of course start it again.  If you do not you will get an error saying that the port is already in use.

Go to where you downloaded the certbot-auto file and enter these commands:

------Start----
$ sudo service tomcat8 stop
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
    ==== SELECT OPTION 2 (to renew if it has not yet expired)
$ cd /etc/letsencrypt/live/example.mydomain.ext/
    ==== Please note: When renewing you need to use the same password used to generate the initial certificate. Check Tomcat server.xml if you can't remember.
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
    ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
    ==== CONFIRM OVERWRITE
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
$ sudo service tomcat8 start
------End---

Use the same password with which you originally installed or alternatively update your Tomcat server.xml config

If you want to test if your certificate is installed, you can do so from the command line by issuing the following:

$ curl https://example.mydomain.ext/ --tlsv1.2 --verbose

Notes:

All items in GREEN should be modified to suit your environment / password policies.

----------------------------------------------------------------------------------------------------------------

Message was edited by: Duan Gauché Correction: Incorrect: "When you configure $CATALINA_HOME/conf/context.xml use the following for port 443:" now corrected to: "When you configure $CATALINA_HOME/conf/server.xml use the following for port 443:"

Message was edited by: Duan Gauché Added instructions to renew the certificates.

Message was edited by: Duan Gauché - Added stop and start commands for Tomcat to avoid the socket in use error when renewing. - Thanks for the reminder Pascal
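The renewal procedure above, together with the cron automation the replies below talk about, as one POSIX shell script. This is an added example, not code from the original post and not part of certbot, Tomcat or Thingworx. The variable names (DOMAIN, LIVE_DIR, PASS_FILE, TOMCAT_SERVICE, TOMCAT_GROUP, CERTBOT) and the function names are assumptions; adjust them to your environment. Two design choices differ from the typed-in version: the keystore password is read from a root-only file (OpenSSL's `-passout file:` and keytool's `:file` password modifier) so it never appears in shell history or `ps` output, and Tomcat is only stopped when `openssl x509 -checkend` says a renewal is actually due, which is what makes the script safe to run daily from cron.

```shell
#!/bin/sh
# Added example: renew a Let's Encrypt certificate and rebuild the Tomcat
# keystore (PEM -> PKCS#12 -> JKS), following the steps in the post above.
# All paths and names below are hypothetical defaults; override via environment.
set -eu

DOMAIN="${DOMAIN:-example.mydomain.ext}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat8}"
KEYSTORE="${KEYSTORE:-$CATALINA_HOME/conf/.keystore}"
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/keystore.pass}"  # root-only, 0600; same value as keystorePass in server.xml
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat8}"
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat8}"
CERTBOT="${CERTBOT:-${HOME:-/root}/certbot-auto}"

# needs_renewal CERT DAYS: return 0 (true) when CERT expires within DAYS days.
# `openssl x509 -checkend` exits 0 while the cert is still valid past the window.
needs_renewal() {
    if openssl x509 -checkend $(($2 * 86400)) -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# not_after CERT: print the certificate's notAfter date as OpenSSL formats it.
not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# cert_matches_key CERT KEY: return 0 when the public key inside CERT is the
# one derived from KEY. Run before building the keystore so a cert/key mix-up
# fails here instead of as a Tomcat startup error.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# build_keystore: fullchain.pem + privkey.pem -> pkcs.p12 -> keystore.jks in a
# temp dir; prints the JKS path. Passwords come from PASS_FILE, not argv.
build_keystore() {
    workdir=$(mktemp -d)
    cert_matches_key "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem"
    openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
        -out "$workdir/pkcs.p12" -name tomcat -passout "file:$PASS_FILE"
    keytool -importkeystore -noprompt \
        -srckeystore "$workdir/pkcs.p12" -srcstoretype PKCS12 -srcstorepass:file "$PASS_FILE" \
        -destkeystore "$workdir/keystore.jks" \
        -deststorepass:file "$PASS_FILE" -destkeypass:file "$PASS_FILE" \
        -alias tomcat
    echo "$workdir/keystore.jks"
}

# install_keystore JKS: same ownership and mode as the post (root:tomcat8, 640),
# so only root can write it and only the Tomcat group can read the private key.
install_keystore() {
    cp "$1" "$KEYSTORE"
    chown "root:$TOMCAT_GROUP" "$KEYSTORE"
    chmod 640 "$KEYSTORE"
}

# renew_if_due DAYS: stop Tomcat only when renewal is due (certbot --standalone
# needs port 443 free; this is the "port already in use" error from the replies).
# The EXIT trap restarts Tomcat even if certbot or keytool fails half way.
renew_if_due() {
    if ! needs_renewal "$LIVE_DIR/cert.pem" "$1"; then
        echo "certificate valid past $1 days (notAfter=$(not_after "$LIVE_DIR/cert.pem")); nothing to do"
        return 0
    fi
    service "$TOMCAT_SERVICE" stop
    trap 'service "$TOMCAT_SERVICE" start' EXIT
    # `renew` reuses the domain, e-mail and --standalone options saved under
    # /etc/letsencrypt/renewal/ from the first certonly run.
    "$CERTBOT" renew --non-interactive
    jks=$(build_keystore)
    install_keystore "$jks"
    rm -rf "$(dirname "$jks")"
}

# Usage from root's crontab, e.g. daily:  sh renew-tomcat-cert.sh 30
if [ "${1:-}" ]; then
    renew_if_due "$1"
fi
```

Only `needs_renewal`, `not_after` and `cert_matches_key` can be exercised without certbot and a reachable host; the rest follows the post's commands one to one.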

15 REPLIES

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

This is very useful information. Thanks for sharing this!

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

You are welcome!

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

It works fine (I was losing hours with other tutorials; you saved my life!!)

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

Always happy to save a life!

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

Hello

do you have a procedure to renew the certificate after 90 days ?

I tried with "letsencrypt renew" but I got this error:

2017-01-15 07:53:28,164:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/myserver.conf produced an unexpected error: At least one of the (possibly) required ports is already taken.. Skipping.

Thanks

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

I should have included it in my original post, but here it is:

Essentially you repeat the process above exactly as you did right in the beginning with only one minor difference.  When you run the command to generate the cert, it will offer you an option to renew the existing one.  The rest remains unchanged. You also must remember to stop Tomcat before the procedure and then of course start it again.  If you do not you will get an error saying that the port is already in use.

Go to where you downloaded the certbot-auto file and enter these commands:

$ sudo service tomcat8 stop
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
    ==== SELECT OPTION 2 (to renew)
$ cd /etc/letsencrypt/live/example.mydomain.ext/
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
    ==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
    ==== CONFIRM OVERWRITE
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
$ sudo service tomcat8 start

Use the same password with which you originally installed or alternatively update your Tomcat server.xml config

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

Thanks a lot

It works fine

Just one precision to add (at least for me):

I have to stop the tomcat8 service first, otherwise port 443 is already in use when executing ./certbot-auto.

Pascal

PS : I think that your procedure should be added in the Thingworx installation guide !!

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

Thanks Pascal!

I wanted to add the start/stop notes about Tomcat, but forgot. Your post reminded me and I updated accordingly.

I am sure we could automate the procedure for every 60 days with a script and cron, but I don't have time to figure it out now.  Maybe later.

Re: Install a Free SSL Certificate from Let's Encrypt in Thingworx

Yes, I'll also automate it with a script in a crontab, as I have 5 servers to manage with letsencrypt certificates.

Fortunately the other ones are simpler than with Thingworx/tomcat (for apache, just "letsencrypt renew").

There are many examples on the web to test the validity and to renew before expiration; I'll adapt.

Pascal