letsencrypt-ssl.sh
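#!/bin/bash
#
# LetsEncrypt renewal script for Headwind MDM
#
# Obtains (or force-renews) a certificate for DOMAIN with certbot in standalone
# mode, converts it into a Java keystore that Tomcat can load, prints the
# server.xml snippet to use and restarts Tomcat.
#
# Before the first run edit DOMAIN (and HTTP_REDIRECT if you use the port 80
# redirect). The keystore password can be supplied through the KEYSTORE_PASSWORD
# environment variable; the historical default is kept so existing server.xml
# configurations keep working.
#
# Set this parameter to 1 if you're redirecting port 80 to 8080 to be able to run Headwind MDM on port 80
HTTP_REDIRECT=0
DOMAIN=your-domain.com
PASSWORD=${KEYSTORE_PASSWORD:-123456}

set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Check the placeholder first so the user gets this hint even on a machine
# where Tomcat cannot be located yet.
if [ "$DOMAIN" = "your-domain.com" ]; then
echo "Please edit this script and update HTTP_REDIRECT and DOMAIN variables!"
exit 1
fi

# Locate the Tomcat installation: the last /var/lib/tomcat* directory in glob
# order (same choice as the former `ls -d ... | tail -n1`, without parsing ls).
TOMCAT_HOME=
for d in /var/lib/tomcat*; do
  [[ -d "$d" ]] && TOMCAT_HOME=$d
done
[[ -n "$TOMCAT_HOME" ]] || die "No Tomcat installation found under /var/lib/tomcat*"
# Owner of the webapps directory is the account Tomcat runs as (GNU stat, Linux only).
TOMCAT_USER=$(stat -c '%U' -- "$TOMCAT_HOME/webapps")
# Service name is assumed to equal the directory name (e.g. tomcat9).
TOMCAT_SERVICE=${TOMCAT_HOME##*/}
SSL_DIR=$TOMCAT_HOME/ssl

# The nat rule that sends port 80 to Tomcat on 8080; removed while certbot's
# standalone server needs port 80 and restored afterwards.
readonly REDIRECT_RULE=(PREROUTING -t nat -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080)
redirect_removed=0

# Re-add the HTTP redirect rule if this script removed it. Also installed as an
# EXIT trap so a failing certbot run cannot leave the server without port 80.
restore_redirect() {
  if (( redirect_removed )); then
    /sbin/iptables -A "${REDIRECT_RULE[@]}"
    redirect_removed=0
  fi
}
trap restore_redirect EXIT

# Remove HTTP redirection to tomcat so certbot could verify the domain
if [ "$HTTP_REDIRECT" = "1" ]; then
/sbin/iptables -D "${REDIRECT_RULE[@]}"
redirect_removed=1
fi

mkdir -p -- "$SSL_DIR"

# Stop here if certbot did not succeed: rebuilding the keystore from stale or
# missing files and restarting Tomcat would only make things worse.
if ! certbot certonly --agree-tos --no-eff-email --standalone --force-renewal -d "$DOMAIN"; then
  die "certbot failed; keystore not updated and Tomcat not restarted"
fi
# Add the HTTP rule back
restore_redirect

CERTBOT_DIR=/etc/letsencrypt/live/$DOMAIN
for f in privkey.pem cert.pem fullchain.pem; do
  [[ -r "$CERTBOT_DIR/$f" ]] || die "Expected $CERTBOT_DIR/$f after the certbot run, but it is missing"
done

# The keystore files contain the private key: create them readable by the
# owner only, and pass the password via the environment rather than argv
# (argv is visible to every user through ps).
umask 077
export PASSWORD
openssl pkcs12 -export -out "$SSL_DIR/$DOMAIN.p12" -inkey "$CERTBOT_DIR/privkey.pem" \
  -in "$CERTBOT_DIR/cert.pem" -certfile "$CERTBOT_DIR/fullchain.pem" -password env:PASSWORD
keytool -importkeystore -destkeystore "$SSL_DIR/$DOMAIN.jks" -srckeystore "$SSL_DIR/$DOMAIN.p12" \
  -srcstoretype PKCS12 -srcstorepass:env PASSWORD -deststorepass:env PASSWORD -noprompt
chown -R "$TOMCAT_USER:$TOMCAT_USER" -- "$SSL_DIR"

# Major version of certbot; older releases print --version on stderr, hence 2>&1.
ENCRYPTION=RSA
CERTBOT_VERSION=$(certbot --version 2>&1 | awk '{print $2}' | awk -F. '{print $1}') || CERTBOT_VERSION=
if [[ "$CERTBOT_VERSION" =~ ^[0-9]+$ ]] && (( CERTBOT_VERSION >= 2 )); then
# In certbot 2, default encryption is ECDSA so we need to adjust it in Tomcat config
ENCRYPTION=EC
fi

cat <<EOF
The certificates should be stored here: $SSL_DIR/$DOMAIN.jks
Please add / uncomment the following section in $TOMCAT_HOME/conf/server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true">
 <SSLHostConfig>
 <Certificate certificateKeystoreFile="$SSL_DIR/$DOMAIN.jks"
 type="$ENCRYPTION" certificateKeystorePassword="$PASSWORD" />
 </SSLHostConfig>
</Connector>
EOF

# This line is required when you refresh the certificates because Tomcat needs
# to be restarted to load a new certificate.
# Here we assume the service has the same name as the Tomcat directory
# (e.g. tomcat9)
/usr/sbin/service "$TOMCAT_SERVICE" restart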