Differences

This shows you the differences between two versions of the page.

--- en:user_advanced:gs3_https [2025/02/13 00:29] – [Automatic certificate renewal for Tomcat (Greenstone 3.12)] kjdon
+++ en:user_advanced:gs3_https [2025/02/13 01:02] (current) – [Using Apache to reverse proxy Tomcat] kjdon
@@ Line 6: / Line 6: @@
 ===== Using Apache to reverse proxy Tomcat =====
+Install and setup Apache with certbot SSL certificates. Then in the le-ssl.conf file (eg /etc/httpd/sites-enabled/000-defualt-le-ssl.conf) add teh following into the <VirtualHost *:443> node:
+       ProxyPass /greenstone3 http://localhost:8383/greenstone3
+       ProxyPassReverse /greenstone3 http://localhost:8383/greenstone3
+       <Location /greenstone3>
+            ProxyPassReverseCookiePath /greenstone3 /greenstone3
+       </Location>
+       ProxyPass /webswing-server/ http://localhost:8383/webswing-server/ upgrade=websocket
+In build.properties, you will need to set the revproxy settings:
+    revproxy.protocol=https
+    revproxy.domain=<DOMAIN>
+    ##revproxy.opt_port=8080  - this can stay commented out if you don't want a port number to appear in the public URL
+    ##revproxy.context=/greenstone3  - this can stay commented out if you are using the same context as greenstone3.context
 ===== Linux: Getting SSL certificates using certbot =====
-A
 To have your webserver running under https, you need an SSL certificate. Many hosting platforms have tools to let you use HTTPS. See [[https://certbot.eff.org/hosting_providers]] to check your hosting provider.
@@ Line 19: / Line 38: @@
 Take note of the "What you need" section. Then, choose your webserver ('apache' or 'other' for Tomcat) and operating system, and it will give you instructions to install certbot, plus also instructions to run it to get certificates.
+Port 80 must be open to obtain and renew a certificate.
 Once you have certbot installed, if you are using Apache, you can run
@@ Line 72: / Line 92: @@
 ''sudo systemctl status snap.certbot.renew.timer'' - I think will show if there is an override file being used.
+===== Setting up Tomcat with SSL Certificates =====
+Greenstone provides some ant targets to help you set up Tomcat with HTTPS.
+  * ''setup-https-cert'' - will run certbot to generate a certificate. certbot doesn't generate files in a form that Tomcat likes, so this will run an extra step of converting the files to Tomcat's preferred version, and installing them into Tomcat.
+  * ''renew-existing-https-cert'' - will run the certbot renew command, and then do the conversion.
+  * ''install-https-cert-linux'' - will just run the conversion step to get an existing certificate into Tomcat - run this once your certificate has renewed automatically.
+  * ''install-https-cert-linux-nopwd'' - as above, but is set up so that you can automate this. See below.
 ==== Automatic certificate renewal for Tomcat (Greenstone 3.12) ====
-While certbot sets up timers for automatic renewal of certificates, this doesn't include the conversion of those files to the form Tomcat likes.
+While certbot sets up timers for automatic renewal of certificates, this doesn't include the conversion of those files to the form Tomcat likes. To do this we use a program called openssl to export the certificates. This needs to access the letsencrypt files, which are owned by root. Therefore to run the openssl command we need to use sudo. The openssl command generates a file in /tmp, which is also owned by root. We copy this into Tomcat and then delete that file in /tmp, which also requires sudo. Then, Tomcat needs
+to be restarted to use the new certificate.
-After a certificate has renewed, you can run the following to have
+You can set commands to be run before/after renewal using hook arguments to the certbot renew command. ([[https://eff-certbot.readthedocs.io/en/latest/using.html#renewing-certificates]]) Once certbot has renewed a certificate, what we need to do is shutdown Tomcat, convert the certificate, copy it in to Tomcat's area, then restart.
-The following are steps you can take for having this happen automatically.
-Tomcat, however, does not do this. We need to convert the letsencrypt certificates into a form that tomcat likes. To do this we use a program called openssl to export the certificates. This needs to access the letsencrypt files, which are owned by root. Therefore to run the openssl command we need to use sudo. The openssl command generates a file in /tmp, which is also owned by root. We copy this into Tomcat and then delete that file in /tmp, which also requires sudo.
+There is a script in Greenstone3 - ''ant-update-https-cert-and-restart.sh'' - which does these things. You can add this script as a deploy-hook. To get this added to the renewal options, run a forced renewal.
-   * You can set commands to be run before/after renewal using hook arguments. Once certbot has renewed a certificate, what we need to do is shutdown Tomcat, convert the certificate, copy it in to Tomcat's area, then restart. I have made a file at the top level: ant-update-https-cert-and-restart.sh, which does these things. I ran a forced-renewal with this script as a deploy-hook, and it was called after the renewal had succeeded. Yay.
-  *  You can see the options for a renewal at /etc/letsencrypt/renewal/sdl.sdb.org.conf. You can see in there that there is a renew-hook option set. (Not sure about the naming, when I ran it I used --deploy-hook option...)
-Renewal options stored in /etc/letsencrypt/renewal/DOMAIN.conf
+'' sudo certbot renew --deploy-hook <PATH-TO-GREENSTONE3>/ant-update-https-cert-and-restart.sh --force-renewal''
-If you re-run a renwal with --force-renewal, it will save your new options. Also, you can edit this file.
+You can see the options for a renewal at ''/etc/letsencrypt/renewal/<DOMAIN>.conf''. If you run a force-renewal it will save your new options.  Also, you can edit this file.
+Note, automatic running of this script requires some setup for sudo to be run with no password. See below.
-sudo certbot renew --deploy-hook /home/salesians/gs3-svn/ant-update-https-cert-and-restart.sh --http-01-port 80 --force-renewal
 === Getting things to run as sudo with no password ===
 There are two commands that need to be run as root - openssl converting the fullchain and key files into tomcats format (as letsencrypt files are owned by root), and the deleting of the root owned resultant file (we copy it into tomcat giving it local user ownership)
-Script convert-https-cert.sh runs the openssl command.
+Script ''convert-https-cert.sh'' runs the openssl command.
-We need to enable no password for this script and also for hte rm command.
+We need to enable no password for this script and also for the ''rm'' command.
+Edit the sudoers file (actually lets just edit a custom file in sudoers.d, so we are not mucking with the main file):
+''sudo visudo /etc/sudoers.d/custom''
-sudo visudo /etc/sudoers.d/custom
+<code>
+# allow running of Greenstone3's SSL certificate file conversion with no password
+%sudo ALL=(root) NOPASSWD: <PATH-TO-GREENSTONE3>/convert-https-cert.sh
+%sudo ALL=(root) NOPASSWD: /usr/bin/rm /tmp/<DOMAIN>_fullchain_and_key.p12
+</code>
-# allow running of a script with no password
+Substitute <PATH-TO-GREENSTONE3> and <DOMAIN> - the latter should be set to the value of tomcat.server in the build.properties.
-%sudo ALL=(root) NOPASSWD: /home/salesians/gs3-svn/convert-https-cert.sh
-%sudo ALL=(root) NOPASSWD: /usr/bin/rm /tmp/sdl.sdb.org_fullchain_and_key.p12