There are two main ways of running Greenstone 3 using HTTPS:
Install and setup Apache with certbot SSL certificates. Then in the le-ssl.conf file (eg /etc/httpd/sites-enabled/000-defualt-le-ssl.conf) add teh following into the <VirtualHost *:443> node:
ProxyPass /greenstone3 http://localhost:8383/greenstone3
ProxyPassReverse /greenstone3 http://localhost:8383/greenstone3
<Location /greenstone3>
ProxyPassReverseCookiePath /greenstone3 /greenstone3
</Location>
ProxyPass /webswing-server/ http://localhost:8383/webswing-server/ upgrade=websocket
In build.properties, you will need to set the revproxy settings:
revproxy.protocol=https revproxy.domain=<DOMAIN> ##revproxy.opt_port=8080 - this can stay commented out if you don't want a port number to appear in the public URL ##revproxy.context=/greenstone3 - this can stay commented out if you are using the same context as greenstone3.context
To have your webserver running under https, you need an SSL certificate. Many hosting platforms have tools to let you use HTTPS. See https://certbot.eff.org/hosting_providers to check your hosting provider.
If yours doesn't, an easy way of getting an SSL certificate, which is free, is to use certbot and LetsEncrypt. Certbot https://certbot.eff.org/ is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. LetsEncrypt is a free, automated, and open Certificate Authority. About Certbot
You will need to install certbot - follow the instructions at https://certbot.eff.org/instructions Take note of the "What you need" section. Then, choose your webserver ('apache' or 'other' for Tomcat) and operating system, and it will give you instructions to install certbot, plus also instructions to run it to get certificates.
Port 80 must be open to obtain and renew a certificate.
Once you have certbot installed, if you are using Apache, you can run
sudo certbot –apache - this will generate the certificates, plus also setup Apache configuration to use them.sudo certbot certonly - will generate the certificates, but do no configuration in Apache - you will need to do that yourself.If you are adding https support to Tomcat, you can use the Greenstone ant targets to generate the certificates, plus then convert them and setup Tomcat configuration to use them.
ant setup-https-cert - this will obtain the certificates from LetsEncrypt, and put them into Tomcat's conf folder.ant renew-existing-https-cert - to run the renewal command and reinstall them into Tomcat.The SSL certificates are installed into /etc/letsencrypt/live/<tomcat.server>
Once you use certbot to obtain certificates, it sets up a systemd timer (or cronjob) to automatically renew them every 60 days. You shouldn't need to re-run certbot unless your settings have changed.
If you are using Apache, you won't need to do anything else, as it links directly to the live certificates. If you are using Tomcat directly with HTTPS, then you will need to manually install the certificate into Tomcat or follow the instructions for making that happen automatically. See below.
Note, if your port 80 is not open by default, and you opened it just for generating the initial certificates, this renewal won't work. You'll need to open up port 80, and run
sudo certbot renew.
You can also run sudo certbot renew –dry-run to test if the renewal will work, without actually renewing the certificate.
If your renewal has failed, you will get an email telling you this.
To check the logs: sudo ls /var/log/letsencrypt
You can look at the latest one: sudo less /var/log/letsencrypt/letsencrypt.log
The log will tell you eg that your renewal had failed bacuse it couldn't access port 80. Or whatever the error was.
sudo systemctl list-timers - to view systemd timers. The certbot timer 'snap.certbot.renew.timer' will activate the service snap.certbot.renew.service
The timer itself is in /etc/systemd/system/snap.certbot.renew.timer
By default this runs twice a day snap.certbot.renew.service.
This looks at all certificates and determines if they need renewal - by default, anything that is expiring within 30 days.
Viewing the timer:
sudo systemctl cat snap.certbot.renew.timer
Editing it:
sudo systemctl edit snap.certbot.renew.timer
This just creates an override file.
Eg if you want to change the timing, OnCalendar is cumulative. So need to set it to empty first, then add the new one
OnCalendar= OnCalendar=*-*-* 15:17
sudo systemctl status snap.certbot.renew.timer - I think will show if there is an override file being used.
Greenstone provides some ant targets to help you set up Tomcat with HTTPS.
setup-https-cert - will run certbot to generate a certificate. certbot doesn't generate files in a form that Tomcat likes, so this will run an extra step of converting the files to Tomcat's preferred version, and installing them into Tomcat.renew-existing-https-cert - will run the certbot renew command, and then do the conversion.install-https-cert-linux - will just run the conversion step to get an existing certificate into Tomcat - run this once your certificate has renewed automatically.install-https-cert-linux-nopwd - as above, but is set up so that you can automate this. See below.While certbot sets up timers for automatic renewal of certificates, this doesn't include the conversion of those files to the form Tomcat likes. To do this we use a program called openssl to export the certificates. This needs to access the letsencrypt files, which are owned by root. Therefore to run the openssl command we need to use sudo. The openssl command generates a file in /tmp, which is also owned by root. We copy this into Tomcat and then delete that file in /tmp, which also requires sudo. Then, Tomcat needs to be restarted to use the new certificate.
You can set commands to be run before/after renewal using hook arguments to the certbot renew command. (https://eff-certbot.readthedocs.io/en/latest/using.html#renewing-certificates) Once certbot has renewed a certificate, what we need to do is shutdown Tomcat, convert the certificate, copy it in to Tomcat's area, then restart.
There is a script in Greenstone3 - ant-update-https-cert-and-restart.sh - which does these things. You can add this script as a deploy-hook. To get this added to the renewal options, run a forced renewal.
sudo certbot renew –deploy-hook <PATH-TO-GREENSTONE3>/ant-update-https-cert-and-restart.sh –force-renewal
You can see the options for a renewal at /etc/letsencrypt/renewal/<DOMAIN>.conf. If you run a force-renewal it will save your new options. Also, you can edit this file.
Note, automatic running of this script requires some setup for sudo to be run with no password. See below.
There are two commands that need to be run as root - openssl converting the fullchain and key files into tomcats format (as letsencrypt files are owned by root), and the deleting of the root owned resultant file (we copy it into tomcat giving it local user ownership)
Script convert-https-cert.sh runs the openssl command.
We need to enable no password for this script and also for the rm command.
Edit the sudoers file (actually lets just edit a custom file in sudoers.d, so we are not mucking with the main file):
sudo visudo /etc/sudoers.d/custom
# allow running of Greenstone3's SSL certificate file conversion with no password %sudo ALL=(root) NOPASSWD: <PATH-TO-GREENSTONE3>/convert-https-cert.sh %sudo ALL=(root) NOPASSWD: /usr/bin/rm /tmp/<DOMAIN>_fullchain_and_key.p12
Substitute <PATH-TO-GREENSTONE3> and <DOMAIN> - the latter should be set to the value of tomcat.server in the build.properties.