Running Greenstone3 over HTTPS

There are two main ways of running Greenstone 3 using HTTPS:

  • [Preferred] Running an Apache server configured to support HTTPS, and reverse proxying the Tomcat server
  • Setting up Tomcat to run using HTTPS

Using Apache to reverse proxy Tomcat

Linux: Getting SSL certificates using certbot

To run your webserver under HTTPS you need an SSL certificate. Many hosting platforms have tools to let you use HTTPS; see https://certbot.eff.org/hosting_providers to check your hosting provider.

If yours doesn't, an easy and free way of getting an SSL certificate is to use certbot with Let's Encrypt. Certbot (https://certbot.eff.org/) is a free, open source software tool for automatically using Let's Encrypt certificates on manually-administered websites to enable HTTPS. Let's Encrypt is a free, automated, and open Certificate Authority.

You will need to install certbot - follow the instructions at https://certbot.eff.org/instructions and take note of the "What you need" section. Then choose your webserver ('apache', or 'other' for Tomcat) and operating system, and it will give you instructions to install certbot, plus instructions to run it to get certificates.

Once you have certbot installed, if you are using Apache, you can run

  • sudo certbot --apache - this will generate the certificates, plus also set up the Apache configuration to use them.
  • sudo certbot certonly - this will generate the certificates but do no configuration in Apache - you will need to do that yourself.

If you are adding HTTPS support to Tomcat, you can use the Greenstone ant targets to generate the certificates, then convert them and set up the Tomcat configuration to use them.

  • ant setup-https-cert - this will obtain the certificates from LetsEncrypt, and put them into Tomcat's conf folder.
  • ant renew-existing-https-cert - to run the renewal command and reinstall them into Tomcat.

The SSL certificates are installed into /etc/letsencrypt/live/<tomcat.server>.

certbot renewal timer

Once you have used certbot to obtain certificates, it sets up a systemd timer (or cron job) to automatically renew them every 60 days. You shouldn't need to re-run certbot unless your settings have changed. Note that if port 80 is not normally open on your server, and you opened it only to generate the initial certificates, this renewal won't work. You'll need to open up port 80 and run

  • sudo certbot renew.

Note, if you are using Tomcat directly, then you will need to manually install the renewed certificate into Tomcat, or follow the instructions below for making that happen automatically.

sudo systemctl list-timers - to view systemd timers. When certbot was installed as a snap, the certbot timer 'snap.certbot.renew.timer' activates the service snap.certbot.renew.service.

The timer itself is in /etc/systemd/system/snap.certbot.renew.timer. By default it runs snap.certbot.renew.service twice a day. This service looks at all certificates and determines whether they need renewal - by default, anything that expires within 30 days.

Viewing the timer: sudo systemctl cat snap.certbot.renew.timer

Editing it: sudo systemctl edit snap.certbot.renew.timer - this creates an override (drop-in) file rather than changing the original unit.

For example, if you want to change the timing: OnCalendar is cumulative, so you need to clear it with an empty assignment first, then add the new schedule. The override file must put the settings under the [Timer] section header:

[Timer]
OnCalendar=
OnCalendar=*-*-* 15:17

sudo systemctl status snap.certbot.renew.timer - I think this will show if there is an override file being used.

Automatic certificate renewal for Tomcat (Greenstone 3.12)

While certbot sets up timers for automatic renewal of certificates, this doesn't include converting those files to the form Tomcat needs. The following are steps you can take to have this happen automatically.
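As an added example (not from this page or the Greenstone ant targets), a certbot deploy hook that does that conversion after every successful renewal: it packages the renewed PEM files into a PKCS12 keystore, installs it into Tomcat's conf folder with owner-only permissions, and restarts Tomcat. The Tomcat conf path, account, systemd unit name and keystore password file are assumptions; adjust them for your installation.

```shell
#!/bin/sh
# Added example, not part of the Greenstone page or its ant targets.
# certbot deploy hook: turn the renewed Let's Encrypt PEM files into a
# PKCS12 keystore for Tomcat and restart Tomcat. certbot runs deploy
# hooks after each successful renewal with RENEWED_LINEAGE set to
# /etc/letsencrypt/live/<name>. Paths, user and unit name below are
# assumed placeholders; override them via the environment if needed.
set -eu

TOMCAT_CONF="${TOMCAT_CONF:-/opt/tomcat/conf}"        # assumed conf folder
TOMCAT_USER="${TOMCAT_USER:-tomcat}"                  # assumed account
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"            # assumed systemd unit
PASS_FILE="${PASS_FILE:-$TOMCAT_CONF/keystore.pass}"  # keystore password

# Succeed only when the lineage dir holds both files the export needs.
check_lineage() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Export key + full chain into a PKCS12 file, created owner-readable
# only. Tomcat 8.5+ reads this directly with
# certificateKeystoreType="PKCS12" on the HTTPS connector.
make_keystore() {
    # $1 = lineage dir, $2 = output file, $3 = password file
    ( umask 077 && openssl pkcs12 -export \
        -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
        -name tomcat -passout "file:$3" -out "$2" )
}

# Build the new keystore beside the old one and swap it in atomically,
# so Tomcat never sees a half-written file, then restart Tomcat.
deploy() {
    lineage="${RENEWED_LINEAGE:?certbot did not set RENEWED_LINEAGE}"
    if ! check_lineage "$lineage"; then
        echo "missing fullchain.pem/privkey.pem in $lineage" >&2
        return 1
    fi
    tmp="$(mktemp "$TOMCAT_CONF/keystore.XXXXXX")"
    make_keystore "$lineage" "$tmp" "$PASS_FILE"
    chown "$TOMCAT_USER" "$tmp" && chmod 600 "$tmp"
    mv -f "$tmp" "$TOMCAT_CONF/keystore.p12"
    systemctl restart "$TOMCAT_SERVICE"
}

# Only deploy when certbot invoked us (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Install it, executable, as /etc/letsencrypt/renewal-hooks/deploy/tomcat-keystore.sh (or pass it with --deploy-hook) so the renewal timer described above also refreshes Tomcat's keystore.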

en/user_advanced/gs3_https.1739405458.txt.gz · Last modified: 2025/02/13 00:10 by kjdon