B4J Tutorial [Server] Using Let's Encrypt on Ubuntu VPS

So I have created a few JRDC2 apps. I put them on a VPS as live demo. It is running on Ubuntu 18.04 64 bit. Today I wanted to make the app more secure by enabling SSL certificate. I have chosen to use Let's Encrypt. There are many tutorials here but I am confused with the steps. Especially for people who are not familiar with Linux path and commands.
The steps explained in http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool (updated link: Generating Key Pairs and Certificates) is confusing and I have read many times tried to understand which parts are required. After spending a few hours, I have finally able to put all the puzzles together.

To summarize what I have learned,
I can enable SSL (or https in the URL) in my app without purchasing an SSL certificate (since my app is for demo/testing purpose and not considered critical). Let's Encrypt is a popular choice. I found it is easy to install on Ubuntu. Once installed, my website is now SSL enabled (served by Apache on port 80).

#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates

Downloading and Installing Let's Encrypt
1
. Update the server's packages
Bash:
apt-get update & sudo apt-get upgrade
2. Install the GIT package
Bash:
apt-get install git
3. Download a clone of Let's Encrypt from the GitHub repository to /opt
Bash:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
4. Navigate to the new /opt/letsencrypt directory
Bash:
cd /opt/letsencrypt
Creating an SSL Certificate
1
. Run Let's Encrypt (api.puterise.com is my domain)*
Bash:
./letsencrypt-auto certonly --standalone -d api.puterise.com
2. Follow the steps
3. Agree to the Terms of Service
4. If everything worked properly, you should receive a message similar to the following
IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/api.puterise.com/fullchain.pem. Your cert will expire on 2021-01-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Now, to make it work on B4J JRDC2 app:

#2 How to use Letsencrypt certificate & private key with Jetty (xkr47/letsencrypt-jetty.sh)

Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
Bash:
root@computer:/etc/letsencrypt/live/api.puterise.com# rm keystore.pkcs12
Enter and verify the source and destination password.

1604094103505.png

Now I can use the keystore file in B4J server code.
B4X:
ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file


Conclusion:
The above steps explained how I can enable SSL in hosted VPS server with certificates already generated by Let's Encrypt.
For local development machine, it is easier to follow the steps to generate the keystore file from Generating Key Pairs and Certificates.

1604094565572.png


B4X:
#If RELEASE
ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file
#Else
ssl.SetKeyStorePath("C:\SSL", "jetty.keystore") 'path to keystore file
#End If
 

aeric

Expert
Licensed User
Longtime User
Using self signed certificates (generated by keytool or openssl) in localhost causing my client B4X apps unable to connect using OKHttp so I gave up and just use normal http connection.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

To avoid the above errors, I only use SSL during production with Let's Encrypt.
B4X:
#If RELEASE
    Dim ssl As SslConfiguration
    ssl.Initialize  
    ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file
    ssl.KeyStorePassword = "keystorepassword"
    'ssl.KeyManagerPassword = "passwordkeystore"
    srvr.SetSslConfiguration(ssl, SslPort)
    'add filter to redirect all traffic from http to https (optional)
    srvr.AddFilter("/*", "HttpsFilter", False)
#End If
 
Last edited:

tchart

Well-Known Member
Licensed User
Longtime User
@aeric have you looked at certbot? https://certbot.eff.org/

I use this as it sends reminders when the cetificate is about to expire.

Steps are pretty simple too;

Bash:
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update

sudo apt-get install certbot

certbot certonly --standalone

Follow the prompts, use a real email as it will remind you when the cert is about to expire.

Then to renew just run this;

Bash:
cerbot renew

The renew command is great as you can run it as often as you want and it will only renew when its time - so for example you can run this on startup of your server.

To convert to a Java keystore I use this script (run from my app directory - note this replaces the entire keystore);

Bash:
rm jetty.keystore

# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem -name jetty -passout pass:keystorepassword

# convert PKCS#12 file into Java keystore format
/opt/jdk/jdk-11.0.2/bin/keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore jetty.keystore -storepass keystorepassword -srcstorepass keystorepassword

# don't need the PKCS#12 file anymore
rm keystore.pkcs12
 

TILogistic

Expert
Licensed User
Longtime User
Other for Cpanel VPS :


If you don't have cpanel install webadmin:

 

aeric

Expert
Licensed User
Longtime User
I forgotten to renew the certificate. It has expired today. So now I am trying to renew.
Installing certbot in Ubuntu 18.04 (using snap).
Bash:
root@computerise:~# sudo snap install certbot --classic
error: system does not fully support snapd: cannot mount squashfs image using
       "squashfs": mount: /tmp/sanity-mountpoint-561435955: mount failed:
       Operation not permitted.

It says that Ubuntu 18.04 should already have snap but it turned out that the version I installed in the VPS doesn't have snap. (Snap is actually installed but not working)
Bash:
$ sudo apt update
$ sudo apt install snapd
Try again but still the same error.

Trying to update linux kernel. (this step is unnecessary)
https://dausruddin.com/ubuntu-syste...d-cannot-mount-squashfs-image-using-squashfs/
Bash:
$ sudo apt install linux-image-generic-hwe-18.04 linux-headers-generic-hwe-18.04
Bash:
$ sudo reboot
Not success in updating the kernel 5.0.4. Tried install other kernels. (this step is unnecessary)

Update linux kernel using "traditional way" (this step is unnecessary)
https://hostadvice.com/how-to/how-to-update-and-upgrade-your-linux-kernel/
Bash:
$ uname -sr
$ sudo apt-get update
$ sudo apt-get dist-upgrade

Try again but still not get it to work with snap. Then I found:
https://community.letsencrypt.org/t...-mount-squashfs-image-using-squashfs/132689/6
Bash:
$ sudo systemd-detect-virt
openvz
Meaning my VM is not supported.

Install certbot (without snap)
Bash:
$ sudo apt install certbot
Installation done.

Bash:
$ ./letsencrypt-auto certonly --standalone -d api.puterise.com
Upgrading certbot-auto 1.9.0 to 1.11.0...
Replacing certbot-auto...
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.puterise.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

So, now there is a problem with apache.
Bash:
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Solution: https://community.letsencrypt.org/t...lugin-does-not-appear-to-be-installed/95682/2
Bash:
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo service apache2 start

Try renew again:
Bash:
$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.puterise.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/api.puterise.com.conf with version 0.27.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
/etc/letsencrypt/options-ssl-apache.conf has been manually modified; updated file saved to /usr/lib/python3/dist-packages/certbot_apache/options-ssl-apache.conf. We recommend updating /etc/letsencrypt/options-ssl-apache.conf for security purposes.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.puterise.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/api.puterise.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/api.puterise.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

taada...
Now restart my B4J server apps.
 
Last edited:

OliverA

Expert
Licensed User
Longtime User
Now restart my B4J server apps
You’ll have to recreate your keystore file. Otherwise the jServer will not use the new certificate
 

OliverA

Expert
Licensed User
Longtime User

aeric

Expert
Licensed User
Longtime User
certbot-auto has been deprecated. See: https://certbot.eff.org/lets-encrypt/ubuntubionic-other. Looks like the new certbot has some pre and post hooks that could be used to
pre-hook: stop jServer
post-hook: create/update keystore and start jServer
Unfortunately the VPS image I am using does not support update to latest version. Until it stops working one day, I just leave it first. The purpose of the VPS is just for my experiment and demo. It is the cheapest VPS hosting package with very minimum specs. If one day I need a real production server, I will take note on this. Thanks. :)
 

OliverA

Expert
Licensed User
Longtime User
Unfortunately the VPS image I am using does not support update to latest version
What version are you looking for? For 18.0.5 LTS it seems to be 0.27 (that's what I have running). I use it to renew (manually) my certs. I just tried
Bash:
sudo certbot renew --dry-run
and it works fine
 

aeric

Expert
Licensed User
Longtime User
What version are you looking for? For 18.0.5 LTS it seems to be 0.27 (that's what I have running). I use it to renew (manually) my certs. I just tried
Bash:
sudo certbot renew --dry-run
and it works fine

My certbot is still working. It just prompt me that it might not working...

Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/api.puterise.com.conf with version 0.27.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
 

OliverA

Expert
Licensed User
Longtime User
That (the updated config file) may have happened when you tried to upgrade it via snap (instead of just letting apt-get do it).
 

ilan

Expert
Licensed User
Longtime User
very nice tutorial thanx aeric.
i have a server running on a google cloud VM instance running Debian 10. i managed to create an SSL certificate from let's encrypt using certbot. everything works fine. if i enter the site from my mobile phone I see the lock left to my domain and also at home but at my work i get a security warning "NOT SECURE". what could be the reason? it may be the firewall security at my work but why can i access other websites over HTTPS like b4x and much more? could it be that the lets encrypt certificate is not good enough?
 

aeric

Expert
Licensed User
Longtime User
very nice tutorial thanx aeric.
i have a server running on a google cloud VM instance running Debian 10. i managed to create an SSL certificate from let's encrypt using certbot. everything works fine. if i enter the site from my mobile phone I see the lock left to my domain and also at home but at my work i get a security warning "NOT SECURE". what could be the reason? it may be the firewall security at my work but why can i access other websites over HTTPS like b4x and much more? could it be that the lets encrypt certificate is not good enough?
I don’t think this is because let’s encrypt is not good enough. Have you try restart the browser because I suspect the browser is loading old cache. Refresh and click the “i” near the lock and see is the certificate is valid.
 

yfleury

Active Member
Licensed User
Longtime User
./letsencrypt-auto certonly --standalone -d reseau-municipal
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
 

yfleury

Active Member
Licensed User
Longtime User
Just for the followers, remove $ sign
B4X:
sudo apt install certbot
 
Top