B4J Tutorial [Server] Using Let's Encrypt on Ubuntu VPS

Spoiler: Intro

So I have created a few JRDC2 apps. I put them on a VPS as live demo. It is running on Ubuntu 18.04 64 bit. Today I wanted to make the app more secure by enabling SSL certificate. I have chosen to use Let's Encrypt. There are many tutorials here but I am confused with the steps. Especially for people who are not familiar with Linux path and commands.
The steps explained in http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool (updated link: Generating Key Pairs and Certificates) is confusing and I have read many times tried to understand which parts are required. After spending a few hours, I have finally able to put all the puzzles together.

To summarize what I have learned,
I can enable SSL (or https in the URL) in my app without purchasing an SSL certificate (since my app is for demo/testing purpose and not considered critical). Let's Encrypt is a popular choice. I found it is easy to install on Ubuntu. Once installed, my website is now SSL enabled (served by Apache on port 80).

#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates

Downloading and Installing Let's Encrypt
1. Update the server's packages

apt-get update & sudo apt-get upgrade

2. Install the GIT package

apt-get install git

3. Download a clone of Let's Encrypt from the GitHub repository to /opt

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

4. Navigate to the new /opt/letsencrypt directory

cd /opt/letsencrypt

Creating an SSL Certificate
1. Run Let's Encrypt (api.puterise.com is my domain)*

./letsencrypt-auto certonly --standalone -d api.puterise.com

2. Follow the steps
3. Agree to the Terms of Service
4. If everything worked properly, you should receive a message similar to the following

IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/api.puterise.com/fullchain.pem. Your cert will expire on 2021-01-31. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Now, to make it work on B4J JRDC2 app:

#2 How to use Letsencrypt certificate & private key with Jetty (xkr47/letsencrypt-jetty.sh)

root@computer:/etc/letsencrypt/live/api.puterise.com# openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem

root@computer:/etc/letsencrypt/live/api.puterise.com# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

root@computer:/etc/letsencrypt/live/api.puterise.com# rm keystore.pkcs12

Enter and verify the source and destination password.

Now I can use the keystore file in B4J server code.

ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file

Conclusion:
The above steps explained how I can enable SSL in hosted VPS server with certificates already generated by Let's Encrypt.
For local development machine, it is easier to follow the steps to generate the keystore file from Generating Key Pairs and Certificates.

#If RELEASE
ssl.SetKeyStorePath("/etc/letsencrypt/live/api.puterise.com", "keystore.jks") 'path to keystore file
#Else
ssl.SetKeyStorePath("C:\SSL", "jetty.keystore") 'path to keystore file
#End If

 

[yfleury]

I try this

root@vps-7a1ecfb2:/opt/letsencrypt/letsencrypt-auto-source# sudo apt install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python-pyicu python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-mock
  python3-openssl python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools
  python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
Suggested packages:
...
...
Setting up python3-certbot (0.31.0-1+deb10u1) ...
Setting up certbot (0.31.0-1+deb10u1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.

and this

root@vps-7a1ecfb2:/opt/letsencrypt/letsencrypt-auto-source# ./letsencrypt-auto certonly --standalone -d reseau-municipal.ca
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

list file in folder /opt/letsencrypt/

root@vps-7a1ecfb2:/opt/letsencrypt# ls
acme                        certbot-dns-gehirn       CHANGELOG.md             pytest.ini
AUTHORS.md                  certbot-dns-google       CODE_OF_CONDUCT.md       README.rst
certbot                     certbot-dns-linode       CONTRIBUTING.md          SECURITY.md
certbot-apache              certbot-dns-luadns       docker-compose.yml       snap
certbot-ci                  certbot-dns-nsone        Dockerfile-dev           tests
certbot-compatibility-test  certbot-dns-ovh          letsencrypt-auto-source  tools
certbot-dns-cloudflare      certbot-dns-rfc2136      letstest                 tox.cover.py
certbot-dns-digitalocean    certbot-dns-route53      LICENSE.txt              tox.ini
certbot-dns-dnsimple        certbot-dns-sakuracloud  linter_plugin.py         windows-installer
certbot-dns-dnsmadeeasy     certbot-nginx            mypy.ini

I can't run b4j webserver in secure

 

[aeric]

Snap is the recommended way to install Certbot but I didn't get it to install previously (due to my VM doesn't support Snap). I am bias and dislike Snap. However, you may try and see if it works for you.

Alternative way is to use Pip. I haven't tried it but if Snap doesn't work for you or you want to skip it, give it a try.
https://certbot.eff.org/instructions?ws=other&os=pip

I am not familiar with Docker but you can give it a try too if all the ways above failed.

 

[Sandman]

Just a note, there's nothing special with certbot. There are lots of alternatives available: https://letsencrypt.org/docs/client-options/

I use Lego, and find it very good. More info about that client at https://go-acme.github.io/lego/ and https://github.com/go-acme/lego.

 

[aeric]

Just a note, there's nothing special with certbot. There are lots of alternatives available: https://letsencrypt.org/docs/client-options/

I use Lego, and find it very good. More info about that client at https://go-acme.github.io/lego/ and https://github.com/go-acme/lego.

I prefer to use apt-get for Debian or Ubuntu.

sudo apt-get update -y
sudo apt-get install -y lego

 

[Sandman]

Me too.