B4J Question [Solved] [ABMaterial] - using https (secure)

XbNnX_507 said:

Are you using java 8 or 9?

Click to expand...

Upgraded my server to openjdk 11 (headless). That was the only option I had.

Harris said:

Upgrade my server to openjdk 11 (headless). That was the only option I had.

Click to expand...

Ok, then i suppose you are using java 9 or openjdk 11 in your development machine b4j...
if so then you only need to generate the keystore and use it.
How are you generating the keystore?

XbNnX_507 said:

How are you generating the keystore?

Click to expand...

Explained previously in this thread... Then updated with help on a PM.

keytool -import -trustcacerts -alias root -file xxx.ca-bundle -keystore jetty.keystore

keytool -import -trustcacerts -alias jetty -file yyy.crt -keystore jetty.keystore

What says the logs B4J when you start the server?

XbNnX_507 said:

What says the logs B4J when you start the server?

Click to expand...

Before we go down this path, let me use your suggestion ( explorer - yet to see if it helps - if any or at all).

I have sprinkled Log() statements, and they say nothing out of the ordinary - when the app runs (which it doesn't since non-secure).
I posted previously an error in the logs - which makes absolutely no sense to me - since I can't see where it originated (waas not from a log() or lastexception message..

I had a problem with SSL on VPS on ABMaterial.
I did this:
1. I have generated my certifications according to https://www.b4x.com/android/forum/threads/server-ssl-connections.40130/#content
2. I used JAVA9 and the same versions on the VPS server for compilation.
3. I cached the certificate to the ABMaterial server and locally as well as online at VPS I had an unauthorized certificate. (port 433)
4. I have a free account on cloudflare.com, I slept there and I settled IP VPS. I turned on the proxy cloundflare and forced HTTPS with CF certificate.
5. The server now runs on trusted SSL CF. It loads very quickly through the proxy CF cache. I did not pay for SSL and ran several servers this way. In addition, we have hidden our IP VPS and secured server against DOS.

Maybe someone will use it.

Maybe we are getting somewhere?
Finally got this from SSLs.com after explaining (twice) what the issue was...
Apache SSL worked (always did). JAVA - Jetty did not... AND I needed a private key and a keystore...

If this doesn't work, I am returning the product (15 day money back) and going with the free (working) solutions...

Wish me luck!


Support via mtu5osii45tlgw7x.zcbjc.1n-2ljihuac.na78.bnc.salesforce.com
2:45 PM (3 hours ago)


to me



Hi,
Thank you for writing to us.
If that is the case, you can export the certificate as PFX file from the Apache server and then convert the PFX file to JKS (Java Keystore) and configure Java (Jetty) server.
In order to export the Certificate, Private Key and any intermediate certificate as a pfx file from the Apache server, use the command below:

- > openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

Note: Remember to change the names to match your file names!. And the PFX is a combination of both certificate (public) and private key.

After exporting the certificate as PFX file from Apache server, you can convert them as JKS (Java Keystore) and configure it on the new server.
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFTb
Please let us know if you need any further support.

Regards,
Sectigo - Technical Support

With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.

Harris said:

With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.

Click to expand...

I will be one of those who will surely forget someone else (you) have gone through all this trouble, and will spend over a week and over 60 posts to get is done... And then find you post!

Harris said:

With MANY Thanks to @OliverA , this issue has been resolved. I now have SSL on my VPS.
It was quite the process...

I shall provide a tutorial for everyone (mostly me - for the next time) to see how to accomplish this task.

Thanks to all for your input.

Click to expand...

Did you ever do the tutorial ? I am currently trying to get it working(Windows), Using OpenJDK 11 and ABM with a keystore file.

Jmu5667 said:

Did you ever do the tutorial ? I am currently trying to get it working(Windows), Using OpenJDK 11 and ABM with a keystore file.

Click to expand...

I started and got lost within the documenting process. Like I stated, it was a complex endeavour.

However, I managed to get Let's Encrypt running, much easier following the tut's available here. The issue with it was it's short running time before renewal.
When I tried to renew it, it would always fail. It seems so simple, but I don't get it...

Harris said:

I started and got lost within the documenting process. Like I stated, it was a complex endeavour.

However, I managed to get Let's Encrypt running, much easier following the tut's available here. The issue with it was it's short running time before renewal.
When I tried to renew it, it would always fail. It seems so simple, but I don't get it...

Click to expand...

Thanks for the reply, as usual @OliverA came to the rescue. It's the renewal thing is a pain ,,,

Jmu5667 said:

Thanks for the reply, as usual @OliverA came to the rescue. It's the renewal thing is a pain ,,,

Click to expand...

If you get the renewal thing resolved, pls let me know. My SSL is on Linux.

Harris said:

If you get the renewal thing resolved, pls let me know. My SSL is on Linux.

Click to expand...

Will do !

This looks like a good tutorial: https://www.b4x.com/android/forum/threads/server-using-lets-encrypt-on-ubuntu-vps.124059/

It is indeed the renew part that is annoying. In short, this is what I did when I used to do it myself (we now use an external company to manage our servers):

The tricky part is using apache on the linux to receive your letsencrypt key files for your domain (it needs port 80/443) and NO B4J webapps running. You then receive 2 .pem files that you have to convert to a keystore file. I used https://www.dynu.com to register my domain and it had a DNS A-Record and Web Redirect to my home server's IP address.

1. install certbot

If you are running haproxy, make sure you disable it to:

2. get your .pem keys:

3. Pick option 3 (use a file)

4. Enter the full path to your apache www root (in my case it was)

Now a file will be created there and Letsectrypt must be able to download this file to verify this domain belongs to you.

5. You receive something like this if successful:

6. Make a pkcs12 file

7. Finally convert it to a keystore file

You can now also restart haproxy (if needed)

8. And start your B4J Server

Renew:

I always wanted to look into the Let's Encrypt alternative https://zerossl.com/, as it seems to have the possibility to use a REST API (zerossl itself is also free, but the use of the REST API is paying unfortunately).

Alwaysbusy

Yep, familiar with this tut you directed us to.

Installing was not an issue... updating was - when expired...
Seems this is THE problem with FREE ssl certs (Let's Encrypt)... Manual updating - when you discover it HAS expired.

Why there is not an automatic renewal for LE, I don't understand? I paid for an other SSL that was a pain to install - but would never expire...
I would pay for that (LE - auto renew - without me going insane).

I know this is not your issue to resolve.
@OliverA is the mastermind in this regard - but us mere mortals have much trouble comprehending - and repeating / renewal.

We shall overcome - lament....

The real problem is that these SSL folks/providers DID NOT use B4X to build their product(s).
If they had, no one would have any problem with any Java implementation (in my simple mind).

Hey @Erel , build one and I shall subscribe and pay....
Thanks

I guess a cron job should do the trick so it renews before it has expired. If the renew part of my answer is in a mycertbot.sh file, something like this (untested):


Make the script executable:

This code will run on every weekend at 3.00 am.

Alwaysbusy

alwaysbusy said:

I guess a cron job should do the trick so it renews before it has expired. If the renew part of my answer is in a mycertbot.sh file, something like this (untested):

B4X:

#!/bin/sh
pkill -9 -f yourb4xjarname.jar

sudo systemctl stop haproxy.service
cd certbot-auto
sudo ./certbot-auto renew
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
sudo systemctl start haproxy.service

nohup path_to_java/bin/java -jar yourb4xjarname.jar > nohup.out &

Make the script executable:

B4X:

chmod +x /pathto/mycertbot.sh

This code will run on every weekend at 3.00 am.

B4X:

* 3 * * 6 /pathto/mycertbot.sh

Alwaysbusy

Click to expand...

What would that look like under Windows?

Harris said:

Yep, familiar with this tut you directed us to.

Installing was not an issue... updating was - when expired...
Seems this is THE problem with FREE ssl certs (Let's Encrypt)... Manual updating - when you discover it HAS expired.

Why there is not an automatic renewal for LE, I don't understand? I paid for an other SSL that was a pain to install - but would never expire...
I would pay for that (LE - auto renew - without me going insane).

I know this is not your issue to resolve.
@OliverA is the mastermind in this regard - but us mere mortals have much trouble comprehending - and repeating / renewal.

We shall overcome - lament....

The real problem is that these SSL folks/providers DID NOT use B4X to build their product(s).
If they had, no one would have any problem with any Java implementation (in my simple mind).

Hey @Erel , build one and I shall subscribe and pay....
Thanks

Click to expand...

I would pay for a solution for this.

Jmu5667 said:

What would that look like under Windows?

Click to expand...

No idea, never used a Webserver on Windows, always on Linux.

Harris said:

build one and I shall subscribe and pay

Click to expand...

I think the major problem here is the certificate has to be build on your server and domain so I don't see how one could make a 'service' out of that (well, except hosting also your webapps but then we are back to square one).

Alwaysbusy