Class AcmeRenewal

java.lang.Object
edu.suffolk.litlab.efspserver.services.acme.AcmeRenewal

public class AcmeRenewal extends Object
Handles renewing the server's HTTPS/TLS certificates using the ACME protocol.

The full process is as follows:

  1. If not already present, make a user public/private key pair (i.e. for you, the org running the site).
  2. If not already present, make a domain public/private key pair (specific to this site's domain).
  3. Make a certificate signing request (CSR) and send it to Let's Encrypt.
  4. In the background, it also creates a special token that is available at a URL path known to Let's Encrypt, which they fetch to verify that we control the website at that domain.
  5. Get back a certificate chain (*.crt) from Let's Encrypt, showing that our domain public key is the approved key for our given domain.
  6. Save the domain private key and the *.crt as a Java Key Store (JKS) file. This is used by our server to serve the REST API over HTTPS.

  • Constructor Details

    • AcmeRenewal

      public AcmeRenewal()
  • Method Details

    • fetchCertificate

      public void fetchCertificate(Collection<String> domains, AcmeChallengePublisher publisher, String certPassword, String email) throws IOException, org.shredzone.acme4j.exception.AcmeException
      Throws:
      IOException
      org.shredzone.acme4j.exception.AcmeException
    • findOrRegisterAccount

      public org.shredzone.acme4j.Account findOrRegisterAccount(org.shredzone.acme4j.Session session, KeyPair accountKey, String email) throws org.shredzone.acme4j.exception.AcmeException
      Throws:
      org.shredzone.acme4j.exception.AcmeException
    • convertPEMToJKS

      public static byte[] convertPEMToJKS(File keyFile, File certFile, String password) throws NoSuchAlgorithmException, IOException, InvalidKeySpecException, CertificateException, KeyStoreException
      Converts certificate information from Let's Encrypt (plus our domain private key file) into a java key store.

      NOTE(brycew): keytool (since Java 9) says that "The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format". However, for some reason the TLS for the site won't work with PKCS (even when using pre-signed namecheap certs, so it's not a new letsencrypt thing). Not sure how to progress.

      From https://stackoverflow.com/a/58426371/11416267

      Throws:
      NoSuchAlgorithmException
      IOException
      InvalidKeySpecException
      CertificateException
      KeyStoreException
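      An added example (not the project's own convertPEMToJKS) of step 6 above, the PEM-to-JKS conversion, using only the JDK: it assumes the domain key is an unencrypted PKCS#8 RSA PEM file ("BEGIN PRIVATE KEY"), that the chain file is leaf-first as Let's Encrypt issues it, and uses a hypothetical alias "efsp". Before storing, it checks that the leaf certificate's public key belongs to the private key, since a mismatched pair produces a keystore that loads cleanly but fails every TLS handshake.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class PemToJksExample {

  // Assumption: the domain key is an unencrypted PKCS#8 RSA PEM ("-----BEGIN PRIVATE KEY-----").
  static PrivateKey readPkcs8Key(Path keyFile) throws Exception {
    String b64 = Files.readString(keyFile)
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s", "");
    byte[] der = Base64.getDecoder().decode(b64);
    return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
  }

  // Build a JKS keystore holding the domain key plus the full chain under one alias.
  static byte[] pemToJks(Path keyFile, Path chainFile, String alias, char[] password) throws Exception {
    PrivateKey key = readPkcs8Key(keyFile);
    // Reads every concatenated PEM certificate in file order (leaf first in a Let's Encrypt chain).
    Certificate[] chain = CertificateFactory.getInstance("X.509")
        .generateCertificates(new ByteArrayInputStream(Files.readAllBytes(chainFile)))
        .toArray(new Certificate[0]);
    // Refuse to build a store whose leaf certificate does not belong to this private key:
    // such a keystore loads without error but fails every TLS handshake.
    RSAPublicKey leafPub = (RSAPublicKey) chain[0].getPublicKey();
    if (!leafPub.getModulus().equals(((RSAPrivateKey) key).getModulus())) {
      throw new IllegalArgumentException("certificate does not match private key");
    }
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);                        // start from an empty store
    ks.setKeyEntry(alias, key, password, chain); // same password for store and key entry
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    ks.store(out, password);
    return out.toByteArray();
  }

  // Usage: java PemToJksExample domain.key fullchain.crt <password>   (alias "efsp" is hypothetical)
  public static void main(String[] args) throws Exception {
    byte[] jks = pemToJks(Path.of(args[0]), Path.of(args[1]), "efsp", args[2].toCharArray());
    Files.write(Path.of("keystore.jks"), jks);
  }
}
```

Using one password for both the store and the key entry matters: a server configured with only a keystore password cannot open a key entry protected by a different one.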
    • main

      public static void main(String... args) throws IOException, org.shredzone.acme4j.exception.AcmeException
      Can be run on its own: writes the token content to two different files that are independently read by the Acme service.

      Run with

       java -cp efspserver-with-deps.jar edu.suffolk.litlab.efspserver.services.acme.AcmeRenewal renew
       
      Throws:
      org.shredzone.acme4j.exception.AcmeException
      IOException