Install SSL Certificate

From iDempiere en

Letsencrypt

You can use letsencrypt to generate a free certificate for your server.

The instruction to generate a certificate depends on your operating system and the http server used (or not used). Usually you can find precise instructions for your setup at https://certbot.eff.org/

This guide is about how to install the letsencrypt certificate into your iDempiere instance, instead of the self-signed certificate generated during setup.

First you need to run setup as usual. This generates a self-signed certificate in $IDEMPIERE_HOME/jettyhome/etc/keystore

After that you execute the following instructions to import the letsencrypt certificate here:

# Convert the certificate into a format Jetty can use
# execute as ROOT!!

# NOTE: the script assumes your iDempiere folder is /opt/idempiere-server, if you installed it elsewhere, then please change the path accordingly
export IDEMPIERE_HOME=/opt/idempiere-server
. $IDEMPIERE_HOME/utils/myEnvironment.sh server

# or set the variable ADEMPIERE_KEYSTOREPASS below
# ADEMPIERE_KEYSTOREPASS=myPassword
ADEMPIERE_KEYSTOREPASS=$( java -cp /opt/idempiere-server/plugins/org.eclipse.jetty.util_*.jar org.eclipse.jetty.util.security.Password "$ADEMPIERE_KEYSTOREPASS" |& sed -n 2p )
export ADEMPIERE_KEYSTOREPASS

# NOTE: if your hostname is not the same as the registered name for letsencrypt, then set it manually here:
export DOMAIN=`hostname`

mkdir -p /tmp/key
cd /tmp/key

openssl pkcs12 -passout env:ADEMPIERE_KEYSTOREPASS -export \
    -in /etc/letsencrypt/live/$DOMAIN/fullchain.pem \
    -inkey /etc/letsencrypt/live/$DOMAIN/privkey.pem \
    -out fullchain_and_key.p12 \
    -name idempiere

keytool -importkeystore -destkeystore keystore_le -srckeystore fullchain_and_key.p12 \
    -alias idempiere \
    -srcstorepass:env ADEMPIERE_KEYSTOREPASS \
    -deststorepass:env ADEMPIERE_KEYSTOREPASS -noprompt

keytool -import -destkeystore keystore_le \
    -file /etc/letsencrypt/live/$DOMAIN/chain.pem -alias root \
    -storepass:env ADEMPIERE_KEYSTOREPASS -noprompt

chown idempiere:idempiere keystore_le
cp -p keystore_le $IDEMPIERE_HOME/jettyhome/etc/keystore

rm -rf /tmp/key

Example using Comodo

During the installation of iDempiere, a self signed certificate is created and setup with tomcat server. This certificate is not authenticate with popular CA. It's common to buy a certificate from trusted CA and to replace it.

For test purpose, we use a free trial 90 day-version of comodo Free trial ssl

Step overview

Command is execute in folder [idempiere_root]/keystore

  • Create KeyStore
keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.keystore 

this step is done during iDempiere installation.

Keystoresetup.jpg

Remember keystore password for later use

  • Create CSR file (for CA as comodo make certificate for you)

CSR Generation

keytool -certreq -keyalg RSA -file domain.csr -keystore myKeystore -alias idempiere
    • Keystore file of iDempiere is myKeystore
    • alias is iDempiere
  • upload file domain.csr to comodo, do flow guilder of comodo

you will receive a zip file containing the files below. Extract them to [idempiere_root]/keystore: file description

    • AddTrustExternalCARoot.crt (Root entity certificate)
    • COMODORSAAddTrustCA.crt (Intermediate entity certificate)
    • COMODORSADomainValidationSecureServerCA.crt (Intermediate entity certificate)
    • domain.crt (domain entity certificate)
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore myKeystore
keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file COMODORSAAddTrustCA.crt -keystore myKeystore
keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore myKeystore
keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore myKeystore
keytool -import -trustcacerts -alias idempiere -file domain.crt -keystore myKeystore

Note: use correct alias value

  • Config jetty
file: %IDEMPIERE_HOME%\jettyhome\etc\jetty-ssl-context.xml
Line 8: replace "etc/keystore" to "etc/myKeystore" , save.
  • what next?

restart iDempiere and open it in your browser.

Sslresult.jpg
Cookies help us deliver our services. By using our services, you agree to our use of cookies.