Creating Let's Encrypt SSL Certificates on Ubuntu 22.

04 lts
for OpenMeetings 7.1.0

These SSL certificates are for can run OpenMeetings 7.1.0 as “https”.

If you didn't have it installed you can directly download the installation tutorial from here:

Download Installation OpenMeetings 7.1.0 on Ubuntu 22.04 lts

I thank Maxim Solodovnik and Carlos Heras, without whose collaboration in the trials practices
could not have confirmed the proper functioning and thus be able to publish the present tutorial.

I also thank all those who have contributed such as Marcus Schulz and Daniel Baker.
Thanks to all them.

Starting…

1)
------ Creating SSL Let´s Encrypt certificates ------

Install certbot, needed to build the certificates:

sudo apt install certbot

 Pag 1

It is important that your pc-server does not have port 80 in use with some web server or some
other. If so, stop it and continue with this step. When the certificates are completed, you can
throw it again.

Let´s Encrypt validate “SSL Certificate Authority (CA)” of your domain.

We'll run it with the --standalone parameter, so you can add each domain at the end requires a
certificate, for exemple: -d newexemple.com
Change "exemple.com" to the true domain of your server:

sudo certbot certonly --standalone -d exemple.com -d www.exemple.com

# You will be asked for an admin email address. Put a real one to get you keep you informed about
certificates:

Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ...here your mail address and press Enter

# Ask if you agree:

----------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
----------------------------------------
(A)gree/(C)ancel: ...type... a ...and press Enter

# Ask if you want to share your email address:

----------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
----------------------------------------
(Y)es/(N)o: ...type... n ...and press Enter

when you finish making the certificates successfully, it will show the following:
 Pag 2

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain/privkey.pem
Your cert will expire on 2020-06-24. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

2)
------ Checking domain certificates ------

We´ll see where are stored the certificates we just create, that in our case will be at
/etc/letsencrypt/live:

sudo ls /etc/letsencrypt/live

...will show your domain name: your_domain

All domains that you specified in the previous step will be located in the same
certificate.

3)
------ Renewing the SSL certificate ------

The Let's Encrypt certificate has an drawback, and is that it is valid only 90 days, so we're going to
have to renew it. Remember to open port 80.

We can do this manually (always connected to Internet):

sudo certbot renew

...or we can do it automatically by adding the bottom line to the cron so that every Sunday check if
the certificate needs to be renewed and do so if necessary:

sudo crontab -e

...it will show several editors to choose from:

 Pag 3

Select an editor. To change later, run 'select-editor'.

1. /bin/nano <---- easiest
2. /usr/bin/vim.tiny
3. /bin/ed

Choose 1-3 [1]: ...press Enter to select nano editor

...and at the end of the file we paste the line below:

30 2 * * 1 certbot renew --quiet

...exit the nano editor by pressing the Ctrl+x keys, ask if you save and press Y and then Enter to
exit.

4)
------ Configuring Tomcat-OpenMeetings with SSL certificates ------

These steps 3 and 4, must be repeated every 80 days, as it is 90 Let´s Encrypt's valid days.

I followed the OM installation path that show the OpenMeetings tutorials that are
found on their official wiki site. I mean /opt/open710.

If you had done the installation on a different path, modify what you indicate below.
We already made the letsencrypt certificates for our domain in step 1.
Now let's create a PKCS12 that contains the full chain and the private one. It is necessary to have
installed openssl. We install it if not:

sudo apt install openssl

Now run the following command:

(Only one line with space between each of them)

sudo openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12

-in /etc/letsencrypt/live/example.com/fullchain.pem
-inkey /etc/letsencrypt/live/example.com/privkey.pem -name tomcat

…replace example.com with your true domain (the same as when we made letsencrypt certificates)
...will ask for a password. Type one that you likes and paste in a text file (will need now)

And now convert that PKCS12 to JKS file using java keytool:

(Only one line with space between each of them)

 Pag 4

sudo keytool -importkeystore -deststorepass samplePassword -destkeypass samplePassword

-destkeystore /tmp/example.com.jks -srckeystore /tmp/example.com_fullchain_and_key.p12
-srcstoretype PKCS12 -srcstorepass samplePassword -alias tomcat

…replace example.com with your true domain (twice), and samplePassword (three times) with
the password you just choosed (it you pasted in a text file).

Copy the generated example.com.jks file to the Tomcat-OpenMeetings installation directory:

sudo cp /tmp/example.com.jks /opt/open710/conf

…replace example.com with your true domain.

# Configure Tomcat-OpenMeetings with the Java Keystore that we generated..

For that edit server.xml file:

sudo nano /opt/open710/conf/server.xml

...let's go to the block:

<Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost.jks"
certificateKeystorePassword="openmeetings"
certificateKeystoreType="JKS"
certificateVerification="false"
sslProtocol="TLS"
type="RSA" />
</SSLHostConfig>

...and we modified it by leaving it like this:

<Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/example.com.jks"
certificateKeystorePassword="samplePassword"
certificateKeystoreType="JKS"
certificateVerification="false"
sslProtocol="TLS"
type="RSA" />
</SSLHostConfig>
 Pag 5

...replace example.com with your true domain, and samplePassword with the password that
you've just chosen (the one you just saved to a text file)

...exit the nano editor by pressing the Ctrl+x keys, ask if you save and press Y and then Enter to
exit.

Restart OpenMeetings:

sudo /etc/init.d/tomcat34 restart

And with this we conclude.

---------------------

If you have some doubt or question, please raise it in the Apache OpenMeetings forums:

https://openmeetings.apache.org/mailing-lists.html

Thank you.

Alvaro Bustos (PMC and Committer at Apache OpenMeetings)