How to install free SSL Certificate for Outsystems using Let's Encrypt


Hello, everyone!

In this first post, I want to show you how the Infrastructure Team of the company where I work managed to install a FREE certificate for OutSystems using Let's Encrypt, an open Certificate Authority. (Yes! No more paying for it!)

In this example, the configuration was done on a CentOS + WildFly OutSystems server that was only accessible over the company's internal network. For this reason, the "certificate challenge" listed in step 5 was completed using the company's external DNS server, which has a public IP facing the Internet and is authoritative for the company's domain.

(Alternatively, if your OutSystems server is facing the Internet, you can publish a public HTML page containing the txt value generated by the certbot-auto script. This is not covered in this tutorial.)

Here are the steps:

  1. Just for the sake of organization, create a new folder called "installers" in the /opt directory, using the command mkdir /opt/installers. Change your current path to it using the command cd /opt/installers.

  2. Download the certbot-auto script, using the command wget https://dl.eff.org/certbot-auto
  3. Use the command chmod a+x certbot-auto to turn it into an executable script. It will be shown in green when listed with the ls command.

  4. Now we will start the configuration of a new certificate for the domain using the mentioned script. Start it as below, changing the options according to your environment:

    ./certbot-auto certonly --manual --preferred-challenges dns --email <admin.account@yourdomain.com> -d <servername.yourdomain.com>

  5. The script will ask you some questions. In our case, the answers were Y, Y, Y, A, N, Y. A txt value will be provided for the challenge and the script will pause, waiting for your confirmation after you add it to your external DNS server.

  6. If the txt value was correctly configured in your external DNS, the certbot-auto script will show a "congratulations" message after your confirmation. The certificate files (.pem) are generated in the following path:

    /etc/letsencrypt/archive/servername.yourdomain.com

  7. Change to the previous path and convert fullchain1.pem into a .p12 file, using the following command:

     openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out servername.yourdomain.com.p12 -name default -CAfile chain1.pem -caname root
  8. Enter an export password when prompted.

  9. Use the command alias keytool="$JAVA_HOME/bin/keytool"
  10. Use the command source /etc/sysconfig/outsystems
  11. Create/change the following environment variables:

    KEYSTORE=$WILDFLY_HOME/standalone/configuration/server.keystore

    ASUSER=wildfly
  12. Change the ownership of the keystore using the command chown $ASUSER:$ASUSER $KEYSTORE
  13. Remove the server.keystore, using rm -rf $WILDFLY_HOME/standalone/configuration/server.keystore
  14. alias keytool="$JAVA_HOME/bin/keytool"
  15. Create a new keystore, embedding the p12 certificate into it, using the following command:

    keytool -importkeystore -deststorepass <step 8 Password> -destkeypass <step 8 Password> -destkeystore $KEYSTORE -srckeystore <servername.yourdomain.com.p12> -srcstoretype PKCS12 -srcstorepass <step 8 Password> -alias default
  16. Edit the standalone-outsystems.xml, using your favorite editor, like so:
    vim $WILDFLY_HOME/standalone/configuration/standalone-outsystems.xml
  17. Insert the text block below inside the <security-realms> tag, like in the image:

    <security-realm name="SecureApplicationRealm">
       <server-identities>
          <ssl>
             <keystore path="server.keystore"
                       relative-to="jboss.server.config.dir"
                       keystore-password="<step 8 Password>" />
          </ssl>
       </server-identities>
    </security-realm>

  18. Add the text block below immediately after the <http-listener> block:

    <https-listener name="https" socket-binding="https" security-realm="SecureApplicationRealm"/>

  19. Save the previous file and restart the wildfly-outsystems service:
    /etc/init.d/wildfly-outsystems restart

  20. In our case, we configured the internal DNS as well to resolve internally the name servername.yourdomain.com to its respective server IP.

  21. Test https://servername.yourdomain.com on your browser and check if the certificate icon is green. That's it!
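As an added example (not part of the original post), here is the conversion from steps 7 to 15 as a small POSIX shell script that also checks its inputs: it refuses to build the .p12 if privkey.pem does not belong to the certificate, warns when the certificate is within 30 days of expiry (Let's Encrypt certificates are valid for 90 days, so steps 4 to 15 have to be repeated at every renewal), and reads from certbot's live/<domain>/ directory, whose files always point at the newest archive copy (fullchain1.pem, fullchain2.pem, ...). It assumes openssl and $JAVA_HOME/bin/keytool are available and that the password is handed in as an argument read from a root-only file rather than typed on a shared command line.

```shell
#!/bin/sh
# Constructed example: rebuild the PKCS#12 bundle and the WildFly keystore
# from a Let's Encrypt "live" directory, checking the inputs first.
# Assumed layout: LIVE_DIR/fullchain.pem, privkey.pem, chain.pem

# Succeeds only if the private key matches the first certificate in CERT.
# Usage: check_key_matches_cert CERT.pem KEY.pem
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid DAYS days from now (default 30).
# Usage: cert_valid_for_days CERT.pem [DAYS]
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Step 7/8: build the PKCS#12 file. Usage: make_p12 LIVE_DIR OUT.p12 PASSWORD
make_p12() {
    live=$1; out=$2; pass=$3
    check_key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" || {
        echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    cert_valid_for_days "$live/fullchain.pem" 30 ||
        echo "warning: certificate expires within 30 days, renew first" >&2
    # subshell so the umask (the bundle holds the private key) stays local
    ( umask 077
      openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
          -CAfile "$live/chain.pem" -caname root -name default \
          -out "$out" -passout "pass:$pass" )
}

# Steps 12 to 15: replace the WildFly keystore with one built from the .p12.
# Usage: import_into_keystore OUT.p12 KEYSTORE PASSWORD
import_into_keystore() {
    p12=$1; ks=$2; pass=$3
    rm -f "$ks"
    "$JAVA_HOME/bin/keytool" -importkeystore -srckeystore "$p12" \
        -srcstoretype PKCS12 -srcstorepass "$pass" -alias default \
        -destkeystore "$ks" -deststorepass "$pass" -destkeypass "$pass" \
    && chown wildfly:wildfly "$ks" && chmod 600 "$ks"
}
```

The keystore password also ends up in clear text in standalone-outsystems.xml (step 17), so keep that file readable only by the wildfly user and root.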


Credits for this tutorial:

  • Alessandro Daniel de Almeida e Silva (Network Infrastructure Manager)
  • João Lucas dos Santos (Software Architect)
  • Lutt Souto Ferreira (Network Infrastructure Manager)

Nice.