Importing LetsEncrypt into Java and Glassfish

Server
18

Hello Again,

Sorry for the late response, i tried changing the script so that it uses fullchain.pem instead of chain.pem and the issue with the rest of the browsers was resolved:

#!/bin/sh

#Alias of the certificate
echo 'Please enter the alias of the certificate: e.g. (shortwebname)'
read NAME
#The current domain registered in letsencrypt such as www.mydomain.com
echo 'Please enter the domain name: e.g. (www.mydomain.com)'
read DOMAIN
#The keystore password, default is (changeit)
echo 'Please enter the keystore password: default is (changeit)'
read KEYSTOREPW
#Letsencrypt live directory location
LIVE=/etc/letsencrypt/live/$DOMAIN
#Glassfish server location e.g. /opt/glassfish4/glassfish/domains/domain1
echo 'Please enter the web server root directory: e.g. (/opt/payara41)'
read GFROOT

if [ -d "$LIVE" ]; then 
	if [ -d "$GFROOT" ]; then   

sudo mkdir temp-ssh
cd temp-ssh

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name $NAME -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias $NAME -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW


sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name $NAME -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias $NAME -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore cacerts.jks -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore cacerts.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW


# ====== Download latest list of cacert and import it into the cacerts.jks ========== #

sudo wget https://curl.haxx.se/ca/cacert.pem --no-check-certificate -O cacert.pem

PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks
# number of certs in teh PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $(($CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  echo $ALIAS
  cat $PEM_FILE |
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    keytool -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done

# ==================================================================================== #


sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW

if [ ! -f $GFROOT/glassfish/domains/domain1/config/keystore-orig.jks ]; then
echo "Backing up original files..."
sudo cp -f $GFROOT/glassfish/domains/domain1/config/keystore.jks $GFROOT/glassfish/domains/domain1/config/keystore-orig.jks
sudo cp -f $GFROOT/glassfish/domains/domain1/config/cacerts.jks $GFROOT/glassfish/domains/domain1/config/cacerts-orig.jks
fi

echo "Updating certificates..."
sudo cp -f keystore.jks $GFROOT/glassfish/domains/domain1/config/keystore.jks
sudo cp -f cacerts.jks $GFROOT/glassfish/domains/domain1/config/cacerts.jks

cd ..

sudo rm -rf temp-ssh

sudo $GFROOT/bin/asadmin enable-secure-admin;

sudo $GFROOT/bin/asadmin stop-domain;

sudo $GFROOT/bin/asadmin start-domain;
	else
		echo 'Wrong web server location...'
	fi
else
	echo 'Wrong domain name. Please make sure that certbot is installed and this domain is found in: /etc/letsencrypt/live/'
fi

Please check the script out and if there is any change needed please reply.

Thanks alot for your help