I put an SSL certificate in my system and requests over HTTPS are working very well, but I can't use a secure websocket (e.g. wss://domain.com/websocket); it works only when I don't use a secure web socket (ws://). Are there some configurations to do to make Let's Encrypt allow me to use wss:// to call my websockets?
You could configure your web server to proxy web sockets. Modern versions of both Apache and Nginx are capable of doing so. Certbot can then automatically handle SSL for your websockets the same way it does for your HTTP connections.
If you don’t want to proxy websocket connections with your web server, you would need to manually configure your websocket server to listen for SSL and point it at your certificate and private key located in /etc/letsencrypt/live/yourdomain.com.
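An added example of the first option above (not code from the thread or from any poster): an nginx server block that terminates TLS with the certbot-issued certificate and proxies WebSocket upgrades on /websocket to a backend that still speaks plain ws://. The hostname domain.com, the certbot file paths and the backend address 127.0.0.1:8080 are assumptions; substitute your own. The Upgrade and Connection headers and proxy_http_version 1.1 are what make the WebSocket handshake survive the proxy; without them the client sees a plain HTTP response and wss:// fails even though https:// works.

```nginx
# Added example, not from the thread: TLS termination for wss:// in nginx,
# forwarding to a backend that only listens for ws:// (assumed 127.0.0.1:8080).
server {
    listen 443 ssl;
    server_name domain.com;   # assumed hostname

    # Paths certbot writes by default; other ACME clients name files differently
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    location /websocket {
        proxy_pass http://127.0.0.1:8080;

        # A WebSocket handshake is an HTTP/1.1 request carrying hop-by-hop
        # Upgrade/Connection headers; nginx must speak 1.1 to the backend and
        # forward those headers explicitly or the upgrade is silently dropped.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # An idle WebSocket is closed once proxy_read_timeout (default 60s)
        # passes with no data; raise it for long-lived connections.
        proxy_read_timeout 3600s;
    }
}
```

Because this location only ever serves WebSocket traffic, hard-coding Connection "upgrade" is fine; on a location shared with ordinary requests you would map it from $http_upgrade instead. The Apache equivalent needs mod_proxy_wstunnel loaded and a ProxyPass of the path to a ws:// backend URL. In both cases certbot's renewal keeps working unchanged, since the web server, not the websocket backend, is the only thing that reads the certificate files.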
So, in my folder “/.letsencrypt/live/mydomain.com” (there isn't a folder called live in my etc folder) there are 6 files: .ca, .crt, .csr, .key, *ca_.der and *cert_.der. Which one do I need to use in my configuration? Is it the .key?
I'm using Tomcat, so I searched about configuring SSL on Tomcat, and I found this:
But I didn't understand what I need to put in keystoreFile and keyPass.
And automatically in a renew hook afterward if you’d like.
ETA: But your file structure suggests you’re using a different client than the recommended default.
Which is fine (so do I) but I have no idea what yours calls its files because even mine uses the same names as certbot.
How can I create a JKS file? With these commands? But where do I need to run these commands? In Linux? I don't have access to a Linux console on the server, just my server files and folders by FTP. Sorry, but I'm not good at this kind of configuration.
And after creating this .jks file, what do I have to put in passKey?
So your host gets your certificates from Let’s Encrypt for you? It’s kind of hard to automate then. That’s important because it will need to be done at least every three months.
If you can configure and restart Tomcat, you must be able to run openssl somehow though, if nothing else every time Tomcat is started.
Yes, I can run and restart Tomcat. And, yes, my host gets the certificate for me. I just need to press a button every three months. But they do not configure the web socket to use Let's Encrypt, so I need to configure it by myself.
But the problem is that I don't have any idea how to do that. That's why I asked you how to create a JKS file and what I have to put in passKey.
I was just suggesting that editing the tomcat start script so that it generated the keystore every time you started tomcat might be easier than doing it manually every three months.
The passphrase is anything you want it to be, just make it the same in both places.
I found a tutorial about JKS files on our forum here:
Someone more familiar with that method would have to help you with that if you run into trouble. Perhaps if you change your thread title to reference tomcat a Java expert might notice.
I'm far from a Java expert, so for the two tomcat servers and one jetty server I'm forced to administer, I just use openssl to generate PKCS#12 files as described in my earlier comment. Tomcat accepts these as a keystore format in addition to JKS, and they also work with Microsoft IIS so it's one less command I have to remember.
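As an added example of the openssl route described in the two replies above (this is not any poster's script, and the paths are assumptions), here is a POSIX shell script that turns the certbot-style privkey.pem and fullchain.pem into a PKCS#12 keystore, checks that the result opens with the passphrase, and is written so it can be called from a certbot deploy hook or from the Tomcat start script so the keystore is rebuilt at every renewal. It also contains a helper that builds a throwaway self-signed key and certificate as a constructed stand-in for a real Let's Encrypt live directory, so the script can be tried offline.

```sh
#!/bin/sh
# Added example (not a poster's script): build a PKCS#12 keystore for Tomcat
# from a Let's Encrypt "live" directory. File names follow certbot's layout
# (privkey.pem, fullchain.pem); other ACME clients may name them differently.
set -eu

# build_keystore LIVE_DIR OUT_P12 PASSPHRASE
#   LIVE_DIR   e.g. /etc/letsencrypt/live/yourdomain.com   (assumed path)
#   OUT_P12    e.g. /opt/tomcat/conf/yourdomain.p12        (assumed path)
#   PASSPHRASE must equal keystorePass in the Tomcat <Connector>
build_keystore() {
    live_dir=$1; out_p12=$2; passphrase=$3

    # The private key is mandatory: without it no server can use the certificate.
    [ -r "$live_dir/privkey.pem" ]   || { echo "no readable privkey.pem in $live_dir" >&2; return 1; }
    [ -r "$live_dir/fullchain.pem" ] || { echo "no readable fullchain.pem in $live_dir" >&2; return 1; }

    # Subshell so the restrictive umask does not leak into the caller; the
    # keystore contains the private key and must be readable by the owner only.
    # -in fullchain.pem carries the leaf certificate plus the intermediate chain,
    # so clients receive the full chain with no extra Tomcat configuration.
    ( umask 077
      openssl pkcs12 -export \
          -inkey "$live_dir/privkey.pem" \
          -in "$live_dir/fullchain.pem" \
          -name tomcat \
          -passout "pass:$passphrase" \
          -out "$out_p12" )

    # Sanity check: the bundle must open (MAC verify) with the passphrase just set.
    openssl pkcs12 -in "$out_p12" -passin "pass:$passphrase" -noout
}

# make_test_live_dir DIR: constructed stand-in for a Let's Encrypt live directory,
# using a throwaway self-signed certificate so the script can be exercised offline.
make_test_live_dir() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Typical call from a certbot deploy hook or the Tomcat start script:
#   build_keystore /etc/letsencrypt/live/yourdomain.com /opt/tomcat/conf/yourdomain.p12 "$KEYSTORE_PASS"
if [ "$#" -eq 3 ]; then
    build_keystore "$1" "$2" "$3"
fi
```

On the Tomcat side, the HTTPS `<Connector>` then points at the file with keystoreFile="conf/yourdomain.p12", keystoreType="PKCS12", keyAlias="tomcat" and keystorePass set to the same passphrase given to the script, which is the "same in both places" rule from the reply above. If your client stores the leaf certificate and the intermediate as separate files (the .crt and .ca in the original poster's listing), pass the leaf as -in and the intermediate with -certfile instead of using fullchain.pem. One caveat worth knowing: OpenSSL 3 encrypts PKCS#12 files with AES and PBKDF2 by default, and some older Java releases cannot open those; if Tomcat rejects the keystore, regenerating it with older algorithms such as -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 is the usual workaround.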
HTTPS works fine for my system, but I didn't find a connector with SSL configuration in my Tomcat.
Is there any way to make this web socket connector point to the SSL already configured for HTTPS?
Thank you for your answer. I will watch this video and read the links again.
But the problem is that there isn't a .jks file on my server.
And I saw your “Tutorial - Java KeyStores (JKS) With Let's Encrypt”; I created the .JKS and .CSR files, but I don't have access to the server's console to execute the procedures about Certbot-Production.
I understood the example you gave me, and I have 2 “.der” files on my server, but the problem is that I don't have the KEY and I don't have permission to execute commands in the server's console.
Is there some way to create these files on my computer and afterwards upload them to my server somewhere? I ask this because I saw that Certbot-Production needs to be run on the server. Sorry, but I'm lost in this part.
Unfortunately, it is impossible to use a certificate on any server without the private key. Anyone on the Internet can find and download your certificate if they wanted, as it is necessary for them to securely transmit data to your server. It is the private key that enables you to negotiate connections with and securely transmit data to clients on the Internet.
If your hosting provider does not make the private key available to you, the best option for you in this situation would be to engage your web hosting provider’s support about setting up their web server to proxy your websockets for you. (It might be as easy as dropping an .htaccess file in your web directory, but only they would know whether they support this or not.)
Otherwise, you would have to create a new certificate that you do have the private key for to use for this purpose, which is difficult to do with Let’s Encrypt without shell access to the server.
So, if your webhost is unwilling or unable to make the private key accessible or set up their web server to proxy websockets, you would either need to purchase a certificate from a commercial CA or seek out a more flexible hosting provider.
Just so you are aware, I am not going to provide any more input on this thread.
The “challenge” you have of not being able to create the JKS on the server is solvable.
Instead of trying to present options (I have SFTP access to the server, will that help?), you seem to hope others will help you out (which we have done to a point).
I've tried asking my webhost for the key and password or for shell access, but they are not willing to help me. I will try to find a more flexible hosting provider.
Thank you for trying to understand my problem and your polite answer.