HTTPS signed Certificates

mattk
Posts: 1
Joined: Sun Jun 20, 2021 1:56 am

Wed Sep 29, 2021 2:37 am

We actively use Let's Encrypt certificates and wildcard certificates for most of our infrastructure. This enables us to navigate to the respective URL without getting a certificate error on the device we are accessing (i.e. Zabbix).

Is it possible to configure Unimus to use either a wildcard certificate or a Let's Encrypt certificate so that we don't need to have a self signed certificate that needs to be installed locally for all Unimus users?

Furthermore, I cannot seem to even be able to install the self-signed certificate:

root@Unimus:~# JAVA_HOME=/usr/lib/jvm/java-8-oracle/jre/
root@Unimus:~# KEYTOOL=$JAVA_HOME/bin/keytool
root@Unimus:~# cd /opt/unimus
root@Unimus:/opt/unimus# $KEYTOOL -genkey -alias unimus -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore unimus.keystore.p12 -validity 3650
-bash: /usr/lib/jvm/java-8-oracle/jre//bin/keytool: No such file or directory

I have also tried changing:

JAVA_HOME=/usr/lib/jvm/java-8-oracle/jre/

to

JAVA_HOME=/usr/lib/jvm/java-8-oracle/jre

but it yields the same result.

I'm using Ubuntu 20.04...
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Wed Sep 29, 2021 3:28 am

Hi,
mattk wrote:
Wed Sep 29, 2021 2:37 am
We actively use Let's Encrypt certificates and wildcard certificates for most of our infrastructure. This enables us to navigate to the respective URL without getting a certificate error on the device we are accessing (i.e. Zabbix).

Is it possible to configure Unimus to use either a wildcard certificate or a Let's Encrypt certificate so that we don't need to have a self signed certificate that needs to be installed locally for all Unimus users?

I would highly recommend placing a reverse proxy (such as NGINX) in front of Unimus and dealing with certs there. While Unimus has a fully featured embedded web server and assigning certs directly to Unimus is possible, there is much more flexibility and much more out-of-box tooling available if you put NGINX in front of Unimus.

This is a pretty standard deployment scenario for most web applications; your Zabbix frontend should already be deployed the same way.
mattk wrote:
Wed Sep 29, 2021 2:37 am
Furthermore, I cannot seem to even be able to install the self-signed certificate:
...

As the documentation mentions:
Change JAVA_HOME to properly reflect the path to your JRE.
The default value will work for Oracle JRE, but for OpenJDK JRE it will be different.
On Ubuntu (and Debian), you can check where your Java is by running "update-java-alternatives --list".

For example:

tomas@test01:~$ update-java-alternatives --list
java-1.8.0-openjdk-amd64       1081       /usr/lib/jvm/java-1.8.0-openjdk-amd64
tomas@test01:~$ 

On Ubuntu 20, you should have Java 11 and it should show you the base path. Adding "/jre" behind that path should make KEYTOOL work for you.
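
Added example, not part of the thread or of the Unimus documentation: a shell helper that resolves keytool whether the JVM keeps it under bin/ (Java 9 and later) or under jre/bin/ (Java 8), taking candidate base paths from JAVA_HOME and from the update-java-alternatives --list output shown above. The function names alt_paths and find_keytool are hypothetical, and JVM paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): locate keytool across JVM directory layouts.

# alt_paths: read `update-java-alternatives --list` output on stdin and
# print the JVM base path (third column) of every entry.
alt_paths() {
    awk 'NF >= 3 { print $3 }'
}

# find_keytool BASE...: print the first executable keytool under any BASE.
# Tries BASE/bin/keytool (Java 9 and later, where jre/ no longer exists) and
# BASE/jre/bin/keytool (Java 8 layout), then falls back to keytool on PATH.
find_keytool() (
    for base in "$@"; do
        base=${base%/}                 # tolerate a trailing slash
        [ -n "$base" ] || continue     # skip an unset JAVA_HOME
        for candidate in "$base/bin/keytool" "$base/jre/bin/keytool"; do
            if [ -f "$candidate" ] && [ -x "$candidate" ]; then
                printf '%s\n' "$candidate"
                exit 0
            fi
        done
    done
    command -v keytool 2>/dev/null     # non-zero exit status if nothing is found
)

# Candidate bases: JAVA_HOME if set, then every registered alternative.
homes=$(update-java-alternatives --list 2>/dev/null | alt_paths)
# Word splitting of $homes is intended here (one path per word).
if KEYTOOL=$(find_keytool "${JAVA_HOME:-}" $homes); then
    echo "keytool found: $KEYTOOL"
    # The keystore command from the first post would then be run as:
    #   "$KEYTOOL" -genkey -alias unimus -storetype PKCS12 -keyalg RSA \
    #       -keysize 2048 -keystore unimus.keystore.p12 -validity 3650
else
    echo "no keytool under JAVA_HOME, the registered JVMs, or PATH" >&2
fi
```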