PAYARA-1061 LetsEncrypt integration script #2727
Conversation
@lprimak hi, can you please ask someone to look at this? Thank you.
We will get to this. We are busy with a quarterly release right now.
Jenkins test please
Quick build and test passed!
I'm not sure that I am a good person to review this, as I don't really know Python.
@lprimak apologies. See the example here: #1047 (comment). Also, if you run the script without parameters, it will print the usage. Thus (on Linux), you simply do:
Hi @ratcashdev, Firstly, thank you for your contribution. I see that the certbot script is in Python, of which I'm not an expert. Even so, I don't personally see any functionality that couldn't be reproduced in Java in a way more native to our codebase. Am I incorrect in this assessment? Kind regards, Matt
Hi @MattGill98 In spite of all this, I believe Python is much more appropriate for this very purpose. Admins and DevOps people (for whom this script is mainly intended) can see the actual code and amend and adjust it for their specific needs without recompilation/deployment. Imagine the lost time for admins should they realize that the functionality is not exactly how it suits them. They'd need to clone the whole repo, figure out where exactly that code is (learn Java, Maven, etc.), do their first build (which may take a couple of dozen minutes, if they succeed at all to begin with), and they would need to figure out which jar contains the result and how to replace it. Hours (if not days) just for a small change. I have experienced this first hand when I decided to get my hands dirty with letsencrypt integration and create my first And it's also worth noting that this would not be the only Python file in the repo; I've counted over 100 Python files, mostly related to configuration, packaging and some REST calls.
I am going to review this code this weekend/next week... sorry for the delay, I was busy with other tasks.
@lprimak no worries, take your time.
Hi @ratcashdev, Thank you for your response. I disagree with the precedence argument, since I think every case should be reviewed on its own merit. However, your first argument is quite compelling. With this in mind, I'm quite happy adding this Python script if others seem to agree (which they seem to)! Kind regards, Matt
With certbot not installed, I am getting cryptic error message:
Lennys-MacBook-Pro:bin lprimak$ letsencrypt.py -d payara
Application deployed with name le.
Command deploy executed successfully.
/Users/lprimak/Documents/devel/Payara/appserver/distributions/payara/target/stage/payara5/glassfish/domains/domain1/config/keystore.jks
null
/etc/letsencrypt/live/payara/privkey.pem (No such file or directory)
Command add-pkcs8 failed.
Command undeploy executed successfully.
I would say there should be at least a check for this file existing, and possibly a command line argument for what the name is (hardcoded to payara now), with payara being the default.
Also, it's assuming domain1; why not
@lprimak Thank you for the review and testing. Will have a look at this. So my understanding is that the following changes are required:
@ratcashdev that's what I came up with so far.
The domain directory option should be
You're right. As a matter of fact you can specify multiple domain names. I've written it too long ago to remember.
Updated code. Start by
jenkins test
Can you please rename the --domain-dir option to --domaindir to be consistent with Payara? Thanks
You're right. I am discussing a single 'dash' here, and it's really not worth it (even though customer scripts would not break, because, as I wrote, asadmin would also keep --domaindir in parallel for backward compatibility). So let's skip No3 and agree on What about No2 from above?
I like --name to be consistent with Payara asadmin commands still.
I just want it to be consistent with the existing Payara asadmin command to relieve users' cognitive load when learning a new command such as letsencrypt.
@lprimak would this be ok? Allowing both domain-dir and domaindir.
Sure thing.
@lprimak done with the changes. Please have a look.
It's important to note that, by default, a production domain also runs on port 8080. Thus, without some port mapping and a configuration change in domain.xml, the validation according to ACME (https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html, see chapter 8.3, HTTP Challenge) will likely fail. Maybe the script should warn about this...
Please remove the Do Not Merge label when this is agreed.
Yes, I did see this. Alternatively, there can be some port mapping / assignment done by the router.
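As an added example (not code from this PR or from Payara), a pre-flight routine that a letsencrypt.py-style script could run before deploying anything: it covers the reviewer's points above (certbot present, the certbot output files present for the configured name, the domain directory validated rather than assumed) and the port-8080 caveat just raised. The domain.xml fragment is constructed, and the fullchain.pem filename and the network-listener attribute layout are assumptions.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment (hypothetical sample, trimmed to the listener part).
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config"><network-config>
<network-listeners>
  <network-listener port="8080" name="http-listener-1" protocol="http-listener-1"/>
  <network-listener port="8181" name="http-listener-2" protocol="http-listener-2"/>
</network-listeners></network-config></config></configs></domain>"""


def listener_port(domain_xml, listener="http-listener-1"):
    """Port of the named network-listener in domain.xml, or None if absent."""
    for nl in ET.fromstring(domain_xml).iter("network-listener"):
        if nl.get("name") == listener:
            return int(nl.get("port"))
    return None


def preflight(domain_dir, cert_name="payara", live_root="/etc/letsencrypt/live"):
    """Return a list of human-readable problems to report before touching the domain."""
    problems = []
    if shutil.which("certbot") is None:
        problems.append("certbot not found on PATH")
    for fname in ("privkey.pem", "fullchain.pem"):  # files add-pkcs8 will need
        path = os.path.join(live_root, cert_name, fname)
        if not os.path.isfile(path):
            problems.append(f"missing {path}; wrong --name or certbot not yet run")
    cfg = os.path.join(domain_dir, "config")
    if not all(os.path.isfile(os.path.join(cfg, f)) for f in ("domain.xml", "keystore.jks")):
        return problems + [f"{domain_dir} is not a Payara domain directory"]
    with open(os.path.join(cfg, "domain.xml"), encoding="utf-8") as fh:
        port = listener_port(fh.read())
    if port != 80:  # the ACME HTTP-01 validator only connects to port 80
        problems.append(f"http-listener-1 listens on {port}, not 80; map 80->{port} first")
    return problems


def demo():
    """Run preflight against a throwaway domain built from the sample above."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "domain1", "config")
        os.makedirs(cfg)
        with open(os.path.join(cfg, "domain.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DOMAIN_XML)
        open(os.path.join(cfg, "keystore.jks"), "wb").close()
        return preflight(os.path.join(tmp, "domain1"), live_root=os.path.join(tmp, "live"))


if __name__ == "__main__":
    print("\n".join(demo()))
```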
jenkins test
Looks great!
Looks great now!
Quick build and test passed!
Jenkins test
Quick build and test passed!
@ratcashdev are you done with your changes? If you don't do anything in the next couple of days, will merge it!
Hi @lprimak,
Oh, no problem. Happy for the contribution, thanks!
jenkins test
Quick build and test passed!
It looks like the use case for this script is only for new non-Docker production installations. Perhaps it can be extended for use with Docker, where the certs would be generated outside the container.
@johnmanko importing existing certs is already possible; this script already relies on that possibility.
Requires certbot with the webroot plugin.
The idea is to deploy an empty war (as a directory, using in-place deployment) and provide that directory's path to certbot's webroot plugin to pass the challenge.
The script is written in Python, because certbot itself requires Python. Since certbot works only under Linux, so does this script.
Proper functionality (reloading the keystore and restarting the listener) requires b3bd6b0 and 83fb3c1.
fixes #1047