Installing a certificate in a Play! application

Install certbot


sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot


See https://certbot.eff.org/#ubuntu (the ppa:certbot/certbot archive used above has since been discontinued; the instructions at that address now install certbot as a snap package).



Create the certificate


https://certbot.eff.org/docs/using.html#standalone

The standalone plugin answers the http-01 challenge with its own temporary web server on port 80, so nothing else may be listening on port 80 while it runs, and both names must already resolve to this machine. (The acme-v01 endpoint in the log below is the ACMEv1 API, which Let's Encrypt retired in 2021; current certbot releases use ACMEv2.)


sudo certbot certonly --standalone --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencry
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):semantic-forms.cc,
www.semantic-forms.cc
Attempting to parse the version 0.12.0 renewal configuration file found at /etc/letsencrypt/renewal/www.s

------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.s

It contains these names: www.semantic-forms.cc

You requested these names for the new certificate: semantic-forms.cc,
www.semantic-forms.cc.

Do you want to expand and replace this existing certificate with the new
certificate?
------------------------------
(E)xpand/(C)ancel:
E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for semantic-forms.cc
http-01 challenge for www.semantic-forms.cc
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key
Creating CSR: /etc/letsencrypt/csr/0001_csr-

IMPORTANT NOTES:
 - Congratulations!
Your certificate and chain have been saved at
   /etc/letsencrypt/live
/www.semantic-forms.cc/fullchain.pem. Your
   cert will expire on 2017-06-27. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Check that the certificate is good



(It is indeed issued by Let's Encrypt, which is a certificate authority.) Note that openssl x509 -text prints only the first certificate of fullchain.pem, which is the server certificate; the intermediate that follows it is not shown. Reading /etc/letsencrypt/live/www.semantic-forms.cc/fullchain.pem instead of a numbered file under archive/ always gives the current version, and adding -noout suppresses the PEM block that is otherwise echoed after the text dump. Let's Encrypt puts every requested name in the Subject Alternative Name extension, so www.semantic-forms.cc appears there, further down in the output, rather than in the Subject.

 sudo openssl x509 -in /etc/letsencrypt/archive/www.semantic-forms.cc/fullchain2.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8f:96:c1:40:64:48:cd:80:c7:
    Signature Algorithm: sha256WithRSAEncryption
       
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 29 09:29:00 2017 GMT
            Not After : Jun 27 09:29:00 2017 GMT
        Subject: CN=semantic-forms.cc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:5e:2d:ee:90:f7:ea:70:75:



Adapt the certificate for Java and the Play framework



I follow the recipe from:
http://stackoverflow.com/questlets-encrypt-certificate

Create the p12 file:

sudo /bin/bash -c \
  "cd /etc/letsencrypt/live/www.semantic-forms.cc ; \
  openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem \
    -out cert_and_key.p12 -CAfile chain.pem \
    -caname root -passout pass:$ENSCRIPT_PW"

This produces cert_and_key.p12 in that directory. Because the outer shell expands $ENSCRIPT_PW before sudo runs, the password ends up in the argument list of sudo, bash and openssl, where any local user can read it with ps. The -passout env:ENSCRIPT_PW form of openssl, with the command in single quotes and sudo --preserve-env=ENSCRIPT_PW (if the sudoers policy allows it), keeps it out of the process list.

sudo /bin/bash -c "cd /etc/letsencrypt/live/www.semantic-forms.cc ; \
  keytool -importkeystore -srcstorepass $ENSCRIPT_PW -destkeystore \
    keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 \
    -storepass $ENSCRIPT_PW "

[sudo] password for jmv:
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

This produces keyStore.jks in that directory. keytool offers the same protection for its password options (-srcstorepass:env ENSCRIPT_PW reads the variable instead of taking the value from the command line). Both cert_and_key.p12 and keyStore.jks contain the private key protected only by that password, and root's default umask leaves them world-readable; restrict them with chmod 640 and chown them to the account that will run Play.
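The following script is added here as an example; it is not taken from the page or from the semantic_forms project. It puts the two preceding steps, checking the certificate and building the PKCS#12 bundle, into functions that run offline: a throwaway self-signed CA stands in for Let's Encrypt, and make_fixture writes the same files certbot leaves in /etc/letsencrypt/live/<name>/ (privkey.pem, cert.pem, chain.pem, fullchain.pem) into a scratch directory. The names semantic-forms.cc and www.semantic-forms.cc are the page's; the function names, the P12_PW variable and its default value are assumptions of this example. It needs only openssl.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway CA stands in for
# Let's Encrypt so that everything runs offline. make_fixture writes the same
# files certbot leaves in /etc/letsencrypt/live/<name>/ into a scratch
# directory; the other functions are the checks and the PKCS#12 export
# described on the page.
set -eu
umask 077   # every file created below (private key, .p12 bundle) is owner-only

# make_fixture DIR: constructed stand-in for certbot's live/ directory.
# chain.pem here is the (self-signed) issuer itself; with Let's Encrypt it holds
# the intermediate, which is why check_cert uses -partial_chain.
make_fixture() {
    fdir=$1
    mkdir -p "$fdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 120 -subj '/CN=Throwaway Test CA' \
        -keyout "$fdir/ca.key" -out "$fdir/chain.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=semantic-forms.cc' \
        -keyout "$fdir/privkey.pem" -out "$fdir/leaf.csr" >/dev/null 2>&1
    # both names go into the Subject Alternative Name extension, as Let's Encrypt does
    printf 'subjectAltName=DNS:semantic-forms.cc,DNS:www.semantic-forms.cc\n' >"$fdir/san.cnf"
    openssl x509 -req -days 90 -in "$fdir/leaf.csr" -CA "$fdir/chain.pem" -CAkey "$fdir/ca.key" \
        -CAcreateserial -extfile "$fdir/san.cnf" -out "$fdir/cert.pem" >/dev/null 2>&1
    cat "$fdir/cert.pem" "$fdir/chain.pem" >"$fdir/fullchain.pem"
}

# check_cert DIR NAME...: succeeds only if cert.pem chains to chain.pem, is not
# within 30 days of expiry, and lists every NAME in its Subject Alternative Name.
check_cert() {
    cdir=$1; shift
    openssl verify -partial_chain -CAfile "$cdir/chain.pem" "$cdir/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cdir/cert.pem" -noout -checkend 2592000 >/dev/null || return 1
    # the SAN line looks like "DNS:a, DNS:b"; split it and require an exact match per name
    sans=$(openssl x509 -in "$cdir/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" || return 1
    done
}

# make_p12 DIR: same export as on the page, but the password comes from the
# environment (-passout env:), so it never appears in the process list.
make_p12() {
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name server -out "$1/cert_and_key.p12" -passout env:P12_PW
}

# count_p12_certs DIR: number of certificates stored in the bundle (leaf + chain)
count_p12_certs() {
    openssl pkcs12 -in "$1/cert_and_key.p12" -passin env:P12_PW -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

P12_PW=${P12_PW:-example-password}   # constructed default; set P12_PW in the real environment
export P12_PW
WORK=$(mktemp -d)
make_fixture "$WORK"
if check_cert "$WORK" semantic-forms.cc www.semantic-forms.cc; then
    echo "certificate in $WORK is valid for both names"
else
    echo "certificate check FAILED"; exit 1
fi
make_p12 "$WORK"
echo "$(count_p12_certs "$WORK") certificate(s) stored in $WORK/cert_and_key.p12"
```

With certbot's real files, call check_cert and make_p12 on /etc/letsencrypt/live/www.semantic-forms.cc instead of the fixture (chain.pem there holds the intermediate rather than a root, which is what -partial_chain allows). Play can load the .p12 directly with -Dplay.server.https.keyStore.type=PKCS12, so the keytool conversion is only needed when a JKS file is required. Since the certificate is reissued every 90 days, the export has to be repeated at each renewal; certbot's deploy hooks (--deploy-hook, or a script in /etc/letsencrypt/renewal-hooks/deploy/) run after a successful renewal with RENEWED_LINEAGE set to the live directory, which is the natural place to call make_p12 and restart Play. Bundles written by OpenSSL 3 use AES-256-CBC with PBKDF2 by default; if an older JDK refuses to open one, the -legacy option of openssl pkcs12 writes the older RC2/3DES format.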


Start the Play! Framework server


certbot keeps /etc/letsencrypt/live/ and archive/ at mode 0700, so the two chmod calls below let the unprivileged account that runs Play traverse live/ and read keyStore.jks (privkey.pem under archive/ stays root-only, but keyStore.jks is a copy of that key):

sudo chmod go+r /etc/letsencrypt/live/
sudo chmod go+x /etc/letsencrypt/live/

cd ~jmv/deploy/semantic_forms_play-1.0-SNAPSHOT
nohup bin/semantic_forms_play -Dhttp.port=8444 -Dhttps.port=8443 \
  -Dplay.server.https.keyStore.path=/etc/letsencrypt/live/www.semantic-forms.cc/keyStore.jks \
  -Dplay.server.https.keyStore.password=$ENSCRIPT_PW \
  -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true &

The trailing & puts the server in the background (nohup alone only makes it ignore the hangup when the terminal closes). The two jdk.tls properties raise the ephemeral Diffie-Hellman key size to 2048 bits and refuse client-initiated TLS renegotiation. As with the keytool step, the keystore password given with -D is visible to every local user in ps; putting play.server.https.keyStore.password in a configuration file that only the service account can read avoids that.

Then, from a phone or a computer, go to:
https://semantic-forms.cc:8443