Skip to content

Instantly share code, notes, and snippets.

@richmilne
Forked from galan/import-letsencrypt-java.sh
Last active March 15, 2024 11:26
Show Gist options
  • Save richmilne/5a5cb4be0ec8233a6c50ba40229d8278 to your computer and use it in GitHub Desktop.
Save richmilne/5a5cb4be0ec8233a6c50ba40229d8278 to your computer and use it in GitHub Desktop.
Import Let's Encrypt certificates into Java's trusted keystore (cacerts)
#!/bin/bash -e
# A codificiation of the steps outlined at
# https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html
CERT_EXT=der
# JAVA_HOME can be passed as argument if not set
if [[ -z ${JAVA_HOME+x} ]] || [[ ! -d ${JAVA_HOME} ]]; then
JAVA_HOME=${1}
fi
KEYSTORE="$JAVA_HOME/jre/lib/security/cacerts"
if [ ! -f "$KEYSTORE" ]; then
echo "Keystore not found in '$KEYSTORE'"
exit 1
fi
cp "$KEYSTORE" "$KEYSTORE.$(date +"%Y-%m-%dT%H:%m:%S")"
# Make sure the keytool is on our path
PATH=${PATH}:${JAVA_HOME}/jre/bin/
# List of downloads updated based on information found at
# https://letsencrypt.org/certificates/ (Last updated 2021-08-17)
# Depending on your application, you may or may not need the intermediate certificates.
certs=(
# Root Certificates
isrgrootx1
isrg-root-x1-cross-signed
isrg-root-x2
isrg-root-x2-cross-signed
# Intermediate Certificates
lets-encrypt-r3
lets-encrypt-r3-cross-signed # Retired
lets-encrypt-e1
lets-encrypt-r4
lets-encrypt-r4-cross-signed # Retired
lets-encrypt-e2
letsencryptauthorityx1
lets-encrypt-x1-cross-signed # Retired
letsencryptauthorityx2 # Retired
lets-encrypt-x2-cross-signed # Retired
letsencryptauthorityx3 # Retired
lets-encrypt-x3-cross-signed # Retired
letsencryptauthorityx4 # Retired
lets-encrypt-x4-cross-signed # Retired
)
for ALIAS in "${certs[@]}"
do
FNAME="$ALIAS".$CERT_EXT
echo "Downloading '$FNAME'..."
wget -nv "https://letsencrypt.org/certs/${FNAME}" >>./errors.txt 2>&1 || true
# to be idempotent, ensure new keys are removed from store
echo "Deleting '$ALIAS' from '${KEYSTORE}'..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass changeit 2>/dev/null || true
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias "$ALIAS" -file "$FNAME"
done
rm -vf ./*.${CERT_EXT}*
@rjshrjndrn
Copy link

rjshrjndrn commented Nov 26, 2021

Line number 7 should be changed to

if [[ -z ${JAVA_HOME+x} ]] || [[ ! -d ${JAVA_HOME} ]]; then

And you'll have to run this script as the root user. so better hardcode the JAVA_HOME at the beginning.

@richmilne
Copy link
Author

Thanks for spotting that, @rjshrjndrn - I've corrected the omission.

As for your comment that the script should be run as root user: yes, that is the usage envisaged by the upstream creator:
sudo ./import-letsencrypt-java.sh "$JAVA_HOME"

@rjshrjndrn
Copy link

Ah, correct!!!
and where should we set $JAVA_HOME ?
So either it should be

 sudo JAVA_HOME=/path/to/java bash /import-letsencrypt-java.sh "$JAVA_HOME"

or

 sudo ./import-letsencrypt-java.sh /path/to/hava

@richmilne
Copy link
Author

@danielsz, does this fork help?

@danielsz
Copy link

This looks great. Thank you, @richmilne.

@elcamilet
Copy link

Hi! I have adapted it to my needs and it works perfectly!
Thank you so much! @richmilne

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment