Confluence and Let's Encrypt


For anything web-based with passwords, one should be using HTTPS, and self-signed certificates are becoming increasingly impractical due to browsers complaining about them.

An easy solution to this is using Let's Encrypt, which makes it very straightforward to keep an up-to-date certificate on sites that don't need extended forms of validation.

Getting the certificate itself is pretty simple. If you already have one on the same server for a different purpose, you can skip the certbot bit!

certbot will generally now be available in your package manager. If not, please look here.

We need something of the form:

certbot certonly --standalone -d subdomain.yourdomain.tld

(Note that ports 80 and 443 need to be open on the firewall when you run the command; a script can open them, run the command, and close them again afterwards.)

To renew (at least every 60 days), all we need is:

certbot renew --standalone

and this can be executed from cron - it will only update the certificate if it is about to expire.


So, we've got our certificate. However, Confluence uses Tomcat, so things are a little more complicated.

We need the certificate and key to go into a Java keystore.

Credit for the principles of the next bit goes to Carmelo Scolo, as described in this article. We (probably!) aren't using the same hardware, but we can make use of the ideas.

We need to uncomment some lines in <CONFLUENCE_INSTALLATION>/conf/server.xml, in a similar way to that described in the Atlassian documentation:

        <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keystorePass="<KeyStorePass>"
                   keyAlias="tomcat" keyPass="<KeyPass>"
                   keystoreFile="<place you put it below>/ConfluenceKeyStore.jks"/>

All that remains now is to create a script that runs after the certificate is renewed, and updates our keystore for Confluence:

#!/bin/sh
set -e   # stop at the first failure so Confluence is not restarted with a half-built keystore
<CONFLUENCE_INSTALLATION>/bin/stop-confluence.sh
# bundle the renewed private key and full chain into a PKCS#12 file under the alias Tomcat expects
openssl pkcs12 -export -in /etc/letsencrypt/live/docs.sebtombs.com/fullchain.pem -inkey /etc/letsencrypt/live/docs.sebtombs.com/privkey.pem -out fullchain_and_key.p12 -name tomcat -passout pass:<InPass>
# import it into the keystore; -noprompt overwrites the existing "tomcat" entry on later renewals instead of waiting for a y/n answer that cron can never give
<CONFLUENCE_INSTALLATION>/jre/bin/keytool -importkeystore -noprompt -deststorepass <KeyStorePass> -destkeypass <KeyPass> -destkeystore ConfluenceKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <InPass> -alias tomcat
<CONFLUENCE_INSTALLATION>/bin/start-confluence.sh

We use the keytool installed by Confluence itself, as there may not be a JRE installed elsewhere.

Note that the passwords in <> are ones you need to invent, and they must be the same in the server.xml file and in the script.
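As an added example (not the original post's script), here is the same renewal step written as a certbot deploy hook: it compares the renewed certificate's fingerprint with the one already in the keystore so Confluence is only restarted when something changed, drops the old alias so keytool cannot stop at an overwrite prompt, and reads the passwords from a root-only file rather than keeping them in the script. The install directory, keystore path, alias and secrets file are assumptions; set them to the values in your server.xml.

```sh
#!/bin/sh
# Added example, not the original post's script: a certbot deploy hook that rebuilds the
# Confluence keystore. Paths, alias and the secrets file are assumptions; match your server.xml.
set -eu

CONF="${CONFLUENCE_INSTALLATION:-/opt/atlassian/confluence}"    # assumed install dir
KEYTOOL="${KEYTOOL:-$CONF/jre/bin/keytool}"                      # Confluence's bundled JRE
KEYSTORE="${KEYSTORE:-/etc/confluence/ConfluenceKeyStore.jks}"  # keystoreFile in server.xml
ALIAS="${KEY_ALIAS:-tomcat}"                                     # keyAlias in server.xml
SECRETS="${SECRETS:-/etc/confluence/keystore.env}"               # root-only file: KEYSTORE_PASS=.. KEY_PASS=..

# SHA-256 fingerprint (hex, no colons) of the leaf certificate in a PEM chain.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Same fingerprint for the certificate currently stored under $ALIAS; empty if there is none.
keystore_fingerprint() {
  "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -alias "$ALIAS" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1 | tr -d ':'
}

# Replace the $ALIAS entry with the key and chain from a certbot lineage directory.
rebuild_keystore() {
  lineage="$1"
  umask 077                      # the PKCS#12 bundle contains the private key
  p12=$(mktemp)
  openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
    -out "$p12" -name "$ALIAS" -passout "pass:$KEY_PASS"
  # keytool stops at an overwrite prompt when the alias already exists, so drop it first
  "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" 2>/dev/null || true
  "$KEYTOOL" -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
    -srcstorepass "$KEY_PASS" -srcalias "$ALIAS" -destalias "$ALIAS" \
    -destkeystore "$KEYSTORE" -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEY_PASS"
  rm -f "$p12"
}

main() {
  # certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) to deploy hooks
  lineage="${RENEWED_LINEAGE:?run this via: certbot renew --deploy-hook $0}"
  . "$SECRETS"                   # defines KEYSTORE_PASS and KEY_PASS
  if [ "$(pem_fingerprint "$lineage/fullchain.pem")" = "$(keystore_fingerprint)" ]; then
    echo "keystore already holds the current certificate"; return 0
  fi
  "$CONF/bin/stop-confluence.sh"
  rebuild_keystore "$lineage"
  "$CONF/bin/start-confluence.sh"
}
# Only act when invoked by certbot; sourcing the file merely defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Hook it up with certbot renew --deploy-hook /path/to/this-script from cron; certbot only runs the hook after a renewal actually happened and sets RENEWED_LINEAGE for it.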