Ivan Tomica

Deploying Let’s Encrypt on R1Soft Server Backup Manager (CDP)

Securing R1Soft Server Backup Manager (CDP) with SSL/TLS encryption sounds like a good idea. Using Let’s Encrypt to accomplish that sounds even better!

Unfortunately, there’s no way to automatically install SSL certificates into Server Backup Manager: its web interface is served by Apache Tomcat, which reads certificates from its own keystore, so yeah, there’s a bit of hacking involved. Naturally, I wrote a script to resolve that :-)

The prerequisites are, of course, that you already have CDP installed and running, and that you first issue the initial certificate for the domain. So let’s issue it ;-)

certbot certonly --standalone -d DOMAIN -n -m EMAILADDRESS --agree-tos

Create script /root/bin/cdpssl.sh and mark it executable:

mkdir -p /root/bin
touch /root/bin/cdpssl.sh
chmod 0700 /root/bin/cdpssl.sh

After that’s done, here’s my mighty script to automate deployment of the SSL certificate and restart the CDP service:

#!/usr/bin/env bash

# Placeholders: set both values for your installation
DOMAIN="example.com"                                # domain the certificate was issued for
R1SOFT_PATH="/path/to/dir-with-java-and-keytool"    # directory holding the java and keytool binaries used below

# Set execute bit on (u+x) required binaries
chmod u+x "$R1SOFT_PATH"/keytool "$R1SOFT_PATH"/java

# Convert private key
openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/"$DOMAIN"/privkey.pem -inform PEM -out /etc/letsencrypt/live/"$DOMAIN"/privkey.der -outform DER

# Convert certificate
openssl x509 -in /etc/letsencrypt/live/"$DOMAIN"/cert.pem -inform PEM -out /etc/letsencrypt/live/"$DOMAIN"/cert.der -outform DER

# Download ImportKey utility (only if it is not already present)
# The archive is fetched over plain HTTP with no integrity check and its code then
# runs as root with access to the private key, so inspect it before trusting it
if [[ -f "$R1SOFT_PATH/ImportKey.java" ]]; then
        echo "ImportKey seems to be installed, skipping..."
else
        wget -q -O /tmp/importkey.zip http://community.igniterealtime.org/servlet/JiveServlet/download/196707-4718/importkey.zip
        # -o extracts (and overwrites); -f would only freshen files that already exist
        unzip -o /tmp/importkey.zip 'ImportKey.*' -d "$R1SOFT_PATH"
        rm -f /tmp/importkey.zip
fi

# Generate keystore. Default path is /root/keystore.ImportKey
cd "$R1SOFT_PATH" || { echo "cd $R1SOFT_PATH failed"; exit 1; }
"$R1SOFT_PATH"/java ImportKey /etc/letsencrypt/live/"$DOMAIN"/privkey.der /etc/letsencrypt/live/"$DOMAIN"/cert.der cdp

# Change keystore password
"$R1SOFT_PATH"/keytool -storepasswd -storepass importkey -new password -keystore /root/keystore.ImportKey

# Change the key's password inside the keystore
"$R1SOFT_PATH"/keytool -keypasswd -alias cdp -storepass password -keypass importkey -new password -keystore /root/keystore.ImportKey

# Add CA certificate to keystore
"$R1SOFT_PATH"/keytool -import -noprompt -alias intermed -file /etc/letsencrypt/live/"$DOMAIN"/chain.pem -keystore /root/keystore.ImportKey -trustcacerts -storepass password

# Backup old keystore

# Restart CDP-Server
/etc/init.d/cdp-server restart

As you can see, quite a bit of hackery and a number of steps are needed to automate this process, but I think I’ve commented the script well enough that you should easily understand what’s going on.

Finally, to automate the renewal process, you can use the following entry in crontab:

certbot renew --post-hook "/root/bin/cdpssl.sh" --quiet

As always, feel free to suggest changes.
