Page 1 of 1

[BETA] Secure webinterface with letsencrypt+certbot SSL/HTTPS certificate

Posted: Fri Jan 27, 2023 1:43 am
by Crypto90
Running TS3MusicBot with SSL/HTTPS:

Server requirements to create a keystore certificate:
Code: Select all
apt-get install certbot openssl openjdk-8-jre (or newer, the version you already running your bot/s with is working)
TCP port 80 has to be free and open for the time running this script. You may need to stop apache2/nginx/httpd for a moment, if port 80 is in use.

Run this script in any folder of your system, best outside of your TS3MusicBot folder(s). In this example we use /etc/TS3MusicBot/:
Code: Select all
mkdir /etc/TS3MusicBot
Code: Select all
cd /etc/TS3MusicBot
Use this script to automate the keystore creation process:
Code: Select all
wget -O createTS3MusicBotSecureKeystore.sh https://forum.ts3musicbot.net/download/file.php?id=513 && chmod +x createTS3MusicBotSecureKeystore.sh


Usage (3 different options):

1. Create a new certificate with certbot from letsencrypt and generate the keystore file:
./createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here

The letsencrypt certificate is valid for 90 days, till it expires.

2. To renew your existing certbot/letsencrypt certificate run:
./createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here renew


3. Create the keystore file from an existing certificate you own:
./createTS3MusicBotSecureKeystore.sh /path/to/your/existing/certificate/fullchain.pem set_a_keystore_password_here



Add a cronjob to periodically rerun the "renew" command (only for a certbot/letsencrypt created certificate):
Code: Select all
crontab -e
Code: Select all
0 */12 * * * /etc/TS3MusicBot/createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here renew



Then start your bots with the additional arguments:
Code: Select all
-secure /etc/TS3MusicBot/TS3MusicBot_secured.jks -secure-pw set_a_keystore_password_here

which will run the bot webinterface with the following url (eg. if you set -port 8080):

https://your_domain:8080

All bots running on the same system can use the same keystore TS3MusicBot_secured.jks file!


(6.04 KiB) Downloaded 4145 times

Screenshots:
2023-01-27_06-49-44.png
2023-01-27_06-49-44.png (243.97 KiB) Viewed 204504 times
2023-01-27_06-48-08.png
2023-01-27_06-48-08.png (100.95 KiB) Viewed 204504 times



The manual way:
► Show Spoiler

Re: [BETA] Secure webinterface with letsencrypt+certbot SSL/HTTPS certificate

Posted: Sun Jan 29, 2023 2:17 pm
by Crypto90
Added functionality to the script to set a path to an existing custom certificate (full .pem file), which will be used to create the keystore file from, certbot/letsencrypt will be skipped and not used in this usage,

Re: [BETA] Secure webinterface with letsencrypt+certbot SSL/HTTPS certificate

Posted: Thu Feb 09, 2023 1:48 pm
by Crypto90
Updated the script:

- Only proceed keystore generation if certificate (pem files) changes are detected.
- If a custom certificate is used, the given fullchain.pem file has to have a modified time change less than 30 minutes. Otherwise the fullchain.pem gets ignored.

Re: [BETA] Secure webinterface with letsencrypt+certbot SSL/HTTPS certificate

Posted: Mon Apr 17, 2023 10:45 pm
by Crypto90
Updated the script:
- Added check for java/openjdk 11 to use a workaround for keystore/keypass password set, because in opendjk 11 there is a bug which prevents the normal usage. All other versions will use the normal method.