Bootstrap Framework 3.3.6

[Crypto90]

Running TS3MusicBot with SSL/HTTPS:

Server requirements to create a keystore certificate:

Code: Select all

apt-get install certbot openssl openjdk-8-jre (or newer, the version you already running your bot/s with is working)

TCP port 80 has to be free and open for the time running this script. You may need to stop apache2/nginx/httpd for a moment, if port 80 is in use.

Run this script in any folder of your system, best outside of your TS3MusicBot folder(s). In this example we use /etc/TS3MusicBot/:

Code: Select all

mkdir /etc/TS3MusicBot

Code: Select all

cd /etc/TS3MusicBot

Use this script to automate the keystore creation process:

Code: Select all

wget -O createTS3MusicBotSecureKeystore.sh https://forum.ts3musicbot.net/download/file.php?id=513 && chmod +x createTS3MusicBotSecureKeystore.sh

Usage (3 different options):

1. Create a new certificate with certbot from letsencrypt and generate the keystore file:
./createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here

The letsencrypt certificate is valid for 90 days, till it expires.

2. To renew your existing certbot/letsencrypt certificate run:
./createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here renew


3. Create the keystore file from an existing certificate you own:
./createTS3MusicBotSecureKeystore.sh /path/to/your/existing/certificate/fullchain.pem set_a_keystore_password_here



Add a cronjob to periodically rerun the "renew" command (only for a certbot/letsencrypt created certificate):

Code: Select all

crontab -e

Code: Select all

0 */12 * * * /etc/TS3MusicBot/createTS3MusicBotSecureKeystore.sh your_domain set_a_keystore_password_here renew

Then start your bots with the additional arguments:

Code: Select all

-secure /etc/TS3MusicBot/TS3MusicBot_secured.jks -secure-pw set_a_keystore_password_here

which will run the bot webinterface with the following url (eg. if you set -port 8080):

https://your_domain:8080

All bots running on the same system can use the same keystore TS3MusicBot_secured.jks file!

createTS3MusicBotSecureKeystore.sh

(6.04 KiB) Downloaded 4059 times

Screenshots:

2023-01-27_06-49-44.png (243.97 KiB) Viewed 199024 times

2023-01-27_06-48-08.png (100.95 KiB) Viewed 199024 times

The manual way:

► Show Spoiler

Replace all XXXXXXXXXXXXXXXXXX fields with your domain/sub.domain (domain is pointing via A record to your server).

A keystore file is protected with a password, without the correct password, the keystore file can't be used/read.

Some keytool versions have a bug with setting custom passwords. 'changeit' is the default password. we will set always the default and change the placeholder on the last step.





1. Run as root/sudo:

Code: Select all

certbot certonly --standalone --config-dir TS3MusicBot_SSL/config --work-dir TS3MusicBot_SSL/work --logs-dir TS3MusicBot_SSL/logs -d XXXXXXXXXXXXXXXXXX

TCP port 80 has to be free and open for the time running certbot. You may need to stop apache2/nginx/httpd for a moment, if port 80 is in use.

alternatively, you can use the already running webserver (apache2/nginx) instead of the certbot's build in standalone server by using:

► Show Spoiler

Code: Select all

certbot certonly --webroot --webroot-path /var/www/html --config-dir TS3MusicBot_SSL/config --work-dir TS3MusicBot_SSL/work --logs-dir TS3MusicBot_SSL/logs -d XXXXXXXXXXXXXXXXXX

This creates pem files to: TS3MusicBot_SSL/config/live/XXXXXXXXXXXXXXXXXX/*.pem


2. concatenate all PEM files into one:

Code: Select all

cat TS3MusicBot_SSL/config/live/XXXXXXXXXXXXXXXXXX/*.pem > fullcert.pem

3. convert to pkcs12 (do NOT change 'changeit', we do this at the end):

Code: Select all

openssl pkcs12 -export -out fullchain.pkcs12 -in fullcert.pem -passin pass:changeit -passout pass:changeit

4. You can't just create an empty keystore, so create a new temp key and specify a new keystore, then delete that key. That gives you the empty keystore:
(do NOT change 'changeit', we do this at the end)

Code: Select all

keytool -genkey -noprompt -alias dummyalias -dname "CN=dummy.com, OU=ID, O=DUM, L=DUMMY, S=DUMMY, C=GB" -keystore TS3MusicBot_secured.jks -storepass changeit -keypass changeit

(do NOT change 'changeit', we do this at the end)

Code: Select all

keytool -delete -alias dummyalias -keystore TS3MusicBot_secured.jks -storepass changeit -keypass changeit

5. importing pkcs12 file into empty keystore (do NOT change 'changeit', we do this at the end):

Code: Select all

keytool -v -importkeystore -srckeystore fullchain.pkcs12 -destkeystore TS3MusicBot_secured.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt

6. correcting alias (do NOT change 'changeit', we do this at the end):

Code: Select all

keytool -keystore TS3MusicBot_secured.jks -changealias -alias 1 -destalias XXXXXXXXXXXXXXXXXX -storepass changeit

7. change the password from 'changeit' to a real one (do NOT change 'changeit', only change YYYYYYYYYYYYYYYYYYY):
YYYYYYYYYYYYYYYYYYY = your new custom password
XXXXXXXXXXXXXXXXXX = domain/sub.domain

first for the key inside the keystore:

Code: Select all

keytool -keypasswd -new YYYYYYYYYYYYYYYYYYY -alias XXXXXXXXXXXXXXXXXX -keystore TS3MusicBot_secured.jks -storepass changeit

next for the keystore:

Code: Select all

keytool -storepasswd -new YYYYYYYYYYYYYYYYYYY -keystore TS3MusicBot_secured.jks -storepass changeit

Then start your bots with the additional arguments:

Code: Select all

-secure path/to/TS3MusicBot_secured.jks -secure-pw set_a_keystore_password_here

which will run the bot webinterface with the following url (eg. if you set -port 8080):

https://your_domain:8080

All bots running on the same system can use the same keystore TS3MusicBot_secured.jks file!

[Crypto90]

Added functionality to the script to set a path to an existing custom certificate (full .pem file), which will be used to create the keystore file from, certbot/letsencrypt will be skipped and not used in this usage,

[Crypto90]

Updated the script:

- Only proceed keystore generation if certificate (pem files) changes are detected.
- If a custom certificate is used, the given fullchain.pem file has to have a modified time change less than 30 minutes. Otherwise the fullchain.pem gets ignored.

[Crypto90]

Updated the script:
- Added check for java/openjdk 11 to use a workaround for keystore/keypass password set, because in opendjk 11 there is a bug which prevents the normal usage. All other versions will use the normal method.