Ivan Tomica

Deploying Let’sEncrypt on R1Soft Server Backup Manager (CDP)

Securing R1Soft Server Backup Manager (CDP) with SSL/TLS encryption sounds like a good idea. Using Let’s Encrypt to accomplish that sounds even better!

Unfortunately, there's no way to automatically install SSL certificates into Server Backup Manager: its web interface runs on Apache Tomcat, which reads certificates from its own Java keystore, so there's a bit of hacking involved. Naturally, I wrote a script to take care of that :-)

The prerequisite is, of course, that you already have CDP installed and running, and you also need to issue the certificate for the domain once by hand. So let's issue it ;-)

certbot certonly --standalone -d DOMAIN -n -m EMAILADDRESS --agree-tos

Create script /root/bin/cdpssl.sh and mark it executable:

mkdir -p /root/bin
touch /root/bin/cdpssl.sh
chmod 0700 /root/bin/cdpssl.sh

After that's done, here's my mighty script to automate the deployment of the SSL certificate and restart the CDP service:

#!/usr/bin/env bash
# Abort on the first failed step so a half-built keystore is never installed
set -euo pipefail

DOMAIN="yourdomain"
R1SOFT_PATH="/usr/sbin/r1soft/jre/bin"
KEYSTORE_TMP="/root/keystore.ImportKey"
KEYSTORE="/usr/sbin/r1soft/conf/keystore"
LE_DIR="/etc/letsencrypt/live/$DOMAIN"

# Set execute bit on (u+x) required binaries
chmod u+x "$R1SOFT_PATH"/keytool "$R1SOFT_PATH"/java

# Convert private key to unencrypted PKCS#8 DER (the format ImportKey expects)
openssl pkcs8 -topk8 -nocrypt -in "$LE_DIR"/privkey.pem -inform PEM -out "$LE_DIR"/privkey.der -outform DER

# Convert certificate to DER
openssl x509 -in "$LE_DIR"/cert.pem -inform PEM -out "$LE_DIR"/cert.der -outform DER

# Download ImportKey utility
# NOTE: see Update #1 below: this URL is no longer valid. Review whatever
# replacement you use before running it as root.
if [[ -f "$R1SOFT_PATH/ImportKey.java" ]]; then
        echo "ImportKey seems to be installed, skipping..."
else
        wget -q -O /tmp/importkey.zip https://community.igniterealtime.org/servlet/JiveServlet/download/196707-4718/importkey.zip
        # -o overwrites without prompting; -f (freshen) would only extract files that already exist
        unzip -o /tmp/importkey.zip "ImportKey.*" -x "__MACOSX/*" -d "$R1SOFT_PATH"
        rm -f /tmp/importkey.zip
fi

# Generate keystore. Default path is /root/keystore.ImportKey
cd "$R1SOFT_PATH" || { echo "cd $R1SOFT_PATH failed" >&2; exit 1; }
"$R1SOFT_PATH"/java ImportKey "$LE_DIR"/privkey.der "$LE_DIR"/cert.der cdp

# Change keystore password (ImportKey sets "importkey"; the new one must match what the CDP server is configured with)
"$R1SOFT_PATH"/keytool -storepasswd -storepass importkey -new password -keystore "$KEYSTORE_TMP"

# Change the key password inside the keystore
"$R1SOFT_PATH"/keytool -keypasswd -alias cdp -storepass password -keypass importkey -new password -keystore "$KEYSTORE_TMP"

# Add CA (intermediate) certificate to keystore
"$R1SOFT_PATH"/keytool -import -noprompt -alias intermed -file "$LE_DIR"/chain.pem -keystore "$KEYSTORE_TMP" -trustcacerts -storepass password

# Backup old keystore and install the new one
mv "$KEYSTORE" "$KEYSTORE".old
cp "$KEYSTORE_TMP" "$KEYSTORE"

# Remove the unencrypted DER copy of the private key and the temporary keystore
rm -f "$LE_DIR"/privkey.der "$LE_DIR"/cert.der "$KEYSTORE_TMP"

# Restart CDP-Server
/etc/init.d/cdp-server restart

As you can see, there's quite a bit of hackery and quite a few steps involved in automating this process, but I think I've commented it well enough that you should be able to easily understand what's going on.

Finally, to automate the renewal process you can use the following command in a crontab entry (prefixed with the schedule of your choice):

certbot renew --post-hook "/root/bin/cdpssl.sh" --quiet

As always, feel free to suggest changes.

Update #1

It seems that the URL I was using in the script at the time is not valid anymore. This really brings home the point that you shouldn't download things from untrusted sources. Always review the code and decide the trust level for yourself. It was suggested by R.S. here in the comments that the tool from this website works. There are also plenty of gists out there on GitHub, effectively making a backup of this class. :-)
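An added example, not part of the original article or of R1Soft's tooling, that builds the same keystore (alias cdp, store password password) from the Let's Encrypt PEM files with stock openssl and keytool, so the ImportKey download that Update #1 warns about is not needed at all. The keytool path is assumed from the script above, and the key-matches-certificate pre-flight check is something the article's script does not do:

```shell
#!/usr/bin/env bash
# Hypothetical helper (not from the article): build the CDP keystore from the
# Let's Encrypt PEM files with stock openssl + keytool, so nothing has to be
# downloaded from a third-party URL and run as root.
set -euo pipefail

# Assumed values: keytool path, alias and password as used in the article's script.
KEYTOOL="${KEYTOOL:-/usr/sbin/r1soft/jre/bin/keytool}"
ALIAS="cdp"
STOREPASS="password"

# Pre-flight check: the private key must belong to the certificate, otherwise
# Tomcat loads a keystore that can never complete a TLS handshake.
# $1 privkey.pem  $2 cert.pem   (returns 0 on match, 1 on mismatch)
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    cpub=$(openssl x509 -in "$2" -pubkey -noout \
           | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$kpub" = "$cpub" ]
}

# Bundle key + leaf certificate + intermediate chain into one PKCS#12 file.
# On OpenSSL 3 an old JRE may additionally need the -legacy flag here.
# $1 privkey.pem  $2 cert.pem  $3 chain.pem  $4 output .p12
build_pkcs12() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$ALIAS" -passout "pass:$STOREPASS" -out "$4"
    chmod 0600 "$4"
}

# Count the certificates stored in the PKCS#12 (leaf + chain) for verification.
# $1 .p12 file
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" | grep -c "BEGIN CERTIFICATE"
}

# Convert the PKCS#12 into a fresh JKS keystore under the alias CDP expects;
# this replaces the ImportKey + keytool password-juggling steps of the article.
# $1 input .p12  $2 output keystore (then install it like the article's script does)
pkcs12_to_jks() {
    rm -f "$2"
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destalias "$ALIAS" -destkeypass "$STOREPASS"
    chmod 0600 "$2"
}
```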


6 Comments

    • Ivan Tomica

      2019-07-25 - 18:03

      Thank you for sharing this Mike! Seems like they’ve added __MACOSX folder, perhaps by accident since that’s metadata about files anyways.

  1. R.S.

    2019-09-10 - 18:01

    We’re running a deployment of about 23 of these gnarled beasts, and I’ve just come into “ownership” of them. Self certs for three years. This helps a TON. Now if I could only crack their API, or at least get updated docs.

    • Ivan Tomica

      2019-09-11 - 07:14

      I feel your pain :-) Glad that article was of use to you!

      • Ivan Tomica

        2019-09-11 - 21:01

        Thanks for letting me know. This has been brought to my attention previously as well, but now I have finally made the required update to the article. :-)
