Securing R1Soft Server Backup Manager (CDP) with SSL/TLS encryption sounds like a good idea. Using Let’s Encrypt to accomplish that sounds even better!

Unfortunately, there’s no way to automatically install SSL certificates into Server Backup Manager: its web interface is served by Apache Tomcat, which reads those certificates from its keystore, so yeah, there’s a bit of hacking involved. Naturally, I wrote a script to resolve that :-)

The prerequisite is, of course, that you have CDP installed and running already. You also need to issue the certificate for the domain the first time, so let’s issue it ;-)

certbot certonly --standalone -d DOMAIN -n -m EMAILADDRESS --agree-tos

Create script /root/bin/cdpssl.sh and mark it executable:

mkdir -p /root/bin
touch /root/bin/cdpssl.sh
chmod 0700 /root/bin/cdpssl.sh

After that’s done, here’s my mighty script to automate deployment of the SSL certificate and restart the CDP service:

#!/usr/bin/env bash

DOMAIN="yourdomain"
R1SOFT_PATH="/usr/sbin/r1soft/jre/bin"
KEYSTORE_TMP="/root/keystore.ImportKey"
KEYSTORE="/usr/sbin/r1soft/conf/keystore"

# Set execute bit on (u+x) required binaries
chmod u+x "$R1SOFT_PATH"/keytool "$R1SOFT_PATH"/java

# Convert private key
openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/"$DOMAIN"/privkey.pem -inform PEM -out /etc/letsencrypt/live/"$DOMAIN"/privkey.der -outform DER

# Convert certificate
openssl x509 -in /etc/letsencrypt/live/"$DOMAIN"/cert.pem -inform PEM -out /etc/letsencrypt/live/"$DOMAIN"/cert.der -outform DER

# Download ImportKey utility
if [[ -f "$R1SOFT_PATH/ImportKey.java" ]]; then
        echo "ImportKey seems to be installed, skipping..."
else
        wget -q -O /tmp/importkey.zip https://community.igniterealtime.org/servlet/JiveServlet/download/196707-4718/importkey.zip
        # -o extracts (overwriting); -f would only freshen files that already exist
        unzip -o /tmp/importkey.zip "ImportKey.*" -x "__MACOSX/*" -d "$R1SOFT_PATH"
        rm -f /tmp/importkey.zip
fi

# Generate keystore. Default path is /root/keystore.ImportKey
cd "$R1SOFT_PATH" || { echo "cd $R1SOFT_PATH failed" >&2; exit 1; }
"$R1SOFT_PATH"/java ImportKey /etc/letsencrypt/live/"$DOMAIN"/privkey.der /etc/letsencrypt/live/"$DOMAIN"/cert.der cdp

# Change keystore password
"$R1SOFT_PATH"/keytool -storepasswd -storepass importkey -new password -keystore /root/keystore.ImportKey

# Change password in keystore
"$R1SOFT_PATH"/keytool -keypasswd -alias cdp -storepass password -keypass importkey -new password -keystore /root/keystore.ImportKey

# Add CA certificate to keystore
"$R1SOFT_PATH"/keytool -import -noprompt -alias intermed -file /etc/letsencrypt/live/"$DOMAIN"/chain.pem -keystore /root/keystore.ImportKey -trustcacerts -storepass password

# Backup old keystore
mv "$KEYSTORE" "$KEYSTORE".old
cp "$KEYSTORE_TMP" "$KEYSTORE"

# Restart CDP-Server
/etc/init.d/cdp-server restart

As you can see, quite a bit of hackery and several steps are needed to automate this process, but I think I’ve commented the script pretty well, so you should be able to easily understand what’s going on.

Finally, to automate the renewal process, you can use the following entry in crontab:

certbot renew --post-hook "/root/bin/cdpssl.sh" --quiet

As always, feel free to suggest changes.

Update #1

It seems that the URL I was using in the script at the time is not valid anymore. This really brings home the point that you shouldn’t download things from untrusted sources. Always review code and decide the trust level for yourself. It was suggested by R.S. here in the comments that the tool from this website works. There are also plenty of gists out there on GitHub effectively making a backup of this class. :-)
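
The script skips the download whenever ImportKey.java is already on disk and then runs it as root, so whatever is in that directory is trusted on every renewal. As an added example (not part of the original script), the functions below check those files against SHA-256 digests you recorded after reviewing the code; the function names and the manifest path /root/bin/importkey.sha256 are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pin the SHA-256 of the
# third-party ImportKey files and re-check them on every run, before
# java executes them as root.

# verify_pinned FILE EXPECTED_SHA256 -> 0 match, 1 mismatch, 2 bad input
verify_pinned() {
    local file expected actual
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # A pin must be exactly 64 hex characters; anything else is a config error
    case "$expected" in *[!0-9a-f]*) echo "bad pin for $file" >&2; return 2 ;; esac
    [ "${#expected}" -eq 64 ] || { echo "bad pin for $file" >&2; return 2; }
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch: $file" >&2
    return 1
}

# verify_manifest DIR MANIFEST
# MANIFEST uses sha256sum's format: "<sha256>  <filename>" per line.
# Every listed file in DIR must match; any failure fails the whole check.
verify_manifest() {
    local dir manifest digest name rc
    dir="$1"; manifest="$2"; rc=0
    [ -s "$manifest" ] || { echo "empty or missing manifest" >&2; return 2; }
    while read -r digest name || [ -n "$digest" ]; do
        [ -n "$digest" ] || continue
        # Refuse path components so an entry cannot point outside DIR
        case "$name" in
            ""|*/*) echo "bad name in manifest" >&2; rc=2; continue ;;
        esac
        verify_pinned "$dir/$name" "$digest" || rc=1
    done < "$manifest"
    return "$rc"
}

# Usage in cdpssl.sh, before the java call (manifest path is hypothetical):
#   verify_manifest "$R1SOFT_PATH" /root/bin/importkey.sha256 || exit 1
```

Create the manifest once, after reviewing the files, by running `sha256sum ImportKey.* > /root/bin/importkey.sha256` inside the R1Soft JRE bin directory.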