Bash script for automating the generation and renewal of SSL certificates from Let's Encrypt for the JAMF Software Server (JSS) and Tomcat
Let's Encrypt (https://letsencrypt.org) is a free and automated way to install SSL certificates into several different types of web servers. Since the JAMF Software Server (JSS) runs on Tomcat (a web server), I took it upon myself to figure out how to automate the request and installation of the proper certs. This is mainly because many folks run JSS instances without trusted certs, leaving themselves open to potential man-in-the-middle attacks.
Based on Ivan Tichy - http://blog.ivantichy.cz/blogpost/view/74 and Jon Yergatian - https://github.com/sonofiron
This script will pull the latest copy of Let's Encrypt and configure it for your JSS. Please read through the entire script before running it. It is highly recommended that you test this on a development environment before trying it in production.
You must have the following software packages installed:
This script must be run with sudo.
If you have restrictive firewall rules, port 80 must be open from the server out to the internet. Let's Encrypt uses port 80 to validate certs. Additionally, certs may only be renewed every 60-90 days (this is accounted for in the script).
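The renewal-window check described above, as an added example rather than code from the repository's script: it reads the certificate's notAfter date, works out how many days remain, and only proceeds with renewal when that figure drops below a threshold. The certificate path and the 30-day threshold are assumptions made for this example, not values from the script.

```bash
#!/usr/bin/env bash
# Added example (not the repository's own script): skip the Let's Encrypt
# renewal step while the JSS certificate still has plenty of life left.
# Assumptions (hypothetical): the live cert path below and a 30-day threshold.
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/jamf.domainname.com/cert.pem}"
RENEW_WHEN_DAYS_LEFT="${RENEW_WHEN_DAYS_LEFT:-30}"

# Convert an openssl "notAfter=Mon DD HH:MM:SS YYYY GMT" line to epoch seconds.
# GNU date is tried first, then the BSD/macOS form of date.
enddate_to_epoch() {
    stamp="${1#notAfter=}"
    date -u -d "$stamp" +%s 2>/dev/null \
        || date -j -u -f "%b %d %T %Y %Z" "$stamp" +%s 2>/dev/null
}

# Whole days between "now" (epoch seconds) and the notAfter line.
# Prints a negative number when the certificate has already expired.
days_remaining() {
    expiry="$(enddate_to_epoch "$1")" || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# Exit status 0 means "renew now", 1 means "still within the window, skip".
renewal_due() {
    threshold="${2:-$RENEW_WHEN_DAYS_LEFT}"
    [ "$1" -le "$threshold" ]
}

# Pull the notAfter line from the installed certificate (real run only).
cert_enddate_line() {
    openssl x509 -in "$1" -noout -enddate
}

# Only consult the live certificate when it actually exists on this host.
if [ -r "$CERT_PATH" ]; then
    left="$(days_remaining "$(cert_enddate_line "$CERT_PATH")" "$(date +%s)")"
    if renewal_due "$left"; then
        echo "Certificate has $left day(s) left; running renewal."
    else
        echo "Certificate has $left day(s) left; skipping renewal."
    fi
fi
```

Wire `renewal_due` in front of the certbot call so a nightly cron job is harmless on the days the CA would refuse the request anyway.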
If you were running an older version of the script, you may receive a message like:

Renewal configuration file /etc/letsencrypt/renewal/jamf.stoutcs.com.conf (cert: jamf.domainname.com) produced an unexpected error: 'Namespace' object has no attribute 'standalone_supported_challenges'. Skipping.

The certificate was created with an older version of certbot, and the flag --standalone-supported-challenges http-01 is no longer a supported command. To fix this problem, the easiest method is to create an entirely new certificate. (Hey, they're free, right?)
1) sudo mv /etc/letsencrypt ~/letsencryptold
2) Upgrade to the latest version of the script
3) Run the script to create a brand new certificate.
Please leave feedback and/or comments on how this could be improved! And many thanks to Kyle for making this script to begin with. We miss you!
Thanks! Sean
— SRABBITT August 2, 2019 1:31 PM -
1 - With the release of Java 11 and Jamf Pro 10.14.0, the jamf.tomcat8 service does not appear in the service --status-all command. To fix that problem, we switched to looking for the service with systemctl status jamf.tomcat8 instead.
2 - Now using the Jamf Pro Command Line Interface (CLI) to start and stop the server.
3 - Added Jamf copyright and support model (free, as in beer)