PEE Mail
Sydac DMI
Glassfish Tools

Glassfish Tools

06/06/2018 10:10 Australian Central Standard Time (South Australia)

Glassfish Tools is a project that I started when the startcom CA got ditched from major browsers. As I was forced to move to something else, I decided to integrate LetsEncrypt with Glassfish without actually touching the Glassfish source code. Two components have been created; these tools integrate Glassfish/Payara server with the official LetsEncrypt client certbot

  1. leChallengeFilter - a filter that responds to LetsEncrypt Challenges
  2. lePostProcessor - utility that imports a new LetsEncrypt certificate into the Glassfish keystore

LE Challenge Filter

There are many ways to use the certbot utility to do domain validation User Guide. One option is to make the server respond to a ACME-challenge. The leChallengeFilter does exactly that; installed as a server-wide filter it'll respond to ACME-challenges. Whether or not this filter is usable in a particular case depends on your setup and use of Glassfish. If the filter doesn't do the job in your case use DNS-validation or implement a custom solution.

LE Post Processor

The lePostProcessor is a small Java program that
  • reads the GF master password
  • creates a backup of the old keystore
  • copies the new certificate and private key into the keystore
  • and sends an e-mail with the result

The master password is required to open the keystore; this requires that the master password is stored on the server. The server needs to be restarted after an update of he keystore to be able to use the new certificate. This can be done automatically via script or manually. Someone raised an issue on github some time ago ( ) that contains the LetsEncrypt integration debate. The missing part so far is an asadmin-command that triggers a re-load of the SSL-certificate without re-starting the server or the connector.

Source and binaries are on