These instructions apply to all run modes using the WebListener. Certificates from any authority may be used, but these instructions use Let's Encrypt because it is free and easy to use.
These instructions assume that certbot is not yet installed on the system and that no certificate has yet been obtained. The process differs for certificate renewal. Also be aware that Let's Encrypt certificates are valid for only 90 days and that automatic renewal is not yet implemented: after each renewal the keystore export and reload steps below must be repeated, or the WebListener keeps serving the certificate that is in its keystore.
Before beginning, ensure that your Nyzo software is at version 571 or later and that the WebListener is running and reachable from the internet on port 80, because the webroot (HTTP-01) challenge used below is fetched over plain HTTP. Then install certbot.
sudo apt install certbot -y
Create the temporary web-forwarding directory.
sudo mkdir /var/lib/nyzo/production/webTemp
Run certbot to obtain a certificate. This example is for client.nyzo.co.
sudo certbot certonly
The first question asks about how to authenticate.
How would you like to authenticate with the ACME CA?
Choose option 2, the webroot authenticator, which places the challenge files in a directory that the WebListener serves.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
You may enter your email address if you choose to do so. This example uses email@example.com.
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): email@example.com
You must next agree to the terms of service.
You are then asked whether you want to share your email address with the Electronic Frontier Foundation. You may choose either option.
Next, you need to provide the domain or domains for which you want a certificate. This example is for client.nyzo.co.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): client.nyzo.co
You will then be asked for the webroot for the domain you provided. This is the Nyzo webTemp directory:
Input the webroot for client.nyzo.co: (Enter 'c' to cancel): /var/lib/nyzo/production/webTemp
If everything is working properly, you will see a notice saying that your certificate was created. This example is for client.nyzo.co.
Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2020-05-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
Next, export the certificate chain and private key, which certbot saved under /etc/letsencrypt/live/client.nyzo.co/, to a PKCS12 keystore that the Java WebListener can read. This example is for client.nyzo.co, using a certificate named mycertificate and writing to the file /var/lib/nyzo/production/ssl-keystore.p12.
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/client.nyzo.co/privkey.pem -in /etc/letsencrypt/live/client.nyzo.co/fullchain.pem -name mycertificate -out /var/lib/nyzo/production/ssl-keystore.p12
You will be asked to choose and verify an export password. Choose a strong one: it protects the private key inside the keystore, and it will be stored in plain text in the preferences file. Next, add the following two lines to /var/lib/nyzo/production/preferences. This example is for a keystore file located at /var/lib/nyzo/production/ssl-keystore.p12 with an export password of myexportpassword. Both the keystore and the preferences file should be readable only by the account the Nyzo software runs under.
Reload your Nyzo software.
sudo supervisorctl reload
Finally, if you want to deactivate the temporary web directory, remove it now. rmdir only removes an empty directory; certbot cleans up its own challenge files, so inspect anything left behind before deleting it. The directory will need to be recreated the next time certbot is run, including for renewal.
sudo rmdir /var/lib/nyzo/production/webTemp
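Because renewal is manual, the same sequence (recreate webTemp, run certbot, export the keystore, point the preferences at it, reload, remove webTemp) has to be repeated every 90 days. The script below is an added example, not code from the Nyzo project, that runs that sequence non-interactively and can be put in cron or run by hand as root. It assumes two things that are not on this page: the preference key names keystore_path and keystore_password are placeholders (substitute the two keys the preferences step above calls for), and the export password is read back from the preferences file rather than typed in. It also makes two small hardening changes to the manual steps: the password is handed to openssl through the environment instead of the command line, and the keystore is created owner-only.

```shell
#!/bin/sh
# Added example, not part of the Nyzo project: re-run the certificate procedure
# non-interactively after a Let's Encrypt renewal.
# Assumption (not from the page): the two preference key names below are
# placeholders; replace them with the keys the preferences step calls for.
set -eu

NYZO_DIR="${NYZO_DIR:-/var/lib/nyzo/production}"
DOMAIN="${DOMAIN:-client.nyzo.co}"
WEBTEMP="$NYZO_DIR/webTemp"
KEYSTORE="$NYZO_DIR/ssl-keystore.p12"
PREFS="$NYZO_DIR/preferences"
LIVE="/etc/letsencrypt/live/$DOMAIN"
KEYSTORE_PATH_KEY="${KEYSTORE_PATH_KEY:-keystore_path}"              # placeholder
KEYSTORE_PASSWORD_KEY="${KEYSTORE_PASSWORD_KEY:-keystore_password}"  # placeholder

# get_preference FILE KEY: print the value of KEY in FILE (last assignment wins),
# or nothing if the file or key is absent. Everything after the first '=' is the value.
get_preference() {
    [ -f "$1" ] || return 0
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# set_preference FILE KEY VALUE: write KEY=VALUE, replacing any existing line for KEY
# instead of appending a duplicate whose precedence the reader may not define.
set_preference() {
    tmp="$1.tmp.$$"
    if [ -f "$1" ]; then
        grep -v "^[[:space:]]*$2[[:space:]]*=" "$1" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# export_keystore PASSWORD: the page's openssl pkcs12 export. The password goes in
# via the environment (not visible in `ps`), and the subshell umask makes the
# keystore owner-only from creation because it contains the private key.
export_keystore() {
    ( umask 077
      KEYSTORE_PASS="$1" openssl pkcs12 -export \
          -inkey "$LIVE/privkey.pem" -in "$LIVE/fullchain.pem" \
          -name mycertificate -out "$KEYSTORE" -passout env:KEYSTORE_PASS )
}

# keystore_not_after PASSWORD: confirm the keystore opens with PASSWORD and print the
# certificate's notAfter date, the value to watch for the 90-day renewal.
keystore_not_after() {
    KEYSTORE_PASS="$1" openssl pkcs12 -in "$KEYSTORE" -nokeys -clcerts \
        -passin env:KEYSTORE_PASS | openssl x509 -noout -enddate
}

# renew_certificate: the manual steps above in order. `certbot renew` reuses the
# webroot authenticator and path recorded at issuance, so webTemp must exist again
# and port 80 must still reach the WebListener.
renew_certificate() {
    password="$(get_preference "$PREFS" "$KEYSTORE_PASSWORD_KEY")"
    [ -n "$password" ] || { echo "no $KEYSTORE_PASSWORD_KEY in $PREFS" >&2; return 1; }
    mkdir -p "$WEBTEMP"
    certbot renew
    export_keystore "$password"
    keystore_not_after "$password"
    set_preference "$PREFS" "$KEYSTORE_PATH_KEY" "$KEYSTORE"
    chmod 600 "$PREFS"            # the file carries the export password in plain text
    supervisorctl reload
    rmdir "$WEBTEMP"
}

# Act only when invoked explicitly, so the functions can be sourced and tested alone.
case "${1:-}" in
    renew) renew_certificate ;;
esac
```

Run it as `sudo sh nyzo-renew.sh renew` after the first, interactive certificate issuance has populated the preferences file. `certbot renew` is a no-op until the certificate is within its renewal window, so running the script early simply re-exports the current certificate; the printed notAfter line is the check that the keystore the WebListener will load actually holds the renewed certificate.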