Using Letsencrypt with ecoDMS

ecoDMS is a very nice electronic document management server. Sadly, it's written in Java…

It has a built-in webserver which can be configured to use HTTPS. You can even use custom certificates, but for that you need to upload a Java keystore using the client (not via the web interface).

As uploading a keystore through the client cannot be automated from the hooks used by dehydrated (the Let's Encrypt client I'm using), I was searching for a better way.

All the following names for aliases and keystores are based on the filename of my first manual attempt to upload a Java keystore.

Turns out: the keystore is saved in ecoDMS's own PostgreSQL database.

postgres=# \c ecodms
ecodms=# \dt *.*
                          List of relations
       Schema       |            Name             | Type  |  Owner
--------------------+-----------------------------+-------+----------
[...]
 classify01         | userdata                    | table | ecosims
[...]

In classify01.userdata everything is base64-encoded: the id column holds the base64 of "KEY:filename", and the data column holds the base64 of the value, stored as bytea (which is why psql prints it as hex).

In my case I was able to find

 U1NMS0VZU1RPUkU6ZWNvZG1zLmprcw==
 U1NMS0VZQUxJQVM6ZWNvZG1zLmprcw==
 U1NMS0VZUEFTUzplY29kbXMuamtz

which decodes to

SSLKEYSTORE:ecodms.jks
SSLKEYALIAS:ecodms.jks
SSLKEYPASS:ecodms.jks

Even the keystore password is stored this way, base64-encoded inside a bytea shown as hex. Note that this is encoding, not encryption: anyone with read access to that table can recover the password.

ecodms=# select userdata.data from classify01.userdata where userdata.id = 'U1NMS0VZUEFTUzplY29kbXMuamtz';
        data
--------------------
 \x4d54497a4e445532
(1 row)


user@pc /tmp $ echo 4d54497a4e445532 | xxd -r -p | base64 -d
123456
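The encoding scheme above generalizes: the row id is base64("KEY:keystore filename") and the stored value is base64 text inside a bytea column. The following helpers are an added example (not code from the original post or from ecoDMS) that derive the three ids for any keystore filename and convert values in both directions, using only POSIX sh and coreutils, so no xxd is needed. The setting names SSLKEYSTORE, SSLKEYALIAS and SSLKEYPASS and the filename ecodms.jks are the ones found above; nothing else about the schema is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the
# classify01.userdata rows that hold ecoDMS's TLS settings.
#   id   = base64("<KEY>:<keystore filename>")
#   data = base64(value), stored as bytea, printed by psql as \x-prefixed hex

# Base64 without line wrapping (portable replacement for `base64 -w 0`).
b64() { base64 | tr -d '\n'; }

# Row id for one setting, e.g.: userdata_id SSLKEYPASS ecodms.jks
userdata_id() {
  printf '%s:%s' "$1" "$2" | b64
}

# Print the three ids ecoDMS uses for a given keystore filename, one per line.
userdata_ids_for() {
  for key in SSLKEYSTORE SSLKEYALIAS SSLKEYPASS; do
    printf '%s\t%s\n' "$key" "$(userdata_id "$key" "$1")"
  done
}

# Raw bytes on stdin -> hex body of the bytea literal used in an UPDATE
# (base64 first, then hex), e.g.: printf 123456 | to_bytea_hex
to_bytea_hex() {
  b64 | od -An -tx1 -v | tr -d ' \n'
}

# Decode a value as psql prints it (with or without the leading \x):
# hex -> base64 text -> original bytes.
from_bytea_hex() {
  hex=$(printf '%s' "$1" | sed 's/^\\x//')
  while [ -n "$hex" ]; do
    pair=$(printf '%s' "$hex" | cut -c1-2)
    # emit one byte via an octal escape, which POSIX printf understands
    printf "\\$(printf '%03o' "$((0x$pair))")"
    hex=${hex#??}
  done | base64 -d
}

# Usage: list the ids for your keystore filename, then decode a value
# copied from psql, e.g. the password row shown above.
userdata_ids_for ecodms.jks
from_bytea_hex '\x4d54497a4e445532'; echo
```

To read a row back, paste the id printed by userdata_ids_for into the SELECT from above and feed the returned hex to from_bytea_hex; to_bytea_hex produces the same encoding the hook writes.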

Based on this information, I'm now using these lines in my dehydrated hook (in deploy_cert, where dehydrated sets FULLCHAINFILE and KEYFILE) to insert the certificate into ecoDMS.

# Keystore password: must be the one of the keystore uploaded manually, see the notes below.
export pw=123456

# Work in a private directory with restrictive permissions: all.pem contains the private key.
umask 077
work=$(mktemp -d)
cat "${FULLCHAINFILE}" "${KEYFILE}" > "$work/all.pem"
openssl pkcs12 -export -in "$work/all.pem" -out "$work/ecodms.p12" -name ecodms -password env:pw
rm -f "$work/all.pem"

# JKS aliases are case-insensitive, so "ecoDMS" matches the PKCS#12 friendly name "ecodms".
# Passwords are taken from the environment (keytool's :env modifier) instead of the command line,
# where they would be visible in the process list.
keytool -importkeystore -deststorepass:env pw -destkeypass:env pw -destkeystore "$work/ecodms.jks" \
  -srckeystore "$work/ecodms.p12" -srcstoretype PKCS12 -srcstorepass:env pw -alias ecoDMS -noprompt
rm -f "$work/ecodms.p12"

# Same encoding ecoDMS uses for the row: base64 of the keystore, written as a hex bytea literal.
HEX=$(base64 -w 0 "$work/ecodms.jks" | xxd -p | tr -d '\n')
rm -rf "$work"

# The id is base64("SSLKEYSTORE:ecodms.jks"); adjust it to your keystore filename.
echo "UPDATE classify01.userdata SET data = '\x$HEX' WHERE id = 'U1NMS0VZU1RPUkU6ZWNvZG1zLmprcw==';" \
  | su -c "psql -v ON_ERROR_STOP=1 ecodms" postgres

# Restart so the server picks up the new keystore.
/etc/init.d/ecodms stop
/etc/init.d/ecodms start

Please note if you want to use this information:

  • Upload the first keystore manually (via the client) so the rows exist.
  • Use the same password in the hook as for that first keystore, as we're only overwriting the keystore blob, not the stored password.
  • The base64 id depends on your keystore filename.
  • The filename of the temporary keystore doesn't matter; you just need to remember it to find the correct id.
  • Remove the temporary files after each run, as I didn't find an option to overwrite an already existing keystore (keytool asks whether you want to overwrite it).