How to SSL farmerswife using your own certificates

The farmerswife server uses two different sets of certificates: one for the desktop clients and the iOS application, and another for the web and mobile web clients.

Out of the box the farmerswife server uses self-signed certificates only for the communication between the desktop client or iOS application and the server. They are not used for the web / mobile web clients, because a browser will refuse a connection secured by a certificate it does not trust. This article explains how to install your own SSL certificate for the web / mobile web clients as well as for the desktop / iOS clients.

This article is aimed at IT administrators.

You can achieve SSL using three different approaches:

  1. SSLing your actual farmerswife server,
  2. using a second farmerswife server as a proxy (covered in a separate solution article),
  3. using a third-party service as a proxy; this documentation uses NGINX as the third-party service.

By default farmerswife uses five different ports, three of them HTTP(S) and the other two plain TCP connections.

  • Server port: 22000 TCP over TLS by default *
  • File transfer port: 24000 TCP
  • iOS Port: 25000 XML over HTTPS *
  • Web client port: 26000 HTTP
  • Mobile web client: 26000 HTTP
  • WebCal port: 27000 HTTP

The ports marked with * use the built-in self-signed certificate by default.

SSLing your farmerswife server

The files you need in order to apply your SSL certificate to farmerswife are the certificate (certificate.crt) and the private key (certificate.key) issued for your server's domain or subdomain, both in PEM format. If your provider also sent intermediate CA certificates, append them after your own certificate in certificate.crt so that the complete chain ends up in the keystore built below. Keep certificate.key readable only by the account that runs the server. Below you can see how the two files start and end.

certificate.crt :

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

certificate.key :

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

SSLing your web / mobile client

Place a copy of both files in the openssl folder inside your farmerswife server installation:

C:\Program Files (x86)\farmerswife Server\lib\openssl\

Then run the following command to bundle certificate and key into a PKCS#12 file:

Windows: C:\Program Files (x86)\farmerswife Server\lib\openssl>.\openssl.exe pkcs12 -export -name servercert -in certificate.crt -inkey certificate.key -out myp12keystore.p12

Mac and Linux: openssl pkcs12 -export -name servercert -in certificate.crt -inkey certificate.key -out myp12keystore.p12

You will be prompted for an export password for the PKCS#12 file. You need it in the next step and again when configuring the web / mobile web server.

Once done, copy the file myp12keystore.p12 to the bin folder of the Java installation:

C:\Program Files\Java\jre_installedversion\bin\

Then run the following command. The alias must be the same one you passed to openssl as -name (servercert):

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -importkeystore -destkeystore keystore -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -srcalias servercert -destalias servercert

Mac and Linux: keytool -importkeystore -destkeystore keystore -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -srcalias servercert -destalias servercert

keytool asks for a password for the new keystore and for the PKCS#12 password from the previous step. Remember the keystore password, as it is needed when configuring SSL for the web / mobile web client. Note that unless you add -destkeypass, the imported key keeps the PKCS#12 export password as its own password, and that is the value Jetty expects as KeyManagerPassword; using one and the same password in both steps keeps the configuration below simple.

Now take the resulting file named keystore and move it to the following folder:

Windows: C:\Program Files (x86)\farmerswife Server\lib\jetty\etc\

Mac: /path/to/your/farmerswife Server/Contents/lib/jetty/etc/

Linux: /path/to/your/farmerswife Server/lib/jetty/etc/

In that same folder, open the file jetty-ssl.xml and copy the following fragment:

  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
    <Set name="KeyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
      </New>
    </Arg>
  </Call>

NOTE: Please don’t copy from this solution article as it may introduce wrong characters to the file due to encoding.

Once copied, paste it into the file jetty.xml just below the following section:

  <!-- =========================================================== -->
  <!-- Set connectors                                              -->
  <!-- =========================================================== -->

  <Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
          <Set name="host"><SystemProperty name="jetty.host" /></Set>
          <Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>
          <Set name="maxIdleTime">300000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="statsOn">false</Set>
          <Set name="confidentialPort">8443</Set>
          <Set name="lowResourcesConnections">20000</Set>
          <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
    </Arg>
  </Call>

Then replace the three password values with the ones from the keystore step: KeyStorePassword and TrustStorePassword are the keystore password, KeyManagerPassword is the password of the imported key (the same value if you used one password throughout). The OBF: strings in the original fragment are Jetty's reversible obfuscation, produced by Jetty's Password utility, not encryption, so a plaintext value as shown below is no less secure; in either case make sure jetty.xml is readable only by the account running the server. The result looks like this:

  <!-- =========================================================== -->
  <!-- Set connectors                                              -->
  <!-- =========================================================== -->

  <Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
          <Set name="host"><SystemProperty name="jetty.host" /></Set>
          <Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>
          <Set name="maxIdleTime">300000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="statsOn">false</Set>
          <Set name="confidentialPort">8443</Set>
          <Set name="lowResourcesConnections">20000</Set>
          <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
    </Arg>
  </Call>

  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="KeyStorePassword">secret123</Set>
    <Set name="KeyManagerPassword">secret123</Set>
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="TrustStorePassword">secret123</Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
      </New>
    </Arg>
  </Call>

SSLing your desktop / iOS client

Copy your certificate.crt and certificate.key to the following folder:

Windows: C:\Program Files (x86)\farmerswife Server\html_templates\http_session\ssl_certs\

Mac and Linux: /path/to/your/farmerswife Server/html_templates/http_session/ssl_certs/

Rename the existing server.pem and skey.pem to server.pem.old and skey.pem.old, then rename certificate.crt to server.pem and certificate.key to skey.pem. skey.pem is an unencrypted private key, so restrict access to it to the account that runs the server.

Once SSLed you will have the following ports:

  • Server port: 22000 TCP over TLS
  • File transfer port: 24000 TCP
  • iOS Port: 25000 XML over HTTPS
  • Web client port: 26000 HTTP
  • SSLed Web client port: 8443 HTTPS
  • Mobile web client: 26000 HTTP
  • SSLed Mobile web client port: 8443 HTTPS
  • WebCal port: 27000 HTTP

In case you have to provide a CSR to obtain your certificate

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -genkey -keyalg RSA -keysize 2048 -dname "cn=farmerswife.example.com, o=Farmers WIFE S.L., c=ES" -alias farmerswife.example.com -keystore keystore -keypass secret123 -storepass secret123 -validity 1095

Mac and Linux: keytool -genkey -keyalg RSA -keysize 2048 -dname "cn=farmerswife.example.com, o=Farmers WIFE S.L., c=ES" -alias farmerswife.example.com -keystore keystore -keypass secret123 -storepass secret123 -validity 1095

Note: validity is counted in days from “today” up to and including the day the certificate expires. Passing -keypass and -storepass on the command line leaves the passwords in your shell history; you can omit them and keytool will prompt for them instead.

Now create a certificate signing request (CSR) that you will later upload on your provider's website:

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -certreq -alias farmerswife.example.com -file farmerswife.example.com.txt -keypass secret123 -keystore keystore -storepass secret123

Mac and Linux: keytool -certreq -alias farmerswife.example.com -file farmerswife.example.com.txt -keypass secret123 -keystore keystore -storepass secret123

Once the provider has issued the certificate you will receive it as a PEM file; rename it to server.pem. This is the server.pem you will use for the desktop / iOS client. Then import it into the keystore under the alias of your key. If your provider's CA certificate is not already trusted by Java, import it first (see below), otherwise keytool cannot build the chain and rejects the reply:

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -keystore keystore -importcert -alias farmerswife.example.com -file server.pem -trustcacerts -keypass secret123 -storepass secret123

Mac and Linux: keytool -keystore keystore -importcert -alias farmerswife.example.com -file server.pem -trustcacerts -keypass secret123 -storepass secret123

Now extract the private key as skey.pem for the desktop / iOS client. keytool cannot write a bare PEM key, so first export the entry into a PKCS#12 file:

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -v -importkeystore -srckeystore keystore -srcalias farmerswife.example.com -destkeystore skey.p12 -deststoretype PKCS12

Mac and Linux: keytool -v -importkeystore -srckeystore keystore -srcalias farmerswife.example.com -destkeystore skey.p12 -deststoretype PKCS12

Then move the file skey.p12 to the openssl folder and run the following command there. The -nodes option writes the key unencrypted, which is what the server expects, so treat the resulting skey.pem (and skey.p12) as secrets and delete the intermediate files afterwards:

Windows: C:\Program Files (x86)\farmerswife Server\lib\openssl>.\openssl.exe pkcs12 -in skey.p12 -nodes -nocerts -out skey.pem

Mac and Linux: openssl pkcs12 -in skey.p12 -nodes -nocerts -out skey.pem

Finally, rename the existing server.pem and skey.pem to server.pem.old and skey.pem.old, and move your new server.pem and skey.pem into this folder:

Windows: C:\Program Files (x86)\farmerswife Server\html_templates\http_session\ssl_certs\

Mac and Linux: /path/to/your/farmerswife Server/html_templates/http_session/ssl_certs/

Depending on the certificate you receive, you may also need to import your provider's CA certificate (root and/or intermediate) into the keystore. Do this before importing server.pem, and use an alias different from the one of your server key, otherwise keytool treats the CA certificate as a reply for that key. The alias providerca below is only an example:

Windows: C:\Program Files\Java\jre_installedversion\bin>.\keytool.exe -importcert -trustcacerts -keystore keystore -storepass secret123 -alias providerca -file providerCAcert.txt

Mac and Linux: keytool -importcert -trustcacerts -keystore keystore -storepass secret123 -alias providerca -file providerCAcert.txt

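As an added example (not code from the farmerswife article or product), the shell script below collects the steps of the three procedures above into checked functions: the key/certificate match and expiry checks worth running before touching the server, the PKCS#12 and keytool steps for the Jetty keystore, the server.pem/skey.pem installation for the desktop / iOS listener, an openssl-based alternative to the keytool CSR steps, and a check of what a listener actually serves after the restart. It assumes openssl (and, for the Jetty step, keytool) on the PATH; the file names, the servercert alias and the P12_PASS / KEYSTORE_PASS environment variables are placeholders chosen for this example, not farmerswife settings.

```sh
#!/bin/sh
# Added example, not part of the farmerswife article or product. Helper functions
# for the certificate steps described above, for a POSIX shell with openssl (and
# keytool for the Jetty step). File names, alias, ports and the P12_PASS /
# KEYSTORE_PASS variables are placeholders; adapt them to your installation.
set -eu

# A certificate that does not belong to the key is the most common reason the
# Jetty listener or the desktop/iOS listener fails to start TLS. Compare the
# public key inside the certificate with the one derived from the private key.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate in $1 is still valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Alternative to the keytool -genkey / -certreq steps: create key and CSR with
# openssl. The private key is then already a PEM file usable as skey.pem, so the
# keystore -> PKCS12 -> PEM extraction is not needed; the Jetty keystore is built
# from the issued certificate with build_p12 + import_jetty_keystore, exactly as
# for a certificate obtained without a keytool-generated CSR.
make_csr() {
    cn=$1; key_out=$2; csr_out=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key_out" -out "$csr_out" \
        -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$key_out"
}

# The PKCS12 step from the article. The export password comes from the P12_PASS
# environment variable rather than the command line, so it is scriptable without
# ending up in the shell history. With OpenSSL 3 and an old bundled Java, add
# -legacy if keytool refuses to read the file.
build_p12() {
    crt=$1; key=$2; out=$3
    check_pair "$crt" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    openssl pkcs12 -export -name servercert -in "$crt" -inkey "$key" \
        -out "$out" -passout env:P12_PASS
}

# The keytool step from the article, with the alias spelled consistently and
# -destkeypass set so that the key password equals the keystore password; Jetty's
# KeyStorePassword and KeyManagerPassword can then both be KEYSTORE_PASS.
import_jetty_keystore() {
    p12=$1; keystore=$2
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
    keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
        -srcalias servercert -destalias servercert -destkeystore "$keystore" \
        -srcstorepass:env P12_PASS -deststorepass:env KEYSTORE_PASS \
        -destkeypass:env KEYSTORE_PASS -noprompt
}

# Install the PEM pair for the desktop/iOS listener (the ssl_certs folder),
# keeping the previous files as .old like the article does. skey.pem is an
# unencrypted private key: make it readable only by the server's account
# (on Windows, set the folder ACL instead of chmod).
install_desktop_certs() {
    crt=$1; key=$2; dir=$3
    for f in server.pem skey.pem; do
        if [ -f "$dir/$f" ]; then mv "$dir/$f" "$dir/$f.old"; fi
    done
    cp "$crt" "$dir/server.pem"
    cp "$key" "$dir/skey.pem"
    chmod 600 "$dir/skey.pem"
}

# After restarting the server, check what a client actually receives, e.g.
# verify_listener farmerswife.example.com 8443. "Verify return code: 0 (ok)"
# means the chain served from the keystore is complete and trusted by the
# system CA bundle; anything else means a missing intermediate or wrong file.
verify_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | grep -E 'subject=|Verify return code'
}
```

Typical use on the server: export P12_PASS and KEYSTORE_PASS, run check_pair and valid_for_days on the files from your provider, then build_p12, import_jetty_keystore and install_desktop_certs, and finish with verify_listener against ports 8443 and 25000 once the server is back up. On Windows the same openssl commands run with the openssl.exe shipped in lib\openssl.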
Modifying the farmerswife server config to add https to the URLs

To automatically add https to the URLs generated by the farmerswife server, add one parameter to the server through the file server.cfg located in the system folder of your farmerswife server installation:

Windows: C:\Program Files (x86)\farmerswife Server\system\

Mac and Linux: /path/to/your/farmerswife Server/system/

If this file does not exist yet, create it with the following line, using your own host name:

HTTP_HOME https://farmerswife.example.com

You will find more information in the section “Running a separate TEST WIFE Server” in our release notes.

This configuration file is used instead of the server setup dialog because the field “Url To Server” only accepts URL strings beginning with “http://”, for legacy reasons.

Troubleshooting

If something fails during the process, check the following logs. The farmerswife server application logs to:

Windows: C:\Program Files (x86)\farmerswife Server\system\log.txt

Mac and Linux: /path/to/your/farmerswife Server/system/log.txt

The web / mobile web server (Jetty) logs to:

Windows: C:\Program Files (x86)\farmerswife Server\lib\jetty\logs\yyyy_mm_dd.stderrout.log

Mac: /path/to/your/farmerswife Server/Contents/lib/jetty/logs/yyyy_mm_dd.stderrout.log

Linux: /path/to/your/farmerswife Server/lib/jetty/logs/yyyy_mm_dd.stderrout.log

How to upgrade your SSLed farmerswife system

Before upgrading your farmerswife server you will need to make a backup of the following files:

  • jetty.xml
  • keystore
  • server.pem
  • skey.pem

The upgrade installer overwrites those files, so after the upgrade copy the backups back to their original locations.

On Mac you will need to copy those files manually, together with your system folder, into the newly downloaded server application.

SSLing the Proxy WIFE Server

To add SSL to a farmerswife server running in proxy mode, follow the same steps as for a regular farmerswife server.

If you want to know how to set up a farmerswife server in proxy mode and place it in the DMZ of your network, please refer to the following article <link>.

Use a third party proxy service to apply your SSL certificates

You can use third-party software, for example F5, HAProxy or NGINX, to terminate SSL with your own certificate on ports 80 / 443 or on the regular farmerswife server ports. If you prefer to proxy each service on its own subdomain, for example ios.farmerswife.example.com or web.farmerswife.example.com, instead of just proxying the regular ports, you must change the setting for the file transfer port: click on the port field and, in the pop-up, fill in the “Proxy port” field with the proxied port, otherwise the setup will not work. Another advantage of this setup is that you will not need to upgrade the clients manually.

To learn how to use the third-party software NGINX to create a proxy server for the farmerswife system, follow this link: click here
