[jetty-users] Confusion on adding https for Ubuntu distribution's Jetty

I have Ubuntu 18.04 LTS and installed the repository Jetty: 9.4.15-1~18.04.1ubuntu1. I have managed to configure DNS and am able to read off of port 80 using AUTHBIND.

But I am very confused about how to set up https. A lot of the confusion is probably because of difference between the Jetty documentation (which assumes installation via wget) and the way that Ubuntu/Jetty distribution is spread out over many different directories and implemented as a systemd service.

1)
To create the keystore, I am using CertBot (a wrapper for Let's Encrypt), and AFAIK successfully created a PKCS12 file using the instructions at "Loading Keys and Certificates via PKCS12"
(https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html#loading-keys-and-certificates)

The commands were:
$ openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
$ keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Now, I am not clear where to put the "keystore" file that I created.

The documentation, a little ways below refers to the location $JETTY/etc/keystore. With Ubuntu 18.04, we have /etc/jetty9 file folder that holds start.ini, a start.d directory and many .xml files. Should the "keystore" file reside there?

Further down, a reference is made to "Configuring the Jetty SslContextFactory", where a property(?) "setKeyStorePath" is mentioned but no examples are given. Is this a reference to an edit to be made in the XML file jetty-https.xml, or to an edit to be made in https.ini?

There is a warning note: "As a keystore is vital security information, it can be desirable to locate the file in a directory with very restricted access." The directory /etc/jetty9 is NOT particularly well protected.

2)
I have tried to generate an https.ini file but am failing.

Ubuntu repository's Jetty was automatically set up as a systemd service. The $JETTY_HOME is declared to be /usr/share/jetty9, and this directory contains a symlink to start.jar. The systemd configuration file does NOT declare a $JETTY_BASE. There is a reference to the directory /var/lib/jetty9, which holds the /webapps directory. But there is neither a start.ini file nor a start.d directory in this location. (Should there be?)

In order to generate an https.ini, or have it added to start.ini, I have tried:

    /var/lib/jetty9$ java -jar /usr/share/jetty9/start.jar --add-to-start=https

also

    /etc/jetty9$ java -jar /usr/share/jetty9/start.jar --add-to-start=https

But in both cases, I get the error message:

    ERROR : Unknown module='deploy'. List available with --list-modules

I'm guessing this has to do with a reference to the "deploy" module in /etc/jetty9/start.ini (copied below):

start.ini

    #------------------------------------------------------------------------------
    #
    # Jetty Startup Configuration
    #
    # This file contains the default settings for Jetty and configures a basic
    # Servlet container with JSP and WebSocket enabled. Customized settings can
    # be added to .ini files in the /etc/jetty9/start.d directory to avoid
    # conflicts when updating the package.
    #
    #------------------------------------------------------------------------------

    --module=deploy,http,jsp,jstl,websocket,ext,resources

    ##
    ## HTTP Connector Configuration
    ##

    # What host to listen on (leave commented to listen on all interfaces)
    #jetty.host=myhost.com

    # HTTP port to listen on
    # Enable authbind in /etc/default/jetty9 to use a port lower than 1024
    jetty.port=80

    # HTTP idle timeout in milliseconds
    http.timeout=30000


    ##
    ## Server Threading Configuration
    ##

    # minimum number of threads
    threads.min=10

    # maximum number of threads
    threads.max=200

    # thread idle timeout in milliseconds
    threads.timeout=60000
   

The advice in the first comment in this start.ini confuses me. The jetty documentation clearly states one should NOT have both a start.ini and a start.d at the same time.

Some assistance would be much appreciated. I'm wondering if I should just chuck the Ubuntu Jetty and load the current version via wget. At least then, the documentation would be better aligned.

Thanks!
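As an added example (not from the original post, the Jetty project or the Ubuntu package), the three steps the questions above circle around: placing the keystore produced by the openssl/keytool commands in a restricted directory, checking that its permissions really are restricted, and writing a start.d fragment that points Jetty 9.4 at it. The directory /etc/jetty9/private, the jetty group, the placeholder password and the use of GNU stat are assumptions; the property names are those used by the Jetty 9.4 ssl module.

```shell
#!/bin/sh
# Added example: install a Jetty keystore into a restricted directory,
# verify its permissions, and write the start.d fragment that uses it.
# /etc/jetty9/private and the "jetty" group are assumptions, not package defaults.

# Copy SRC into DIR/keystore so only the owner can write it and only the
# owner and (optionally) group GRP can read it. Run as root to chown.
install_keystore() {
    src=$1; dir=$2; grp=$3
    ( umask 077; mkdir -p "$dir"; cp "$src" "$dir/keystore" )
    chmod 750 "$dir"
    chmod 640 "$dir/keystore"
    if [ -n "$grp" ]; then chown "root:$grp" "$dir" "$dir/keystore"; fi
}

# Succeed only if FILE is not group-writable and not accessible by others.
# Uses GNU stat (as on Ubuntu); %a prints the mode in octal, e.g. 640.
check_keystore_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    others=$((mode % 10))
    group=$((mode / 10 % 10))
    [ "$others" -eq 0 ] && [ $((group & 2)) -eq 0 ]
}

# Write STARTD/ssl.ini enabling the ssl and https modules for KEYSTORE.
# Property names follow the Jetty 9.4 ssl module; CHANGE_ME is a placeholder
# (Jetty's password tool can produce an obfuscated value for the real one).
# Port 443 needs the same authbind setup the post already uses for port 80.
write_ssl_ini() {
    startd=$1; keystore=$2
    mkdir -p "$startd"
    cat > "$startd/ssl.ini" <<EOF
--module=ssl
--module=https
jetty.ssl.port=443
jetty.sslContext.keyStorePath=$keystore
jetty.sslContext.keyStorePassword=CHANGE_ME
EOF
}
```

On a real host the call would be `install_keystore ./keystore /etc/jetty9/private jetty` followed by `write_ssl_ini /etc/jetty9/start.d /etc/jetty9/private/keystore`, then a restart of the jetty9 service.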
