LetsEncrypt

Let's Encrypt offers free HTTPS certificates, with the limitation that you need to set them up to renew automatically roughly every 3 months. Below are some example scripts, the last of which should be called from cron.

Settings

# Shared settings, sourced by the Initialize, Convert and Renew scripts.
# This file holds the keystore password, so keep it readable by root only.
DOMAIN="noodle.example.com"   # hostname the certificate is issued for
EMAIL="me@example.com"        # contact address for the Let's Encrypt account
PASS="example"                # password of the PKCS#12 and JKS keystores (Noodle must use the same one)
DIR="/opt/Noodle/ACME"        # webroot certbot uses for ACME challenge files
JKS="/opt/Noodle/noodle.jks"  # Java keystore produced by convert.sh

Initialize

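#!/usr/bin/env bash
# One-time setup: install certbot, register the ACME account, obtain the first
# certificate for $DOMAIN and build the keystore. Run as root.
# Stops at the first failing step, so the keystore is only built once issuance
# actually succeeded (the original carried on regardless).
set -euo pipefail
. /opt/Noodle/settings.sh

apt install -y certbot
# The package's own renewal unit is switched off; renewals are driven by the
# Renew script from cron instead.
systemctl disable certbot
# -p: do not fail when the webroot already exists.
mkdir -p -- "$DIR"
certbot register --agree-tos --no-eff-email -m "$EMAIL"
# Webroot validation: certbot writes challenge files below
# $DIR/.well-known/acme-challenge/, which Noodle has to serve over plain HTTP
# under http://$DOMAIN/.well-known/acme-challenge/ — confirm Noodle is set up
# to do that, otherwise issuance fails.
certbot certonly --webroot \
	--webroot-path "$DIR" \
	--cert-name "$DOMAIN" \
	-d "$DOMAIN"
/opt/Noodle/convert.sh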

Convert

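#!/usr/bin/env bash
# Build the JKS keystore Noodle reads ($JKS) from the Let's Encrypt PEM files
# for $DOMAIN. Run once by the Initialize script and on every renewal as the
# certbot --deploy-hook. Needs openssl and keytool (JDK) on PATH.
set -euo pipefail
. /opt/Noodle/settings.sh

live=/etc/letsencrypt/live/"$DOMAIN"
p12=$(mktemp)
# Assemble the new keystore next to the target and move it into place only at
# the very end, so a failure half-way leaves the existing $JKS intact instead
# of Noodle being left with no keystore at all.
new_jks="$JKS.new"
cleanup() { rm -f -- "$p12" "$new_jks"; }
trap cleanup EXIT
rm -f -- "$new_jks"

# Passwords are handed to openssl/keytool through the environment rather than
# on the command line, so they do not show up in the process list.
export PASS

openssl pkcs12 -export \
	-in "$live"/cert.pem \
	-inkey "$live"/privkey.pem \
	-certfile "$live"/fullchain.pem \
	-name "$DOMAIN" \
	-out "$p12" \
	-password env:PASS
# Obtain an empty JKS with the right store password the same way the original
# script did: generate a throw-away entry and delete it again.
keytool -genkeypair \
	-alias temp \
	-storetype JKS \
	-keystore "$new_jks" \
	-storepass:env PASS \
	-keypass:env PASS \
	-dname "CN=temp, OU=temp, O=temp, L=temp, S=temp, C=CA"
keytool -delete \
	-alias temp \
	-keystore "$new_jks" \
	-storepass:env PASS
keytool -importkeystore \
	-srckeystore "$p12" \
	-srcstoretype pkcs12 \
	-destkeystore "$new_jks" \
	-deststoretype JKS \
	-srcstorepass:env PASS \
	-deststorepass:env PASS
# Swap the finished keystore into place. It contains the private key and its
# mode comes from the umask — check it is not world-readable.
mv -f -- "$new_jks" "$JKS"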

Renew

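#!/usr/bin/env bash
# Renewal job, meant to be run from cron (for example daily; certbot only
# renews once the certificate is close to expiry and is a no-op otherwise).
# When a renewal happens the deploy hook rebuilds the keystore; Noodle still
# has to be restarted afterwards to pick it up.
# NOTE: cron runs with a minimal PATH — make sure the hook can find openssl
# and keytool, or the renewed certificate never reaches the keystore.
set -euo pipefail
. /opt/Noodle/settings.sh

certbot renew --webroot \
	--webroot-path "$DIR" \
	--cert-name "$DOMAIN" \
	--deploy-hook /opt/Noodle/convert.sh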

Currently Noodle must be restarted to reload the keystore.