Category Archives: Linux

My Play Framework logrotate configuration

Here is another script I need to keep handy for the future. My logrotate script for Play Framework applications. The important thing here is the parameter “copytruncate”. I tried many times without it and the result was always the same: after the logrotate was done no more logging was made by the application. “copytruncate” solved this

/opt/myapp/logs/*.log {
  missingok
  notifempty
  size 50M
  copytruncate
  create 0644 root root
  rotate 9999
}

How to run logrotate manually:

logrotate --force /etc/logrotate.d/myapp

Tested on Ubuntu 14.04 and Play Framework 2.3

My Play Framework Upstart script

Recently I had to create a upstart script for a Play application and this was the result of that. I put it here so I don’t have to start from scratch next time 🙂

########################################################################################################
#
#                                       Upstart Script
#
# Upstart script for a play application. Put this into a file like /etc/init/myapp.conf
#
# This could be the foundation for pushing play apps to the server using something like git-deploy
# By calling service play stop in the restart command and play-start in the restart command.
#
# Usage:
#   sudo start myapp
#   sudo stop myapp
#   sudo restart myapp
#   sudo status myapp
#
#########################################################################################################
 
description "Upstart script for MyApp"
author "Niklas Ottosson"
version "1.0"
 
# Set environment variables
env HOME=/my/app/dir/
env LANG=en_US.UTF-8
 
# Start and stop runlevels
start on runlevel [2345]
stop on runlevel [06]
 
# Respawn parameters with limit: dies 3 times within 60 seconds
respawn
respawn limit 3 60
 
# Change directory to current version of Tankmin
chdir /my/app/dir/
 
# Delete any stray PIDs
pre-start script
  rm -f ${HOME}/RUNNING_PID
end script
 
# Upstart logging (/var/log/upstart/myapp.log)
console none
 
# TEST ENVIRONMENT (arguments here are what I'm using for this particular app - you should use what works best for your app)
exec bin/myapp -J-Xms256M -J-Xmx768m -J-server -Dhttp.port=80 -Dconfig.file=conf/application.conf -Dlogger.file=conf/application-logger_PROD.xml

Tested in a production environment on Ubuntu 14.04 and Play Framework 2.3

SSL Certificates: From CSR to a JKS storage

I have started doing this quite a lot these days so I’d better put a post up here to get rid of all the Google searching 🙂 It’s not that complicated but I know I will forget if I don’t do it for a while.

Let’s start with creating the CSR
First we create a key

openssl genrsa -out domain.com.key 2048

This will create a private key called domain.com.key and with a key size of 2048 bits

Now it’s time to create the CSR

openssl req -new -sha256 -key domain.com.key -out domain.com.csr

When creating a CSR you need to input some details about the site/organisation that are going to use the certificate, eg.:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:my.domain.name
Email Address []:admin@domain.name

Out of these questions there is one that is CRUCIAL and that is the Common Name. For an SSL certificate this HAS to be the domain name with or without a subdomain that the certificate is going to be valid for, so if the URL that is called my.domain.com the Common Name should be “my.domain.com” and if it is called domain.com the Common Name should be “domain.com”

After these questions have been answered the openssl program creates a CSR file called domain.com.csr that we can send to our certificate supplier (DigiCert/Go-Daddy/Amazon and many others). The supplier will then get back to us with a certificate, root certificate and maybe some intermediate certificates

When we have received the certificates from our supplier it is time to start assembling the signed key .p12 file. For this we use the domain.crt (supplier) and domain.com.key_nopasswd (same key we created in the beginning) files.

First we remove any password from the key file (depending on application this might not always be necessary)

openssl rsa -in domain.com.key -out domain.com.key_nopasswd

You will be prompted for the password of your .key file

Once the key file is without a password we can create the .p12 file

openssl pkcs12 -export -name somename -in domain.crt -inkey domain.com.key_nopasswd -out keystore.p12

Now we have the .p12 file. Time to put it into the jks container

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias somealias

Lastly we need the CA and any intermediate certificates (one command run per certificate file)

keytool -import -keystore mykeystore.jks -file someca.crt -alias someotheralias

The jks is now ready for use!

Tested on Ubuntu 16.04 (AWS) and Play Framework 2.3