Remove ACME / TLS certification related code

Have decided to just handle TLS / HTTPS configuration external to this server.

Fix #289

Author: BryceStevenWilley

Dockerfile

@@ -2,7 +2,7 @@ FROM maven:3.8-eclipse-temurin-21 AS build
 ARG CI_COMMIT_SHA
 LABEL git-commit=$CI_COMMIT_SHA
 # The `[]` is an optional COPY: doesn't copy if those files aren't there (https://stackoverflow.com/a/46801962/11416267)
-# They are needed for Tyler API usage, and serving the REST API as HTTPS
+# They are needed for Tyler API usage
 COPY pom.xml /app/
 COPY TylerEcf4 /app/TylerEcf4/
 COPY TylerEcf5 /app/TylerEcf5/
@@ -13,7 +13,7 @@ RUN mvn -f /app/pom.xml -DskipTests clean dependency:resolve dependency:go-offli
 
 COPY proxyserver /app/proxyserver
 RUN mvn -f /app/pom.xml -DskipTests package -PnoDockerTests -Dbuild.revision=$CI_COMMIT_SHA && cp /app/proxyserver/target/efspserver-with-deps.jar /app/
-COPY LICENSE client_sign.propertie[s] quartz.properties Suffolk.pf[x] acme_user.ke[y] acme_domain.ke[y] acme_domain-chain.cr[t] extract-tls-secrets-4.0.0.ja[r] jacocoagent.ja[r] /app/
+COPY LICENSE client_sign.propertie[s] quartz.properties Suffolk.pf[x] extract-tls-secrets-4.0.0.ja[r] jacocoagent.ja[r] /app/
 COPY docker_run_dev.sh /app/
 
 EXPOSE 9000
@@ -25,8 +25,8 @@ LABEL git-commit=$CI_COMMIT_SHA
 COPY --from=build  /app/proxyserver/target/efspserver-with-deps.jar /app/
 COPY --from=build  /app/proxyserver/src/main/config /app/src/main/config/
 # The `[]` is an optional COPY: doesn't copy if those files aren't there (https://stackoverflow.com/a/46801962/11416267)
-# They are needed for Tyler API usage, and serving the REST API as HTTPS
-COPY LICENSE client_sign.propertie[s] quartz.properties Suffolk.pf[x] acme_user.ke[y] acme_domain.ke[y] acme_domain-chain.cr[t] /app/
+# They are needed for Tyler API usage
+COPY LICENSE client_sign.propertie[s] quartz.properties Suffolk.pf[x] /app/
 COPY docker_run_script.sh fly_startup_script.sh /app/
 
 EXPOSE 9000

dev-compose.yml

@@ -11,16 +11,11 @@ services:
     ports: !override
       - target: 9009
         published: 9100
-      - target: 9000
-        published: 9101
     extra_hosts:
       - "host.docker.internal:host-gateway"
     depends_on:
       - "db"
     volumes:
-      - type: bind
-        source: ./proxyserver/src/main/config
-        target: /tmp/tls_certs
       # Gets exact SOAP envelopes sent when running locally with wireshark
       - type: bind
         source: .

docker-compose.yml

@@ -9,15 +9,9 @@ services:
     ports:
       - target: 9009
         published: 80
-      - target: 9000
-        published: 443
     env_file: .env
     depends_on:
       - "db"
-    volumes:
-      - type: bind
-        source: ./proxyserver/src/main/config
-        target: /tmp/tls_certs
     deploy:
       resources:
         limits:
@@ -28,7 +22,7 @@ services:
     env_file: .env
     volumes:
       - data-volume:/var/lib/postgresql/data
-      - ./postgres-config:/etc/postgresql
+      - ./config/postgres-config:/etc/postgresql
 
 volumes:
   data-volume:

docs/README.md

@@ -70,28 +70,8 @@ docker compose -f dev-compose.yml down
 
 ### Docassemble
 
-If you are running the docker container on the same machine as docassemble, you will likely need to add the following changes to your EfileProxyServer repo:
-
-```diff
-diff --git a/docker-compose.yml b/docker-compose.yml
-index 1617ba05..776776b6 100644
---- a/docker-compose.yml
-+++ b/docker-compose.yml
-@@ -6,9 +6,9 @@ services:
-     # Necessary b/c docassemble is external to the docker network
-     ports:
-       - target: 9009
--        published: 80
-+        published: 9000
-       - target: 9000
--        published: 443
-+        published: 9001
-     env_file: .env
-     depends_on:
-       - "db"
-```
-
-This allows both docassemble and the proxy server to run on the same machine (by default both use the default HTTP and HTTPS ports, 80 and 443).
+If you are running the docker container on the same machine as docassemble, use the `-f dev-compose.yml` command
+above to allow this server and docassemble to use different HTTP ports.
 
 To communicate with the Efile Proxy Server from docassemble using the [EFSPIntegration package](https://github.com/SuffolkLITLab/docassemble-EFSPIntegration), you will need to add some config values in docassemble's config:
 

docs/https.md

@@ -5,76 +5,6 @@ can read the sensitive information passed to the proxy server in plaintext.
 
 For a simple explainer, see [Julia Evan's Twitter comic about it](https://twitter.com/b0rk/status/809594614147645440/photo/1).
 
-## Getting a Certificate
-
-The first of two steps to using HTTPS is actually getting a signed TLS certificate from a certificate signer.
-
-### Using Let's Encrypt and ACME
-
-We've integrated [Let's Encrypt](https://letsencrypt.org/) support into our server with the [ACME protocol](https://letsencrypt.org/how-it-works/), using [acme4j](https://github.com/shred/acme4j).
-
-We are still working to improve the steps, but current the process is:
-
-1. In your `.env` file, set `USE_LETSENCRYPT=True`, and `CERT_PASSWORD` to a securely generated password, at least 16 characters.
-   Something like `openssl rand -base64 12` will generate 16 characters securely.
-   * You can also set a `MONITORING_EMAIL` which will be used for email renewal reminders from Lets Encrypt.
-2. Start up the docker containers (see [setup.md](setup.md)).
-3. Start a shell inside the running container: `docker exec -it efileproxyserver-efspjava-1 /bin/sh`
-4. Change directories to the app: `cd /app`.
-5. Run the ACME renewal process: `java -cp efspserver-with-deps.jar edu.suffolk.litlab.efsp.server.services.acme.AcmeRenewal renew`.
-   If the renewal process succeeded, `acme-domain-chain.crt` and `tls_server_cert.jks`
-   should both be present in `/tmp/tls_certs` inside the container and in `src/main/config` outside the container.
-6. Exit the shell you started, and rebuild and restart the java docker container.
-
-The newly started container should be able to serve HTTPS correctly!
-
-### (Not preferred) From a Certificate Authority
-
-This was the original way we did things, but Let's Encrypt is currently simpler and more secure than
-sending around important certificates files. If Let's Encrypt doesn't work for your organization,
-you can follow the below steps that we took when we set up HTTPS using a purchased signed certificate.
-
-You can purchase TLS Certificates from providers directly, (for example, [from namecheap](https://www.namecheap.com/security/ssl-certificates/)). You should receive the following files:
-* a bundle of certificate authorities who make up the chain of CAs who signed your certificate. In our case, this had a `*.ca-bundle` extension.
-* The signed certificate for your website. In our case, this had a `*.crt` extension.
-* The private key for your website, sometimes called the domain key. In our case, this had a `*.key` extension.
-
-Once you have those three things, you need to turn convert them into the Java Key Store (JKS) format, which the server can read. You can follow the below steps in a shell with `openssl` and `keytool` installed:
-
-```bash
-# Add the full list of CA signers to the cert. Going to the root signer means it's more likely
-# for the server to be trusted. Not always necessary, but was in our case.
-cat my_domain.ca-bundle my_domain.crt > my_domain.crt
-openssl pkcs12 -export -in my_domain.crt -inkey my_domain.key -out my_domain.p12
-keytool -importkeystore -srckeystore my_domain.p12 -srcstoretype PKCS12 -destkeystore my_domain.jks -deststoretype JKS
-```
-
-Refer to the sources below if you need more details:
-* ["Java TLS with Keystores" cheat-sheet](https://stackoverflow.com/a/41469242/11416267)
-* [Install a Tomcat cert](https://www.tbs-certificates.co.uk/FAQ/en/ajouter-certificat-intermediaire-keystore-java.html)
-* [How to convert \*.crt and \*.key to \*.jks](https://community.datarobot.com/t5/data-prep/how-to-convert-crt-and-key-to-jks-file/td-p/6342)
-
-
-## Developer Notes: Using the cert in the CXF Server
-
-Once you have the cert, you need to set up the CXF server properly to use it. To do so,
-[ServerConfig.xml](https://github.com/SuffolkLITLab/EfileProxyServer/blob/4a25a9f30d7d74d9e0828d142f6b908e1a3532ec/src/main/config/ServerConfig.xml#L33)
-needs to point to the `*.jks` file.
-
-See the following files and their code comments for the current setup.
-
-* [EfspServer.java](https://github.com/SuffolkLITLab/EfileProxyServer/blob/main/src/main/java/edu/suffolk/litlab/efsp/server/EfspServer.java)
-* [ServerConfig.xml](https://github.com/SuffolkLITLab/EfileProxyServer/blob/main/src/main/config/ServerConfig.xml)
-  * The ServerConfig.xml shouldn't use the `clientAuthentication` elem, as it expects our connecting clients to also have a TLS cert, which isn't how HTTPS traffic usually works.
-* [HttpsCallbackHandler.java](https://github.com/SuffolkLITLab/EfileProxyServer/blob/main/src/main/java/edu/suffolk/litlab/efsp/server/utils/HttpsCallbackHandler.java)
-* [ServiceHelpers.java](https://github.com/SuffolkLITLab/EfileProxyServer/blob/main/src/main/java/edu/suffolk/litlab/efsp/server/utils/ServiceHelpers.java#L74)
-  * The external address (i.e `ServerFactoryBean.setAddress`) needs to be `https://`, not `http://`. We use `CERT_PASSWORD` to determine if someone is trying to run with TLS, and if no `CERT_PASSWORD` is present, we use `http://`.
-
-
-The following CXF documentation pages have more information, but are kinda sparse:
-
-* [https://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAXRSServices-Configuringendpoints]
-* [https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration]
-* [https://cxf.apache.org/docs/standalone-http-transport.html]
-* [http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/]
-
+We previously had [custom code to retrieve certs](https://github.com/SuffolkLITLab/EfileProxyServer/blob/b287ed3fe42e71458b8a594d0287d542b6f6035e/docs/https.md#getting-a-certificate), but now use our hosting provider, fly, to [generate certs for us](https://fly.io/docs/flyctl/certs/). We recommend something similar for folks looking to run
+their own version of this server. If your hosting provider doesn't provide certs, you can
+look into using [nginx and letsencrypt together](esc.sh/blog/lets-encrypt-and-nginx-definitive-guide/) as a reverse proxy for this server.

env.example

@@ -1,10 +1,6 @@
 # An example .env file, which is used by the docker compose container.
 # Copy this file, rename it to `.env`, and edit your copy to use it.
 
-# Password for the HTTPS certificate. NOT the same as Tyler's X509_PASSWORD
-CERT_PASSWORD=
-# If true, will try to use lets encrypt to get a certificate
-USE_LETSENCRYPT=True
 # The URL that the external clients see when talking to the proxy server
 EXTERNAL_DOMAIN=efile.example.com
 TZ=America/New_York

proxyserver/pom.xml

@@ -23,7 +23,6 @@
         <slf4j.version>2.0.7</slf4j.version>
         <jackson.version>2.14.2</jackson.version>
         <bouncycastle.version>1.81</bouncycastle.version>
-        <acme4j.version>2.16</acme4j.version>
         <testcontainers.version>1.18.0</testcontainers.version>
         <jacoco.skip>false</jacoco.skip>
         <skipTestsOnBuild>true</skipTestsOnBuild>
@@ -215,16 +214,6 @@
             <artifactId>postgresql</artifactId>
             <version>42.5.4</version>
         </dependency>
-        <dependency>
-            <groupId>org.shredzone.acme4j</groupId>
-            <artifactId>acme4j-client</artifactId>
-            <version>${acme4j.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.shredzone.acme4j</groupId>
-            <artifactId>acme4j-utils</artifactId>
-            <version>${acme4j.version}</version>
-        </dependency>
         <dependency>
             <groupId>com.hubspot</groupId>
             <artifactId>algebra</artifactId>

proxyserver/src/main/config/ServerConfig.xml

@@ -11,7 +11,6 @@
 import edu.suffolk.litlab.efsp.docassemble.DocassembleToFilingInformationConverter;
 import edu.suffolk.litlab.efsp.ecfcodes.tyler.CodeDatabase;
 import edu.suffolk.litlab.efsp.server.auth.SecurityHub;
-import edu.suffolk.litlab.efsp.server.services.AcmeChallengeService;
 import edu.suffolk.litlab.efsp.server.services.ApiUserSettingsService;
 import edu.suffolk.litlab.efsp.server.services.AuthenticationService;
 import edu.suffolk.litlab.efsp.server.services.JurisdictionServiceHandle;
@@ -22,7 +21,6 @@
 import edu.suffolk.litlab.efsp.server.setup.EfmRestCallbackInterface;
 import edu.suffolk.litlab.efsp.server.setup.jeffnet.JeffNetModuleSetup;
 import edu.suffolk.litlab.efsp.server.setup.tyler.TylerModuleSetup;
-import edu.suffolk.litlab.efsp.server.utils.HttpsCallbackHandler;
 import edu.suffolk.litlab.efsp.server.utils.JsonExceptionMapper;
 import edu.suffolk.litlab.efsp.server.utils.ObservabilityHeadersInterceptor;
 import edu.suffolk.litlab.efsp.server.utils.ObservabilityResetInterceptor;
@@ -32,7 +30,6 @@
 import edu.suffolk.litlab.efsp.server.utils.SoapExceptionMapper;
 import edu.suffolk.litlab.efsp.utils.InterviewToFilingInformationConverter;
 import jakarta.ws.rs.core.MediaType;
-import java.io.File;
 import java.security.NoSuchAlgorithmException;
 import java.sql.Connection;
 import java.sql.SQLException;
@@ -42,11 +39,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.function.Supplier;
-import javax.annotation.Nullable;
 import javax.sql.DataSource;
-import org.apache.cxf.Bus;
-import org.apache.cxf.BusFactory;
-import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.endpoint.Server;
 import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
 import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
@@ -59,43 +52,15 @@ public class EfspServer {
   private static Logger log = LoggerFactory.getLogger(EfspServer.class);
 
   private JAXRSServerFactoryBean sf;
-  private JAXRSServerFactoryBean acmeSf;
   private Server server;
-  private Server acmeServer;
-
-  private static final File CERT_KEY_STORE = new File("src/main/config/tls_server_cert.jks");
-
-  // BusFactory.setDefaultBus needs to happen before other CXF code, so use a static block
-  static {
-    // Creating the Bus will immediately unlock the JKS file in `ServerConfig.xml`, so we set
-    // CallbackHandler's CertPassword before we create the factory.
-    Optional<String> certPassword = GetEnv("CERT_PASSWORD");
-    if (certPassword.isPresent() && CERT_KEY_STORE.isFile()) {
-      HttpsCallbackHandler.setCertPassword(certPassword.get());
-      SpringBusFactory factory = new SpringBusFactory();
-      Bus bus = factory.createBus("src/main/config/ServerConfig.xml");
-      // bus.setProperty(HttpServerEngineSupport.ENABLE_HTTP2, true);
-      BusFactory.setDefaultBus(bus);
-    } else {
-      if (certPassword.isEmpty()) {
-        log.warn("Didn't enter a CERT_PASSWORD. Falling back to HTTP. Did you pass an .env file?");
-      }
-      if (!CERT_KEY_STORE.isFile()) {
-        log.warn(
-            CERT_KEY_STORE.getAbsolutePath()
-                + " doesn't exist, needed to run HTTPS. Falling back to HTTP.");
-      }
-    }
-  }
 
   protected EfspServer(
       DataSource codeDs,
       DataSource userDs,
       OrgMessageSender sender,
       List<EfmModuleSetup> modules,
       SecurityHub security,
-      Map<String, InterviewToFilingInformationConverter> converterMap,
-      @Nullable AcmeChallengeService challengeService)
+      Map<String, InterviewToFilingInformationConverter> converterMap)
       throws SQLException, NoSuchAlgorithmException {
 
     var jurisdictionMap = new HashMap<String, JurisdictionServiceHandle>();
@@ -127,15 +92,6 @@ protected EfspServer(
     services.put(
         JurisdictionSwitch.class,
         new SingletonResourceProvider(new JurisdictionSwitch(jurisdictionMap)));
-    if (challengeService != null && !ServiceHelpers.BASE_ACME_URL.isBlank()) {
-      services.put(AcmeChallengeService.class, new SingletonResourceProvider(challengeService));
-      acmeSf = new JAXRSServerFactoryBean();
-      acmeSf.setResourceClasses(AcmeChallengeService.class);
-      acmeSf.setResourceProvider(
-          AcmeChallengeService.class, new SingletonResourceProvider(challengeService));
-      acmeSf.setAddress(ServiceHelpers.BASE_ACME_URL);
-      acmeServer = acmeSf.create();
-    }
 
     sf = new JAXRSServerFactoryBean();
     sf.setResourceClasses(new ArrayList<Class<?>>(services.keySet()));
@@ -157,10 +113,6 @@ protected void stopServers() {
       server.stop();
       server.destroy();
     }
-    if (acmeServer != null) {
-      acmeServer.stop();
-      acmeServer.destroy();
-    }
   }
 
   /**
@@ -286,15 +238,7 @@ public static void main(String[] args) throws Exception {
     log.info("Starting Server with the following Filers: {}", modules);
 
     SecurityHub security = new SecurityHub(userDs, tylerEnv, jurisdictions);
-    AcmeChallengeService challengeService = null;
-    boolean useLetsEncrypt =
-        GetEnv("USE_LETSENCRYPT").map(str -> Boolean.parseBoolean(str)).orElse(false);
-    if (useLetsEncrypt) {
-      log.info("Using lets encrypt!");
-      challengeService = new AcmeChallengeService();
-    }
-    EfspServer server =
-        new EfspServer(codeDs, userDs, sender, modules, security, converterMap, challengeService);
+    EfspServer server = new EfspServer(codeDs, userDs, sender, modules, security, converterMap);
 
     Runtime.getRuntime()
         .addShutdownHook(