Problem
Oracle EM Express, provided by Oracle XML DB (with the enhancements introduced in Oracle Database 12c), secures HTTPS connections with a self-signed certificate stored in ${ORACLE_BASE}/admin/${ORACLE_SID}/xdb_wallet.
If the certificate in that wallet does not exist or is not valid, it is generated by exec dbms_xdb_admin.installdefaultwallet; with a randomly generated wallet password.
Fix
A User-defined Let’s Encrypt Certificate
Currently, any user-defined certificate/wallet is replaced by a newly generated default wallet, due to bug 21959488.
#!/bin/sh
# Replace the EM Express self-signed certificate with a Let's Encrypt certificate.
set -e
LEDIR="/etc/letsencrypt/live/${HOSTNAME:-$(hostname -f)}" # Let's Encrypt live directory for this host (HOSTNAME is not set by every /bin/sh)
NAME="${ORACLE_SID}" # the unique database name
EWALLETDIR="${ORACLE_BASE}/admin/${NAME}/xdb_wallet" # XDB wallet is stored here
EWALLET=ewallet.p12 # file name orapki expects inside the wallet directory
PASS=1a2b3c4d # wallet password; replace with your own
ROOTFILE=root.pem
INTERMEDIATEFILE=intermediate.pem
ORAPKI="${ORACLE_HOME}/bin/orapki"
mkdir -p "${EWALLETDIR}"
# create a PKCS12 wallet with the user certificate and private key; it must be written into
# the wallet directory, otherwise the orapki commands below operate on a different wallet
openssl pkcs12 -export -in "${LEDIR}/cert.pem" -inkey "${LEDIR}/privkey.pem" -out "${EWALLETDIR}/${EWALLET}" -name "${NAME}" -password "pass:${PASS}"
# add the trusted self-signed root certificate into the wallet
wget -O "${ROOTFILE}" "https://letsencrypt.org/certs/isrgrootx1.pem.txt"
${ORAPKI} wallet add -wallet "${EWALLETDIR}" -pwd "${PASS}" -cert "${ROOTFILE}" -trusted_cert
# add the trusted intermediate certificate into the wallet
wget -O "${INTERMEDIATEFILE}" "https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt"
${ORAPKI} wallet add -wallet "${EWALLETDIR}" -pwd "${PASS}" -cert "${INTERMEDIATEFILE}" -trusted_cert
# enable auto-login for the wallet (creates cwallet.sso next to ewallet.p12)
${ORAPKI} wallet create -wallet "${EWALLETDIR}" -pwd "${PASS}" -auto_login
# display the wallet
${ORAPKI} wallet display -wallet "${EWALLETDIR}" -pwd "${PASS}" -complete
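As an added check that is not part of the original post and not Oracle's code, the following Python script compares the leaf certificate EM Express actually serves with the cert.pem under /etc/letsencrypt/live, validates the served chain against the system trust store, and reports how many days remain before expiry. It is worth running after the script above and periodically afterwards: because of bug 21959488, the database may silently regenerate the default wallet, and the first visible symptom is a served fingerprint that no longer matches the installed certificate. It assumes EM Express listens on HTTPS port 5500 (adjust to your configuration); the host and path are command-line arguments, and the two PEM constants are constructed samples with valid PEM framing but no real DER content, included only so the helpers can be exercised offline.

```python
#!/usr/bin/env python3
"""Check that EM Express serves the Let's Encrypt certificate installed in the XDB wallet.

Added example, not code from the original post or from Oracle. Assumptions: EM Express
listens on HTTPS port 5500; cert.pem is the leaf certificate under /etc/letsencrypt/live.
"""
import hashlib
import socket
import ssl
import sys
import time

# Constructed sample "certificates" (valid PEM framing, not real DER) so the helpers
# can be exercised offline; a real run reads cert.pem from the Let's Encrypt live dir.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIERFUg==\n"
    "-----END CERTIFICATE-----\n"
)
OTHER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "ZGlmZmVyZW50IGNvbnN0cnVjdGVkIHNhbXBsZQ==\n"
    "-----END CERTIFICATE-----\n"
)


def fingerprint_of_pem(pem):
    """SHA-256 fingerprint of a PEM certificate, formatted like
    `openssl x509 -noout -fingerprint -sha256` (AA:BB:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_match(local_pem, served_pem):
    """True when the served leaf certificate is byte-for-byte the one we installed."""
    return fingerprint_of_pem(local_pem) == fingerprint_of_pem(served_pem)


def days_until_expiry(not_after, now=None):
    """Days left before `not_after` (getpeercert() format, e.g. 'Jan 31 00:00:00 2025 GMT').
    Negative when the certificate has already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def served_certificate(host, port=5500):
    """Fetch the leaf certificate EM Express presents, without validating it,
    so the default self-signed wallet is visible too."""
    return ssl.get_server_certificate((host, port))


def trusted_not_after(host, port=5500):
    """Validate the served chain against the system trust store and return the
    leaf's notAfter string, or None if validation fails (self-signed default
    wallet, missing intermediate, expired certificate, hostname mismatch)."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLError:
        return None


def check_em_express(host, local_cert_path, port=5500):
    """Run all checks and return a dict suitable for a monitoring job."""
    with open(local_cert_path) as fh:
        local_pem = fh.read()
    served_pem = served_certificate(host, port)
    not_after = trusted_not_after(host, port)
    return {
        "served_fingerprint": fingerprint_of_pem(served_pem),
        "matches_wallet_input": certificates_match(local_pem, served_pem),
        "chain_trusted": not_after is not None,
        "days_until_expiry": days_until_expiry(not_after) if not_after else None,
    }


if __name__ == "__main__":
    # usage: check_em_cert.py <host> [/etc/letsencrypt/live/<host>/cert.pem] [port]
    host = sys.argv[1]
    cert_path = sys.argv[2] if len(sys.argv) > 2 else f"/etc/letsencrypt/live/{host}/cert.pem"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 5500
    result = check_em_express(host, cert_path, port)
    for key, value in result.items():
        print(f"{key}: {value}")
    # non-zero exit if the wallet was replaced (bug 21959488) or the chain does not validate
    sys.exit(0 if result["matches_wallet_input"] and result["chain_trusted"] else 1)
```

The leaf is fetched twice on purpose: served_certificate() deliberately skips validation so the script can still report the fingerprint of a regenerated self-signed wallet, while trusted_not_after() uses the default context (hostname check and system CA bundle) so that a missing intermediate in the wallet shows up as chain_trusted being false even when the fingerprint matches. The non-zero exit makes the script usable from cron alongside the certbot renewal hook that re-runs the wallet script.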
Disable HSTS in the Web Browser
Delete the EM Express domain name from the browser's HTTP Strict Transport Security settings.