Setting up ssl certificate on Wildfly 19 using letencrypt certificate

Question

I am trying to implement the SSL certificate on the wildfly 19.0.0-Final, running on CentOS centos-release-7-7.1908.0.el7.centos.x86_64 with Java openjdk version "1.8.0_242" OpenJDK Runtime Environment (build 1.8.0_242-b08) OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

I have performed the following steps to map say https://www.example.com domain to my wildfly content payslip

I have my keystore at the following location: /opt/wildfly-19.0.0.Final/standalone/configuration/www.example.com.jks

Adding certificate to server. http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly

Login to management console at sh /opt/wildfly-19.0.0.Final/bin/jboss-cli.sh Connect

Then run the following script

batch
# Configure Server Keystore
/subsystem=elytron/key-store=demoKeyStore:add(path=server.keystore,relative-to=jboss.server.config.dir, credential-reference={clear-text=secret},type=JKS)
# Server Keystore credentials  
/subsystem=elytron/key-manager=demoKeyManager:add(key-store=demoKeyStore,credential-reference={clear-text=secret})
# Server keystore Protocols  
/subsystem=elytron/server-ssl-context=demoSSLContext:add(key-manager=demoKeyManager,protocols=["TLSv1.2"]) 
# This is only needed if WildFly uses by default the Legacy security realm
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
# Store SSL Context information in undertow
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=demoSSLContext)

run-batch

reload

Now it will add a tls section to configuration file

Which will look like

<tls>
    <key-stores>
        <key-store name="demoKeyStore">
        <credential-reference clear-text="secret"/>
        <implementation type="JKS"/>
        <file path="server.keystore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="demoKeyManager" key-store="demoKeyStore">
        <credential-reference clear-text="secret"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
    </server-ssl-contexts>
</tls>

Stop wildfly to start making changes to config. /usr/sbin/wildfly-19.0.0.Final stop Stopping wildfly:
Change it to

 <tls>
                <key-stores>
                    <key-store name="demoKeyStore">
                        <credential-reference clear-text="Some1pwD"/>
                        <implementation type="JKS"/>
                        <file path="www.example.com.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="demoKeyManager" key-store="demoKeyStore">
                        <credential-reference clear-text="Some1pwD"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
                </server-ssl-contexts>
            </tls>

/usr/sbin/wildfly-19.0.0.Final start

I am unable to access the wildfly on https://www.example.com while http://www.example.com is working

Answer 1

It's possible to obtain certificates from Let's Encrypt using the WildFly CLI. Take a look at the following blog post that describes how to do this:

https://developer.jboss.org/people/fjuma/blog/2018/08/31/obtaining-certificates-from-lets-encrypt-using-the-wildfly-cli

There's also additional documentation in Section 4.3.6 here:

https://docs.wildfly.org/19/WildFly_Elytron_Security.html#configure-ssltls

Note that to make use of a new certificate without needing to restart the server, you just need to re-initialize your key-manager (eg, /subsystem=elytron/key-manager=httpsKM:init() ).