Creating/Renewing Let’s Encrypt Certificate JBoss WildFly
Common file related certificate gethttpsforfree.com
If you will have the following PEM-encoded files:
- cert.pem: Server certificate only
- chain.pem: Root and intermediate certificates only, Let’s Encrypt chain
- fullchain.pem: Previous cert.pem and chain.pem combined
- privkey.pem: Your certificate's private key (do not share this with anyone)
Download the certbot-auto script
cd /home/utente
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
Now that certbot is hopefully installed, we need to ask it to renew/create certificate.
Stop all services running on port 80.
- certbot-auto renew
- certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email admin@example.com -d example.com -d www.example.com
At the end, the command show somethings like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/***/fullchain.pem. Your cert will
expire on ***. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
NOTE: If you're working in Java then the Java Key Store is the natural place to store private keys. Java applications typically expect to get the keys they need from JKS, and it's easy to access from your own Java apps. JKS is not accessible (without jumping through a few hoops) from outside Java.
PKCS#12 (aka PFX) files, are the format (often called .p12 or .pfx) where you can store a private key and certificates. They are a language-neutral way to store encrypted private keys and certificates, and has been around long enough that it's supported just about everywhere.
We need to get the public and private keys into Wildfly. Instead of (for example Apache, Nginx) that were setup with the public and private keys pointed to separately, Wildfly (generally Java) works off of a keystore (.jks). We need to convert the PEM file into a P12 file that is readable format by the keytool.
Use openssl tools.
openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out KEYSTORENAME.p12 -name KEYSTOREALIAS
YOURDOMAIN replacement is the folder corresponding to the domain that you’re generating the key for, and was present in the listed output from the previous step.
KEYSTORENAME will become part of the generated file name (.p12), and will be used in the WildFly xml part of configuration, as will the KEYSTOREALIAS.
Once you’ve pressed enter, you’ll be prompted (and verified) for a new password. This new password will be used in a moment when we generate the keystore. (called it PREVIOUSPASSWORD and must be the same of other next password)
Generating the keystore java (.jks)
/usr/lib/jvm/jdk1.7.0_80/bin/keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDFLY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore KEYSTORENAME.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS
sudo cp NEW_KEYSTORE_FILE.jks /opt/wildfly/standalone/configuration/ (jboss server config directory)
WILDFLY_NEW_STORE_PASS is keystore password
WILDFLY_NEW_KEY_PASS is the destination keystore password
NEW_KEYSTORE_FILE is the final .jks name
Find the section of standalone.xml config file and specifically the one you’re setting up
<server-identities>
<ssl>
<keystore path="NEW_KEYSTORE_FILE.jks"
relative-to="jboss.server.config.dir"
keystore-password="WILDFLY_NEW_STORE_PASS"
alias="KEYSTOREALIAS"
key-password="WILDFLY_NEW_KEY_PASS"/>
</ssl>
</server-identities>
Start the application server
service wildfly start
Disable cronjob task that automatic restart wildfly if is down/crash, comment line with # char.
crontab -e
Stop all services running on port 80
service apache2 stop
service wildfly stop
Enter dir where related certs are and make a backup dir of certs or jks
cd dir-new-ssl-cert
Execute:
./certbot-auto renew [--dry-run option to do a test]
Run following command with replacement of placeholders:
openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out NEW_KEYSTORE_FILE.p12 -name KEYSTOREALIAS
/usr/lib/jvm/jdk1.7.0_80/bin/keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDFLY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore NEW_KEYSTORE_FILE.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS
Install jks on jboss folder (ex: /opt/wildfly/standalone/configuration/...)
(ex: jboss.server.config.dir on file standalone.xml)
sudo cp NEW_KEYSTORE_FILE.jks /opt/wildfly/standalone/configuration/
Restart all services:
service apache2 start
service wildfly start