JBossDeveloper

Well then let's review.

1. It is not a problem of iptables redirection, since even without doing a redirect to port 443 (Wildfly running directly on port 443 with sistemd) continues without http2.

2. It is not the java or wildfly version, since it has been proven that wildfly 10 or higher runs http2 with java 8. (My Wildfly is 10.1.0.Final and Java is 8 update 111)

NOTE: HTTP2 runs on port 8443 (Any browser).

But the problem still remains: Why does http2 not run on port 443 on Ubuntu?

I do nothing but change the 8443 to 443 and http2 stops running ....

Well I do not understand why this occurs but maybe it's the jks (yes I do not give up), so I'm sending the commands I used to create the jks:

(I save all the commands I use to not forget how I did it)

The .pem files were generated by letsencrypt

Openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.pkcs12 -name example.com -CAfile chain.pem -caname root

The html of my site I replace with example.com

Keytool -importkeystore -srckeystore cert_and_key.pkcs12 -srcstoretype PKCS12 -srcstorepass password -destkeystore letsencrypt.jks -deststorepass password -destkeypass password

The password I replace with the word password.

Are these commands okay or should I use other commands?

And once again ... Thank you for the help

I just completed 1 test with chrome and I think I found a clue to the problem.

Here is the information that the chrome of when I run the site on port 8443:

And here is the information on port 443:

Tomaz Cerar escreveu:

 

What happens if you disable firewalld / iptables completly.

 

and set socket-binding for https to 443 in standalone.xml

than start WildFly with "root" user so it will allow you to bind to port < 1000.

Also disable selinux / app armour AppArmor - Community Help Wiki

something like

sudo invoke-rc.d apparmor kill

sudo update-rc.d -f apparmor remove

should do it.

 

Does it work this way?

If this works than problem has to do with either AppArmor or iptables config.

Hi Tomaz.

Thank you so much for continuing to help me.

But unfortunately those commands did not make http2 work.

Martin Choma escreveu:

 

To run http2 there must be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [1] negotiated. Question now is, why is something else negotiated when you access 443. What happens when you redirect 444 -> 8443. I mean, does chrome handle reserved port 443 specially.

 

[1] RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)

Hi Martin, Thank you for your help

I just redirected from port 8443 to port 443 and http2 works!

If I make the direct connection on port 443 http2 does not work!

This happens in firefox and chrome (Last Version).

Here is an image of the certificates by chrome:

Port 8443:

Port 443:

Hello everyone!

First I would like to thank from the bottom of my heart for the help I had from the entire Wildfly community to solve this problem. You guys are awesome!

I just found the solution.

The problem is in my Windows 10 Anti-Virus (More specifically BitDefender 2017).

All the tests I did was on a Windows 10 operating system, by the time I switched to Linux (I have dual boot) the site finally got http2

So I saw that the name of the issuer of the certificate that was being used was: Bitdefender Personal CA.Net-Defender.

It was at this point that I realized that my certificate created by letsencrypt was being overwritten by another bitdefender certificate. (WHY?)

SOLUTION: In BitDefender enter the module settings, and go to the internet module and disable the option to verify SSL certificates. Restart your browser and you're done.

So beware when testing a website using an antivirus.

My thanks to everyone who helped me to get this solution.

Tomaz Cerar escreveu:

 

Rodrigo Darti da Costa wrote:

 

The problem is in my Windows 10 Anti-Virus (More specifically BitDefender 2017).

 

All the tests I did was on a Windows 10 operating system, by the time I switched to Linux (I have dual boot) the site finally got http2

So I saw that the name of the issuer of the certificate that was being used was: Bitdefender Personal CA.Net-Defender.

It was at this point that I realized that my certificate created by letsencrypt was being overwritten by another bitdefender certificate. (WHY?)

Auch! that is MITM attack waiting to happen. see https://www.reddit.com/r/AskNetsec/comments/2wt5fz/bitdefender_total_security_hijacking_browsers_ssl/

or tls - Bitdefender Antivirus SSL Cert substitution - Information Security Stack Exchange

for some details on why this is extremely bad.

 

I would remove bitdefender just for this reason alone.

 

Anyhow, good catch finding the culprit.

Thx for the Help.

I will just use Linux from now on.