9 Replies Latest reply on May 11, 2018 11:49 AM by honza889

Restarting the HTTP socket without restarting the Wildfly service.

gir489 Oct 11, 2017 10:31 AM

We are looking at migrating from Norton security certificates to LetsEncrypt, which gives out free SSL certificates, but they expire in 90 days...

This presents a problem to us. We don't want to have to redeploy the site every 90 days, we want it to contiguously run, and like we're doing with the EAR, we just want to call /redeploy on it, and have it continue operating.

However, we haven't found a way to reset the HTTP sockets like we can with the EAR. I found this feature request: [WFLY-4321] restart of http connector without restarting whole web container - JBoss Issue Tracker

In it, the developer on the last page recommends to run this command: /subsystem=undertow/server=default-server/https-listener=https:remove() {allow-resource-service-restart=true}.

When I run it the first time, it says {"outcome" => "success"}, and in the Wildfly console it says:

10:28:16,106 INFO [undertow] WFLYUT0008: Undertow HTTPS listener https suspending

10:28:16,106 INFO [undertow] WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:443.

But then it never comes back... It stops listening.

Eventually, Wildfly will barf and spits out this error:

10:30:00,235 ERROR [EventCache] Problem running the scavenger in the EventCache: java.lang.IllegalStateException: WFLYEE0043: Component is stopped

at org.jboss.as.ee.component.BasicComponent.waitForComponentStart(BasicComponent.java:110)

at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:194)

at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)

I then go to reboot the server, but the HTTPS listener didn't work. I noticed it was rewriting my standalone.xml. I have to revert the standalone.xml to HEAD to get it to work again.

1. Re: Restarting the HTTP socket without restarting the Wildfly service.

ctomc Oct 11, 2017 11:14 AM (in response to gir489)

well, you are removing https listener, which is what https:remove() operation does.
as such it is also removed from config.

if you go the remove way, than you also need to re-add it

/subsystem=undertow/server=default-server/https-listener=https:add(param=value, parm2=value) {allow-resource-service-restart=true}.
just make sure your :add operations has all the configuration options you need.

Also I think having stop/start/restart operation on listeners would make for good addition, could you create jira for adding this
https://issues.jboss.org/browse/WFLY and make sure you select component web (undertow)
Actions
2. Re: Restarting the HTTP socket without restarting the Wildfly service.

gir489 Oct 11, 2017 11:56 AM (in response to ctomc)

Thanks, Tomaz.

After issuing the re-add command, the Wildfly server then basically just did a full redeploy. At this point, we'd just have to look in to attaching new SSL keys with our maintenance cycle, until the user story is (hopefully) accepted and completed.

I have opened a JIRA ticket as per your instructions: [UNDERTOW-1194] Add stop/start/restart operation to listeners. - JBoss Issue Tracker

Thanks.
Actions
3. Re: Restarting the HTTP socket without restarting the Wildfly service.

walkerca Oct 11, 2017 3:58 PM (in response to gir489)

I just tried swapping the keystore-path with jboss-cli. Maybe this will work where every 90 days you prepare a new keystore file with the new LetsEncrypt cert and use the cli to update the attribute?

I did get "reload-required" so I'm not sure if this is too heavyweight for you.

> cd core-service/management/security-realm/ApplicationRealm/server-identity/ssl
> :write-attribute(name=keystore-path,value=/newkeystore.jks)
Actions
4. Re: Restarting the HTTP socket without restarting the Wildfly service.

mchoma Oct 12, 2017 7:57 AM (in response to gir489)

Reloading keystore without need to restart of https should be avalaible in wildfly 11 CR1 in new Elytron security solution:

You can reload a keystore configured in wildfly from the management CLI. This is useful in cases where you have made changes to certificates referenced by a keystore.
To reload a keystore.
/subsystem=elytron/key-store=httpsKS:load
Actions
5. Re: Restarting the HTTP socket without restarting the Wildfly service.

honza889 Oct 12, 2017 11:17 AM (in response to gir489)
Reloading key/certificate used for HTTPS is available in WildFly from 11.0.0.Beta1 - just need use Elytron for HTTPS and reloading key-store AND reinitializing key-manager is sufficient to switch it:

/subsystem=elytron/key-store=httpsKS:load()
/subsystem=elytron/key-managers=httpsKM:init()
Actions
6. Re: Restarting the HTTP socket without restarting the Wildfly service.

gir489 Oct 12, 2017 4:12 PM (in response to honza889)

Interesting. We're still waiting for 11 to fully release, as we're not willing to use a product that's still in development. But that's a good "for the near future" thing to consider.
Actions
7. Re: Restarting the HTTP socket without restarting the Wildfly service.

mchoma Oct 16, 2017 1:41 AM (in response to honza889)

Adding Jan's blog on the topic for reference

SSL key switch without server restart · Honza
Actions
8. Re: Restarting the HTTP socket without restarting the Wildfly service.

gir489 May 11, 2018 11:47 AM (in response to mchoma)

This post doesn't exist anymore. Do you have a copy?
Actions
9. Re: Restarting the HTTP socket without restarting the Wildfly service.

honza889 May 11, 2018 11:49 AM (in response to gir489)

Sorry, the URL of the blog has changed: SSL key switch without server restart · Honza
Actions

Go to original post