2 Replies Latest reply on Aug 27, 2018 9:17 AM by lazyeye

    Wildfly 10 - New certificate imported to keystore not reflecting on website

    lazyeye

      Hi


      I’m having a problem with our Wildfly 10 web application server. When importing our new certificate into our keystore file using the Java keytool, the keytool shows that the new certificate is in the keystore, but the website that is using the keystore still reflects our previous certificate. I've been struggling with this issue for the last 3 days and the current certificate expires in 4 days' time. I’ve been trying endlessly to figure out how it is caching the old certificate. I’ve even created a brand new keystore file with a new private key and self-signed certificate, which is correctly reflected in the keystore file, but on the web frontend it is still reflecting the old certificate. I’ve also renamed the keystore file, while not pointing to the new keystore file in the standalone-full.xml config file. This resulted in Wildfly not starting up and complaining about the keystore file that doesn't exist. From this I could gather that Wildfly is definitely looking at the right keystore file, but it’s as if it doesn't look at the certificates inside the file. I’ve cleared out the “tmp” and “data” folders as well, as I’ve read that these folders are used to cache content within Wildfly. This did nothing for the certificate issue however.


      Anyone who has any ideas what could be causing this or how to fix it?


      Thank you in advance.


      Frikkie

        • 1. Re: Wildfly 10 - New certificate imported to keystore not reflecting on website
          mchoma

          The certificate should refresh after a restart of the server. But as I understand it, you are restarting the server. WF does not cache certificates. Apparently you are not changing the file in the proper place. Are you changing the proper security realm referenced by the undertow subsystem? When in domain mode you should change the keystore file on all servers. Isn't there a load balancer providing the certificate?

          • 2. Re: Wildfly 10 - New certificate imported to keystore not reflecting on website
            lazyeye

            Hi Martin


            Your response was very helpful in a few different areas. It stopped me pursuing the caching path and made me look at some other possible causes. And even though we don't have load balancers in our environment, this statement of yours did make me think that the problem might be somewhere on our network on another device. It turns out that we have a web application firewall that still had the old certificate loaded and was providing it to the client. After updating this, the problem went away.


            Thanks again for the quick response, really appreciated.