4 Replies Latest reply on Nov 6, 2018 12:48 PM by alkoch

    How do I install a Lets Encrypt certificate on Ubuntu for Wildfly?

    alkoch

      Hello,

       

      I am running Wildfly 10 on Ubuntu 16.4 and need to bring up TLS using a certificate from Let's Encrypt.  I have spent days scouring the net looking for instructions for how to do this.  I have a collection of pages that explain different aspects of this for different combinations of technology such as "Lets Encrypt for Apache" but I can't find anything for my particular needs.

       

      One particular point of confusion is that it appears to me that since, as far as I can tell, there is no plugin yet available for Wildfly I have to use the "generic" certbot webroot mode which "places a validation file at a specific location on your web server".  However, that requires that the server be running on port 80 and Wildfly (under Ubuntu) can't run there (the default port is 8080).  I only need to run on 80 long enough to get the cert, then I can return Wildfly to its normal port.  So, I am stuck at the very first step of getting a Let's Encrypt cert for Wildfly.

       

      I'm sure many people have got Let's Encrypt certs running with Wildfly so can someone point me to the steps to get this done?

       

      Thank you in advance.

        • 1. Re: How do I install a Lets Encrypt certificate on Ubuntu for Wildfly?
          mchoma

          In WF 14 Let's Encrypt is integrated - tracked by [0], documented by [1].

          If you can't migrate to WF14 you can get a Let's Encrypt certificate with any Let's Encrypt client and just copy it to WF as any other certificate.

           

          [0] [WFCORE-3396] Provide certificate authority integration - JBoss Issue Tracker

          [1] WildFly Elytron Security

          • 2. Re: How do I install a Lets Encrypt certificate on Ubuntu for Wildfly?
            alkoch

            Hi Martin,

             

            Thanks for your reply; that's very helpful.  I am traveling but as soon as I return I will investigate your suggestions.  It seems like an upgrade to Wildfly 14 would be the best approach but I don't have any feel for what implications that might have for our software.

            • 3. Re: How do I install a Lets Encrypt certificate on Ubuntu for Wildfly?
              alkoch

              Hi Martin,

              I finally have my Wildfly 10 server running under TLS. That is, it's now possible to access the deployed .war running under Wildfly using https://.

               

              However, I can't access the Wildfly server's console under TLS.  I can access the console using http:// but if I use http://<ipaddress>:<consolehttpsport>/console/App.html#home I get the following error dump in the Wildfly console as the server is starting up:

              00:18:29,938 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.serverManagement.controller.management.http: org.jboss.msc.service.StartException in service jboss.serverManagement.controller.management.http: WFLYSRV0083: Failed to start the http-interface service
                      at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:275)
                      at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
                      at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                      at java.lang.Thread.run(Thread.java:748)
              Caused by: java.lang.IllegalArgumentException: WFLYDMHTTP0012: A secure socket has been defined for the HTTP interface, however the referenced security realm is not supplying a SSLContext.
                      at org.jboss.as.domain.http.server.ManagementHttpServer.create(ManagementHttpServer.java:172)
                      at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:235)
                      ... 5 more

              To enable TLS for the console I made the following changes to standalone.xml:

              <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
                  <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:<consolehttpsport>}"/>

              and also

              <management-interfaces>
                  <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
                     <socket-binding https="management-https"/>

              As I was saying, I know that TLS is effectively working for the server since I can access my app running under the server using TLS. So it appears I am missing some additional step to get the console to have TLS access.

              Can you point me to a set of instructions that explains how to do this, since I have had to piece together what I know so far from several dated references?

              Thank you.
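
The WFLYDMHTTP0012 message in the post above says the security realm named by the HTTPS-bound http-interface supplies no SSLContext. The following is an added example, not code from the thread or from the WildFly project: it checks a standalone.xml for that condition before startup. The realm contents, the keystore placeholders and the function names are assumptions; the legacy `<server-identities><ssl>` element is what gives a WildFly 10 security realm its SSL identity.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def realms_missing_ssl(xml_text):
    """Names of realms that an https-bound <http-interface> references but
    that define no <server-identities><ssl> (the WFLYDMHTTP0012 condition)."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in find_all(root, "security-realm")}
    missing = []
    for iface in find_all(root, "http-interface"):
        secure = any(local(c.tag) == "socket-binding" and c.get("https")
                     for c in iface)
        if not secure:
            continue  # plain-HTTP management interface needs no SSLContext
        realm = realms.get(iface.get("security-realm"))
        has_ssl = realm is not None and any(
            local(s.tag) == "ssl"
            for ident in realm if local(ident.tag) == "server-identities"
            for s in ident)
        if not has_ssl:
            missing.append(iface.get("security-realm"))
    return missing

# Constructed sample: management section only, modelled on the fragments posted.
TEMPLATE = """<server xmlns="urn:jboss:domain:4.0"><management>
  <security-realms>
    <security-realm name="ManagementRealm">{identities}
      <authentication><local default-user="$local"/></authentication>
    </security-realm>
  </security-realms>
  <management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
      <socket-binding https="management-https"/>
    </http-interface>
  </management-interfaces>
</management></server>"""
# Keystore path and password are placeholders, not values from the thread.
SSL_IDENTITY = """<server-identities><ssl>
  <keystore path="PLACEHOLDER.jks" relative-to="jboss.server.config.dir"
            keystore-password="PLACEHOLDER"/></ssl></server-identities>"""
NO_SSL_IDENTITY = TEMPLATE.format(identities="")
WITH_SSL_IDENTITY = TEMPLATE.format(identities=SSL_IDENTITY)
```

Calling `realms_missing_ssl()` on the text of a real standalone.xml lists every realm that would trigger the startup failure.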


              • 4. Re: How do I install a Lets Encrypt certificate on Ubuntu for Wildfly?
                alkoch

                Hi Martin,

                Thanks for your prior response; I've marked it as the answer. Also, I am moving my following question about console access to a new forum posting.