11 Replies Latest reply on Feb 26, 2019 9:51 PM by bret.james

Configuring the Console for TLS access has broken CLI connect!

alkoch Nov 15, 2018 11:32 AM

Hello,

I have just configured standalone.xml to allow access with the Wildfly console using TLS (and http access now times out) using a Let's Encrypt cert. This is working well. However, I have just discovered that these changes to standalone.xml now cause my use of jboss-cli.sh --commands="connect --controller= to fail. This is the command which worked prior to the TLS change:

/usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --commands="connect --controller=<ipaddress>:<httpport>,/subsystem=datasources/data-source=<datasourcename>:test-connection-in-pool"

After implementing TLS this now results in this error:

The controller is not available at <ipaddress>:<httpport>: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://<ipaddress>:<httpport>. The connection failed: WFLYPRT0053: Could not connect to http-remoting://<ipaddress>:<httpport>. The connection failed: Connection refused

This make sense now that 1) <httpport> is no longer allowed due to the TLS configuration and 2) the Let's Encrypt cert doesn't work with a raw IP address.

So I changed the command to:

/usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --commands="connect --controller=https://<domainnameincert>:<tlsport>,/subsystem=datasources/data-source=<datasourcename>:test-connection-in-pool"

This results in this error:

The controller is not available at <domainnameincert>:<tlsport>: org.jboss.remoting3.UnknownURISchemeException: No connection provider for URI scheme "https" is installed: No connection provider for URI scheme "https" is installed

The message makes it clear I am missing additional configuration.

Can someone tell me what I need to do to clear this error? Is this an additional change in standalone.xml or a different configuration file?

Thank you in advance.

1. Re: Configuring the Console for TLS access has broken CLI connect!

claudio4j Nov 16, 2018 6:01 AM (in response to alkoch)

You should change the protocol to remoting+https, as in this example: ./jboss-cli.sh -c --controller=remote+https://localhost:9993

You can change it in jboss-cli.xml, in the default-controller section or add a custom controller with your specific ip+port address.
Actions
2. Re: Configuring the Console for TLS access has broken CLI connect!

mayerw01 Nov 16, 2018 6:02 AM (in response to alkoch)

This worked in my environment

jboss-cli.sh --connect --controller=https-remoting://{hostname}:9993
Actions
3. Re: Configuring the Console for TLS access has broken CLI connect!

alkoch Nov 16, 2018 8:03 PM (in response to claudio4j)

Hi Claudio,

I tried your suggestion but still have an error:
/usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --connect --controller=remote+https://<domainnameincert>:<tlsport>

which generates this error:
Failed to connect to the controller: The controller is not available at <domainnameincert>:<tlsport>: org.jboss.remoting3.UnknownURISchemeException: No connection provider for URI scheme "remote+https" is installed: No connection provider for URI scheme "remote+https" is installed

It seems that even with the changed protocol I'm still getting the same "No connection provider" error.

I also tried Wolfgang's suggestion of
--connect --controller=https-remoting://<domainnameincert>:<tlsport>

which generates this error:
Failed to connect to the controller: The controller is not available at <domainnameincert>:<tlsport>: java.net.ConnectException: WFLYPRT0023: Could not connect to https-remoting://<domainnameincert>:<tlsport>. The connection timed out: WFLYPRT0023: Could not connect to https-remoting://<domainnameincert>:<tlsport>. The connection timed out

Can you see what is going wrong?

Thank you for the help.
Failed to connect to the controller: The controller is not available at WS.EnhancePI.cloud:30002: java.net.ConnectException: WFLYPRT0023: Could not connect to https-remoting://WS.EnhancePI.cloud:30002. The connection timed out: WFLYPRT0023: Could not connect to https-remoting://WS.EnhancePI.cloud:30002. The connection timed out
Actions
4. Re: Configuring the Console for TLS access has broken CLI connect!

mayerw01 Nov 17, 2018 4:37 AM (in response to alkoch)

It looks like your console is not listening on port 30002. Could you check your server.log. It should report something like
WFLYSRV0052: Admin console listening on https://…{hostname}:{PortNumber}
Actions
5. Re: Configuring the Console for TLS access has broken CLI connect!

claudio4j Nov 17, 2018 8:46 AM (in response to alkoch)

The remote+https protocol is not available in Wildfly 10, then you should use Wolfgang suggestion of https-remoting and check the port number. There is a network utility to help check open ports, netcat, try this command:

nc -zv -w2 WS.EnhancePI.cloud 30002
Actions
6. Re: Configuring the Console for TLS access has broken CLI connect!

alkoch Nov 17, 2018 7:42 PM (in response to claudio4j)

Hello Claudio and Wolfgang,

When I run the following I get the error as shown:

nc -zv -w2 <domainname> <TLSport>
nc: connect to <domainname> port <TLSport> (tcp) timed out: Operation now in progress

I then changed over from using the <domainname> to the <ipaddress> and I got success!
nc -zv -w2 <ipaddress> <TLSport>
Connection to <ipaddress> <TLSport> port [tcp/*] succeeded!

So it appears that the server is listening on <TLSport>. Here are the relevant lines:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:<httpport>}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:<TLSport>}"/>

I thought the problem was being caused by the fact that the Let's Encrypt cert being used does not allow raw IP Addresses so I modified standalone.xml as follows:
FROM:
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:<ipaddress>}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:<ipaddress>}"/>
    </interface>
</interfaces>

TO (note the use of the Domain Name)
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:<domainname>}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:<ipaddress>}"/>
    </interface>
</interfaces>

But that causes the server to fail on startup with:

2018-11-18 00:19:37,689 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("socket-binding-group" => "standard-sockets"),
    ("socket-binding" => "management-https")
]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}
2018-11-18 00:19:37,747 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186:   Services which failed to start:      service jboss.network.management: org.jboss.msc.service.StartException in service jboss.network.management: WFLYSRV0082: failed to resolve interface management

2018-11-18 00:19:37,937 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0063: Http management interface is not enabled
2018-11-18 00:19:37,938 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0054: Admin console is not enabled

I'm at a loss. Can you see what's wrong?

Again, many thanks.
Actions
7. Re: Configuring the Console for TLS access has broken CLI connect!

mayerw01 Nov 18, 2018 4:08 AM (in response to alkoch)

It looks like your reference to the socket-binding is not correct. In your standalone.xml you should point to management-https like

<management-interfaces>
            <http-interface security-realm="ManagementRealm">
                <http-upgrade enabled="true"/>
                <socket-binding https="management-https"/>
            </http-interface>
        </management-interfaces>
Actions
8. Re: Configuring the Console for TLS access has broken CLI connect!

claudio4j Nov 18, 2018 12:53 PM (in response to mayerw01)

From your test with nc, I understood the domain name cannot be resolved, so when you changed the following line, as the domain name is not resolved, then wildfly will fail to start

<inet-address value="${jboss.bind.address.management:<domainname>}"/>

As a side note, you can set a new value by using parameters in command line as in

./standalone.sh -Djboss.bind.address.management=my_hostname

Try to set the IP address in the DNS resolver service or /etc/hosts if you control the network.
Actions
9. Re: Configuring the Console for TLS access has broken CLI connect!

chand1111 Feb 12, 2019 12:02 PM (in response to alkoch)

Al Koch,
Has this issue been resolved? If yes, what was the solution? Please share. I am facing same issue and lost.
Actions
10. Re: Configuring the Console for TLS access has broken CLI connect!

alkoch Feb 26, 2019 1:07 PM (in response to chand1111)

Hi Chand,

Sorry for the delay in responding. I have not been able to make this work and have decided that I'm going to limp along without a fix until we can upgrade to v14. I hope that this will work under that version. If not then I'll return to trying to fix this. If you happen to fix this yourself please post your fix there! Thanks.
Actions
11. Re: Configuring the Console for TLS access has broken CLI connect!

bret.james Feb 26, 2019 9:51 PM (in response to alkoch)

I am also looking the answer of same question
Actions

Go to original post