4 Replies Latest reply on Jan 10, 2019 2:33 PM by alkoch

Is there a way to avoid a Wildfly 10 restart after renewing a LetsEncrypt certificate?

alkoch Jan 7, 2019 3:08 PM

Hello,

I have Wildfly 10 successfully running with a LetsEncrypt certificate. I just renewed the certificate and it appears that I have to restart Wildfly for the new certificate to be recognized. To test this I accessed the server after having renewed the certificate (and converted to .jks format) and Firefox showed the original/soon to expire certificate Expiry date. I restarted the server and then Firefox showed the new certificate Expiry date so it appears a restart is necessary. For a production server this is obviously a real problem.

1) Is there some way to get the new certificate into service without a restart?

2) It is my understanding that Wildfly 14 has LetsEncrypt certificate "support" built in. I'm not sure what that actually means but does v14 require a restart after renewing a LetsEncrypt certificate also?

Thank you in advance.

1. Re: Is there a way to avoid a Wildfly 10 restart after renewing a LetsEncrypt certificate?

msystems Jan 7, 2019 3:30 PM (in response to alkoch)

I don't know about WildFly 10, but in WildFly >= 14 it works with:

jboss-cli.sh --connect --commands=/subsystem=elytron/key-store=<name of key store>:load,/subsystem=elytron/key-manager=<name of key manager>:init

And no restart of WildFly is needed.
1 of 1 people found this helpful
Actions
2. Re: Is there a way to avoid a Wildfly 10 restart after renewing a LetsEncrypt certificate?

alkoch Jan 9, 2019 10:58 AM (in response to msystems)

Hi Kenneth,

Thanks for letting me know that v14 does not require a reboot. We have an upgrade to v14 later this year but I'd sure like to find a way to avoid rebooting with v10 if I can. Does anyone else have any ideas about v10?
Actions
3. Re: Is there a way to avoid a Wildfly 10 restart after renewing a LetsEncrypt certificate?

fjuma Jan 9, 2019 1:53 PM (in response to alkoch)

For WildFly 10, it looks like a restart will be needed.

From WildFly 11+, it is possible to use the Elytron subsystem key-store load operation to switch to using the new certificate without restarting the server. Details on this can be found here.

For details on how to get started with Let's Encrypt with WildFly 14+, see https://developer.jboss.org/people/fjuma/blog/2018/08/31/obtaining-certificates-from-lets-encrypt-using-the-wildfly-cli. This post also gives an example of how certificate renewal can be done without needing to restart WildFly.
Actions
4. Re: Is there a way to avoid a Wildfly 10 restart after renewing a LetsEncrypt certificate?

alkoch Jan 10, 2019 2:33 PM (in response to fjuma)

Hi Farah, Thank you for the very helpful links - I'll start following your blog!
Actions

Go to original post