8 Replies Latest reply on Nov 18, 2018 12:53 PM by Claudio Miranda

    Configuring the Console for TLS access has broken CLI connect!

    Al Koch Newbie

      Hello,

       

      I have just configured standalone.xml to allow access with the Wildfly console using TLS (and http access now times out) using a Let's Encrypt cert. This is working well.  However, I have just discovered that these changes to standalone.xml now cause my use of jboss-cli.sh --commands="connect --controller= to fail.  This is the command which worked prior to the TLS change:

       

      /usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --commands="connect --controller=<ipaddress>:<httpport>,/subsystem=datasources/data-source=<datasourcename>:test-connection-in-pool"

       

      After implementing TLS this now results in this error:

      The controller is not available at <ipaddress>:<httpport>: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://<ipaddress>:<httpport>. The connection failed: WFLYPRT0053: Could not connect to http-remoting://<ipaddress>:<httpport>. The connection failed: Connection refused

       

      This makes sense now that 1) <httpport> is no longer allowed due to the TLS configuration and 2) the Let's Encrypt cert doesn't work with a raw IP address.

       

      So I changed the command to:

       

      /usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --commands="connect --controller=https://<domainnameincert>:<tlsport>,/subsystem=datasources/data-source=<datasourcename>:test-connection-in-pool"

       

      This results in this error:

       

      The controller is not available at <domainnameincert>:<tlsport>: org.jboss.remoting3.UnknownURISchemeException: No connection provider for URI scheme "https" is installed: No connection provider for URI scheme "https" is installed

       

      The message makes it clear I am missing additional configuration.

       

      Can someone tell me what I need to do to clear this error?  Is this an additional change in standalone.xml or a different configuration file?

       

      Thank you in advance.

        • 1. Re: Configuring the Console for TLS access has broken CLI connect!
          Claudio Miranda Expert

          You should change the protocol to remoting+https, as in this example: ./jboss-cli.sh -c --controller=remote+https://localhost:9993

          You can change it in jboss-cli.xml, in the default-controller section or add a custom controller with your specific ip+port address.

          • 2. Re: Configuring the Console for TLS access has broken CLI connect!
            Wolfgang Mayer Master

            This worked in my environment

             

            jboss-cli.sh --connect --controller=https-remoting://{hostname}:9993

            • 3. Re: Configuring the Console for TLS access has broken CLI connect!
              Al Koch Newbie

              Hi Claudio,

               

              I tried your suggestion but still have an error:

              /usr/share/wildfly-10.1.0.Final/bin/jboss-cli.sh --connect --controller=remote+https://<domainnameincert>:<tlsport>

               

              which generates this error:

              Failed to connect to the controller: The controller is not available at <domainnameincert>:<tlsport>: org.jboss.remoting3.UnknownURISchemeException: No connection provider for URI scheme "remote+https" is installed: No connection provider for URI scheme "remote+https" is installed

               

              It seems that even with the changed protocol I'm still getting the same "No connection provider" error.

               

              I also tried Wolfgang's suggestion of

              --connect --controller=https-remoting://<domainnameincert>:<tlsport>

               

              which generates this error:

              Failed to connect to the controller: The controller is not available at <domainnameincert>:<tlsport>: java.net.ConnectException: WFLYPRT0023: Could not connect to https-remoting://<domainnameincert>:<tlsport>. The connection timed out: WFLYPRT0023: Could not connect to https-remoting://<domainnameincert>:<tlsport>. The connection timed out

               

              Can you see what is going wrong?

              Thank you for the help.

              Failed to connect to the controller: The controller is not available at WS.EnhancePI.cloud:30002: java.net.ConnectException: WFLYPRT0023: Could not connect to https-remoting://WS.EnhancePI.cloud:30002. The connection timed out: WFLYPRT0023: Could not connect to https-remoting://WS.EnhancePI.cloud:30002. The connection timed out

              • 4. Re: Configuring the Console for TLS access has broken CLI connect!
                Wolfgang Mayer Master

                It looks like your console is not listening on port 30002. Could you check your server.log? It should report something like

                WFLYSRV0052: Admin console listening on https://…{hostname}:{PortNumber}

                • 5. Re: Configuring the Console for TLS access has broken CLI connect!
                  Claudio Miranda Expert

                  The remote+https protocol is not available in Wildfly 10, so you should use Wolfgang's suggestion of https-remoting and check the port number. There is a network utility to help check open ports, netcat; try this command:

                   

                  nc -zv -w2 WS.EnhancePI.cloud 30002

                  • 6. Re: Configuring the Console for TLS access has broken CLI connect!
                    Al Koch Newbie

                    Hello Claudio and Wolfgang,

                     

                    When I run the following I get the error as shown:

                     

                    nc -zv -w2 <domainname> <TLSport>

                    nc: connect to <domainname> port <TLSport> (tcp) timed out: Operation now in progress

                     

                     

                    I then changed over from using the <domainname> to the <ipaddress> and I got success!

                    nc -zv -w2 <ipaddress> <TLSport>

                    Connection to <ipaddress> <TLSport> port [tcp/*] succeeded!

                     

                    So it appears that the server is listening on <TLSport>.  Here are the relevant lines:

                    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

                        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:<httpport>}"/>

                        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:<TLSport>}"/>

                     

                    I thought the problem was being caused by the fact that the Let's Encrypt cert being used does not allow raw IP Addresses so I modified standalone.xml as follows:

                    FROM:

                    <interfaces>

                        <interface name="management">

                            <inet-address value="${jboss.bind.address.management:<ipaddress>}"/>

                        </interface>

                        <interface name="public">

                            <inet-address value="${jboss.bind.address:<ipaddress>}"/>

                        </interface>

                    </interfaces>

                     

                    TO (note the use of the Domain Name)

                    <interfaces>

                        <interface name="management">

                            <inet-address value="${jboss.bind.address.management:<domainname>}"/>

                        </interface>

                        <interface name="public">

                            <inet-address value="${jboss.bind.address:<ipaddress>}"/>

                        </interface>

                    </interfaces>

                     

                    But that causes the server to fail on startup with:

                     

                    2018-11-18 00:19:37,689 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([

                        ("socket-binding-group" => "standard-sockets"),

                        ("socket-binding" => "management-https")

                    ]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}

                    2018-11-18 00:19:37,747 INFO  [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report

                    WFLYCTL0186:   Services which failed to start:      service jboss.network.management: org.jboss.msc.service.StartException in service jboss.network.management: WFLYSRV0082: failed to resolve interface management

                     

                    2018-11-18 00:19:37,937 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0063: Http management interface is not enabled

                    2018-11-18 00:19:37,938 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0054: Admin console is not enabled

                     

                    I'm at a loss.  Can you see what's wrong?

                     

                    Again, many thanks.

                    • 7. Re: Configuring the Console for TLS access has broken CLI connect!
                      Wolfgang Mayer Master

                      It looks like your reference to the socket-binding is not correct. In your standalone.xml you should point to management-https like

                       

                      <management-interfaces>

                          <http-interface security-realm="ManagementRealm">

                              <http-upgrade enabled="true"/>

                              <socket-binding https="management-https"/>

                          </http-interface>

                      </management-interfaces>

                      • 8. Re: Configuring the Console for TLS access has broken CLI connect!
                        Claudio Miranda Expert

                        From your test with nc, I understood the domain name cannot be resolved, so when you changed the following line, as the domain name is not resolved, WildFly will fail to start:

                         

                        <inet-address value="${jboss.bind.address.management:<domainname>}"/>

                         

                        As a side note, you can set a new value by using parameters in command line as in

                         

                        ./standalone.sh -Djboss.bind.address.management=my_hostname

                         

                        Try to set the IP address in the DNS resolver service or /etc/hosts if you control the network.
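
The checks this thread converges on (the https-remoting scheme on WildFly 10, a hostname that actually resolves, a TLS management port that is listening), gathered into one added shell example that is not from any of the posters; the hostname, port and WildFly path are placeholders, and the error-to-cause mapping is taken from the messages quoted in the posts above.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): pre-flight checks before connecting
# the WildFly 10 CLI to a TLS-enabled management interface.

# Build the controller URL the WildFly 10 CLI accepts for TLS. The thread
# shows that remote+https is not available on WildFly 10; https-remoting is.
cli_controller_url() {
    printf 'https-remoting://%s:%s\n' "$1" "$2"
}

# Map a CLI or server failure message to the most likely cause, using the
# messages that appeared in this thread.
classify_cli_error() {
    case "$1" in
        *"No connection provider for URI scheme"*) echo "wrong-scheme" ;;
        *"Connection refused"*)                    echo "port-not-listening" ;;
        *"connection timed out"*)                  echo "unreachable-or-unresolved" ;;
        *"WFLYSRV0082"*)                           echo "bind-address-unresolvable" ;;
        *)                                         echo "unknown" ;;
    esac
}

# Live checks, in the order the thread worked through them: name resolution
# (the server must also be able to resolve the name it binds to), TCP
# reachability (the nc test from the thread), then the CLI connect itself.
# Needs getent, nc and a WildFly install; all three are placeholders here.
preflight_and_connect() {
    host="$1"; port="$2"; wildfly_home="${3:-/usr/share/wildfly-10.1.0.Final}"
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "DNS: $host does not resolve; fix DNS or /etc/hosts first" >&2
        return 1
    fi
    if ! nc -zv -w2 "$host" "$port"; then
        echo "TCP: nothing listening at $host:$port; check management-https binding" >&2
        return 1
    fi
    "$wildfly_home/bin/jboss-cli.sh" --connect \
        --controller="$(cli_controller_url "$host" "$port")" \
        --commands=":read-attribute(name=server-state)"
}
```

Run `preflight_and_connect <domainname> <TLSport>` on the CLI host; a failing step prints which of the thread's three problems (resolution, listener, scheme) still applies.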