Differences

This shows you the differences between two versions of the page.

--- ssl_tsl_certificates [2018/11/09 12:56]
mstraub created
+++ ssl_tsl_certificates [2018/11/09 13:41] (current)
mstraub [Workflow when using WildFly]
@@ Line 1: / Line 1: @@
 ====== SSL/TSL Certificates ======
+When using HTTPS on your server you should most probably also provide a **valid** [[https://de.wikipedia.org/wiki/Transport_Layer_Security|TLS]] (aka SSL) certificate. Otherwise browsers tend to block access to your page or at least give a big warning that the page is not secure.
 ===== Let's Encrypt =====
@@ Line 18: / Line 20: @@
 <code bash>
-sudo apt-get update
+sudo apt update
-sudo apt-get install software-properties-common
+sudo apt install software-properties-common
 sudo add-apt-repository ppa:certbot/certbot
-sudo apt-get update
+sudo apt update
-sudo apt-get install certbot
+sudo apt install certbot
 sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt
@@ Line 40: / Line 42: @@
 == Create Java Keystore ==
-Now we have to create a java keystore (.jks) for use with WildFly:
+Now we have to create a java keystore (.jks) for use with WildFly. Adapt the variables to match your use case, and note, that you should delete the lines containing passwords from your ''~/.bash_history'' (or equivalent):
 <code bash>
-YOURDOMAIN=a.ait.ac.at
+YOURDOMAIN=example.com
-YOURKEYSTORENAME=b
+YOURKEYSTORENAME=k
-KEYSTOREALIAS=c
+KEYSTOREALIAS=a
 OPENSSL_PASS=p
 WILDFLY_NEW_STORE_PASS=p
@@ Line 52: / Line 54: @@
 sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS}
 sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS}
 </code>
@@ Line 89: / Line 90: @@
 </code>
-In case WildFly uses port 80/443 you have to shut it down now.
+In case WildFly uses port 80/443 you have to shut it down now. Unfortunately you can not specify a different port for the validation, see ''%%certbot --help standalone%%'' (especially the option ''%%--tls-sni-01-port%%''), and https://github.com/certbot/certbot/issues/2697.
 Then renew the certificate (updates ''/etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem''):
@@ Line 98: / Line 99: @@
 Then repeat the steps for creating a new java keystore.
-FIXME as of 2018-08 shutting down may not be necessary anymore, see ''certbot --help standalone'' and the option ''--tls-sni-01-port''. See also https://github.com/certbot/certbot/issues/2697

Small heaps of code

User Tools

Site Tools

Differences

Page Tools