Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
See https://letsencrypt.org/how-it-works/ and http://knowles.co.za/creating-renewing-a-lets-encrypt-certificate-for-apache-and-wildfly/
WildFly is not directly supported by certbot, so we have to use certbot's standalone mode, in which certbot answers the ACME challenge with its own temporary web server. Install certbot (see https://certbot.eff.org/#ubuntuxenial-other):

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt
Then create the certificate interactively. Standalone mode binds port 80 (or 443) for the challenge, so make sure the port is free; if WildFly listens there, stop it first:

sudo systemctl stop wildfly   # only needed if WildFly occupies port 80/443
sudo certbot certonly --standalone -d YOURDOMAIN
The certificate (fullchain.pem) and the private key (privkey.pem) then reside in /etc/letsencrypt/live/YOURDOMAIN (symlinks to the current versions in /etc/letsencrypt/archive).

TODO: document backing up of certificates. Note that /etc/letsencrypt also holds the ACME account key and the private keys, so treat a backup of it as secret material.
Now we have to create a Java keystore for use with WildFly. Adapt the variables to match your use case. Be aware that the passwords are passed on the command line, so they end up in the shell history and are visible in ps while the commands run:

YOURDOMAIN=example.com
YOURKEYSTORENAME=k
KEYSTOREALIAS=a
OPENSSL_PASS=p
WILDFLY_NEW_STORE_PASS=p
WILDFLY_NEW_KEY_PASS=p
NEW_KEYSTORE_FILE=f
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS}
sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDFLY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS}

The openssl step bundles the private key and the full chain into a PKCS#12 file (sudo is needed because privkey.pem is readable by root only). Because -deststoretype PKCS12 is given, the keytool step only re-packages that bundle as another PKCS#12 store that merely carries a .jks name; Java 9 and later open such a file through the default JKS keystore type as well. If your WildFly runs on an older Java that refuses it, use -deststoretype JKS in the keytool command instead.
Copy the keystore to WildFly and hand it to the service user. The file contains the private key and is created with your default umask, so make sure it is not world-readable:

sudo cp ${NEW_KEYSTORE_FILE}.jks /opt/wildfly/standalone/configuration
sudo chown wildfly:nogroup /opt/wildfly/standalone/configuration/${NEW_KEYSTORE_FILE}.jks
Update the WildFly configuration in /opt/wildfly/standalone/configuration/standalone.xml, section server → management → security-realms (replace the upper-case placeholders with the values chosen above):

<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="NEW_KEYSTORE_FILE.jks" relative-to="jboss.server.config.dir" keystore-password="WILDFLY_NEW_STORE_PASS" alias="KEYSTOREALIAS" key-password="WILDFLY_NEW_KEY_PASS"/>
        </ssl>
    </server-identities>
</security-realm>

The realm only takes effect once an https-listener in the undertow subsystem references it through its security-realm attribute. Note that the keystore passwords are now stored in clear text in standalone.xml, so keep that file readable by the wildfly user only.
Let's Encrypt certificates are valid for 90 days only, so they need regular renewal. Check the validity of your certificates:

sudo certbot certificates
If WildFly uses port 80/443 you have to shut it down now, because standalone mode needs the port for the challenge.

Then renew the certificate:

sudo certbot renew

This replaces /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem and, since certbot generates a fresh private key on renewal by default, privkey.pem as well. Then repeat the steps for creating the Java keystore, copy it to WildFly again and restart WildFly so that it reloads the keystore.
As of 2018-08 shutting down may not be necessary anymore, see certbot --help standalone and the option --tls-sni-01-port (see also https://github.com/certbot/certbot/issues/2697). Caveat: Let's Encrypt has since retired the TLS-SNI-01 challenge, so that option no longer helps. The remaining choices are to stop WildFly around the renewal (certbot's --pre-hook and --post-hook run commands before and after the renewal attempt) or to let the standalone server listen on another port (--http-01-port) behind a port forward that still exposes it on port 80, which is the port Let's Encrypt connects to.