SSL

3 min read

Please make sure that you have the following PEM-encoded files:

  • cert.pem: Server certificate only
  • chain.pem: Root and intermediate certificates only, Let’s Encrypt chain
  • fullchain.pem: Previous cert.pem and chain.pem combined
  • privkey.pem: Your certificate's private key

Download the certbot-auto script

Change directory to your home directory

cd /home/orestis

Download certbot-auto from the internet as a superuser

sudo wget https://dl.eff.org/certbot-auto

Change mode for full-write access to this directory

sudo chmod a+x certbot-auto

The certbot is hopefully installed now, and we need to ask it to renew or create the certificate.

Stop all background services that are already running on port 80.

  • certbot-auto renew

EXAMPLE:

certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email admin@example.com -d example.com -d www.example.com

REAL EXAMPLE:

certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email opantazos@gmail.com -d opendevops.dev -d www.opendevops.dev

The command line argument shows something like this in the end:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/
**/fullchain.pem. Your cert will
expire on **. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"

- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

NOTE:

If you are working in Java environment, then the Java key store is the official place to store your private keys. Java desktop or web applications typically expect to get the keys that they need from JKS, and it is easy to access from your own Java applications. JKS is not accessible from outside Java environment.

PKCS#12 files (PFX) are the file format that is often called .p12 or .pfx where you can store a private key and certificates.

We nede to get the public and private keys into JBoss WildFly application server. For example, Apache, Nginx servers that were setup with the public and private keys pointed to separately, instead of, generally in Java, WildFly works off of a keystore (.jks). We need to convert the PEM file into a P12 file that is readable format by Java keytool.

Use OpenSSL security toolkit:

Example:

openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out KEYSTORENAME.p12 -name KEYSTOREALIAS

Real Example:

YOURDOMAIN replacement is the folder corresponding to the domain object that you are generating the key for, and was present in the listed console output from the previous step.

KEYSTORENAME will become part of the generated file name (.p12), and will be used in the JBoss WildFly XML part of the configuration, as the KEYSTOREALIAS.

When you have pressed ENTER shortcut, you will be prompted and verified for a new password credential. This new password will be used in a moment, when we generate the keystore.

Generating Java keystore (.jks)

Example:

/usr/lib/jvm/jdk1.7.0_80/bin/keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDFLY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore KEYSTORENAME.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS

Real Example:

/usr/lib/jvm/jdk1.8.0_80/bin/keytool -importkeystore -deststorepass athens -destkeypass athens -destkeystore mycert.jks -srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass athens -alias mycert

Go to JBoss WildFly server config directory as superuser and copy the file mycert.jks:

sudo cp mycert.jks /opt/wildfly/standalone/configuration/

WILDFLY_NEW_STORE_PASS: It is keystore password credential
WILDFLY_NEW_KEY_PASS: It is the destination keystore password
NEW_KEYSTORE_FILE: It is the final .jks file name

Go to standalone.xml configuration file, follow and transfer the rule cases:

Example:

<server-identities>
   <ssl>
      <keystore path="NEW_KEYSTORE_FILE.jks" 
                relative-to="jboss.server.config.dir" 
                keystore-password="WILDFLY_NEW_STORE_PASS" 
                alias="KEYSTOREALIAS" 
                key-password="WILDFLY_NEW_KEY_PASS"/>
   </ssl>
</server-identities>

Real Example:

<server-identities>
   <ssl>
      <keystore path="mycert.jks" 
                relative-to="jboss.server.config.dir" 
                keystore-password="athens" 
                alias="mycert" 
                key-password="athens"/>
   </ssl>
</server-identities>

Last but not least, start the WildFly application server on run mode.

.\standalone.sh -b 0.0.0.0
Orestis Pantazos

Orestis Pantazos

DevOps Engineer