These instructions were written for Ubuntu 16, but they should translate quite easily to other flavours of *nix, relatively easily for macOS, and with only small tweaks for Windows. Probably.
Contents
Apache
Renewing the Apache portion of the certificate is fairly easy – Let’s Encrypt’s certbot can handle that for you. In my case, I’d not renewed since the certbot was brought in, so a bit of installation was required.
Installing certbot
I have some locale settings issues on my box. I’m not certain if that’s because I mucked something up or there’s some weird defaults, but I need to manually set the locale before a lot of things. Yes, I should really stick it into a startup script, but I tend to forget about it the moment I’m done with it. Perhaps after this article.
In any case, to set some locale settings so that install will work, enter
|
1 |
export LC_ALL=C |
To install the certbot from scratch, I followed the instructions here. I’ll repeat the easy parts below, and include parts on renewal, but you should read through that article for a more in-depth treatment and your initial certificate generation. Note that some of these commands require sudo access, so it might be easier to paste them in one at a time – at least for the first one, so that you can type in your password. I didn’t do that, and it was relatively exciting afterwards.
Not bad, just relatively exciting. Anyways, to install certbot:
|
1 2 3 4 |
sudo mkdir /opt/certbot cd /opt/certbot sudo wget https://dl.eff.org/certbot-auto sudo chmod a+x certbot-auto |
Now that certbot is (hopefully) installed, we need to ask it to renew our certificate. If you’re setting up an initial certificate, see this link again. To renew the certificate, just issue a command like
|
1 |
/opt/certbot/certbot-auto renew |
Many many status messages will scroll down, finishing with something like (for an Apache setup)
|
1 2 3 4 |
------------------------------------------------------------------------------- new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem ------------------------------------------------------------------------------- |
With YOURDOMAIN replaced with your actual domain, obviously.
WildFly
Next up, we need to get the public and private keys into Wildfly. Apache was setup with the public and private keys pointed to separately, but Wildfly (well, Java) works off of a keystore. What we’re going to do is generate a new keystore that contains your new private and public keys, as read off of the /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem file that certbot generated earlier.
Converting the PEM file
To do this, we need to convert the PEM file into a P12 file that is readable by the keytool. This is accomplished by issuing the OpenSSL command, after making suitable replacements.
|
1 |
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out YOURKEYSTORENAME.p12 -name KEYSTOREALIAS |
The YOURDOMAIN replacement is the folder corresponding to the domain that you’re generating the key for, and was present in the listed output from the previous step. The KEYSTORENAME will become part of the generated file name, and will be used in the WildFly configuration, as will the KEYSTOREALIAS. These can be anything of your choice. Once you’ve pressed enter, you’ll be prompted (and verified) for a new password. This new password will be used in a moment when we generate the keystore.
You may not need the sudo part of the command, but you more likely will as people shouldn’t generally have read permissions to the various keys.
Generating the keystore
Once the certificate has been converted, we need to produce the keystore. This again is a one-liner with some substitutions:
|
1 |
keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDLFY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore YOURKEYSTORENAME.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS |
There are a couple of substitutions here – new ones are a password for the keystore, a password for the key within the keystore, and the name of the resulting keystore. The other substitutions are either from the previous step, or from the password created as part of the previous step.
This will result in a keystore with your chosen name being generated in your current folder. You can copy this to your WildFly’s configuration folder, e.g.
|
1 |
sudo cp NEW_KEYSTORE_FILE.jks /opt/wildfly/standalone/configuration/ |
WildFly configuration
Finally, we need to add the keystore to WildFly. There are many posts detailing how to set up SSL for WildFly, and this is really more focused on renewing certificates, so we’ll check just that. Find the <security-realms> section, and specifically the one you’re setting up – Undertow in my case.
Update your <ssl> tag as
|
1 2 3 4 5 6 7 8 9 |
<server-identities> <ssl> <keystore path="NEW_KEYSTORE_FILE.jks" relative-to="jboss.server.config.dir" keystore-password="WILDFLY_NEW_STORE_PASS" alias="KEYSTOREALIAS" key-password="WILDFLY_NEW_KEY_PASS"/> </ssl> </server-identities> |
Reboot WildFly with
|
1 |
sudo system wildfly restart |
And you’re all done. For a coupla months.
Hey! Thank very much you for this article, it was just what I needed.
Pleasure! I kept forgetting how to do it, hence the article.
Extremely helpful, thank you!
Hi!, Greate post
it helped me to generate all files needed,
i’ve seen the we need to add this to the web.xml file in our project :
Secure URLs
/*
CONFIDENTIAL
but i’m using java class configuration , how can i translate this XML to java class?
I’m using this class:
MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer
does anyone know how to acomplish this ?