
Simple TLS certificates in WildFly 18

WildFly 18 was released just two weeks ago. It includes nice improvements in TLS certificate handling through the ACME protocol (Automatic Certificate Management Environment), which greatly simplifies obtaining valid HTTPS certificates.

There was already support for the Let's Encrypt CA in WildFly 14, as Farah Juma described in her blog post last year.

The new WildFly version allows using other CAs that support the ACME protocol.
It also adds a new switch, --lets-encrypt, to the interactive mode of the security enable-ssl-http-server JBoss CLI command. Let's try it.

Before we jump into the WildFly configuration, let's mention that HTTPS can be used even in the default configuration: a self-signed certificate is generated on the fly. Nevertheless, it's not secure (clients have no way to verify it) and you should not use it for any purpose other than testing.

Use a Let's Encrypt signed certificate for the HTTPS application interface

Start WildFly on a machine with a public IP address and run it on the default HTTP (80) and HTTPS (443) ports.

# run the following command as root, because it uses privileged port numbers
bin/standalone.sh -b \
  -Djboss.http.port=80 -Djboss.https.port=443

Connect JBoss CLI to the running WildFly instance:

bin/jboss-cli.sh --controller= --connect

and then run interactive Let's Encrypt configuration:

security enable-ssl-http-server --interactive --lets-encrypt

If you just confirm the defaults, agree to the Let's Encrypt terms of service and fill in your domain name(s), the output looks like this:

[standalone@ /] security enable-ssl-http-server --interactive --lets-encrypt
Please provide required pieces of information to enable SSL:

Let's Encrypt account key-store:
File name (default accounts.keystore.jks): 
Password (blank generated): 

Let's Encrypt certificate authority account:
Account name (default CertAuthorityAccount): 
Contact email(s) [admin@example.com,info@example.com]: 
Password (blank generated): 
Alias (blank generated): 
Certificate authority URL (default https://acme-v02.api.letsencrypt.org/directory): 

Let's Encrypt TOS (https://community.letsencrypt.org/tos)
Do you agree to Let's Encrypt terms of service? y/n:y

Certificate info:
Key-store file name (default default-server.keystore): 
Password (blank generated): 
Your domain name(s) (must be accessible by the Let's Encrypt server at 80 & 443 ports) [example.com,second.example.com]: blog.wildfly-administration-training.xyz
Alias (blank generated): 
Enable SSL Mutual Authentication y/n (blank n):

Let's Encrypt options:
account key store name: account-key-store-b31e7f3d-8d16-46af-914e-91c3084a99d3
password: rRp8j1lw
account keystore file accounts.keystore.jks will be generated in server configuration directory.
Let's Encrypt certificate authority account name: CertAuthorityAccount
contact urls: []
password: crmYAvbS
alias: account-key-store-alias-b31e7f3d-8d16-46af-914e-91c3084a99d3
certificate authority URL: https://acme-v02.api.letsencrypt.org/directory
You provided agreement to Let's Encrypt terms of service.

SSL options:
key store file: default-server.keystore
domain name: [blog.wildfly-administration-training.xyz]
password: Gl2T6lVM
validity: 90
alias: alias-b31e7f3d-8d16-46af-914e-91c3084a99d3
Certificate will be obtained from Let's Encrypt server and will be valid for 90 days.
Server keystore file will be generated in server configuration directory.

Do you confirm y/n :y
Server reloaded.
SSL enabled for default-server
ssl-context is ssl-context-b31e7f3d-8d16-46af-914e-91c3084a99d3
key-manager is key-manager-b31e7f3d-8d16-46af-914e-91c3084a99d3
key-store   is key-store-b31e7f3d-8d16-46af-914e-91c3084a99d3

Let's verify the HTTPS access in the browser:
Everything works now!

Use HTTPS for the management interface

If you already have a certificate for the application interface, you can simply reuse it for the management interface by referencing the existing key-store name (a generated one in my case):

security enable-ssl-management --key-store-name=key-store-b31e7f3d-8d16-46af-914e-91c3084a99d3

If you didn't enable HTTPS for the application interface and you just want a valid certificate for the management interface, use the interactive mode again:

security enable-ssl-management --interactive --lets-encrypt

Simple, isn't it? :)
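Both procedures above end with a Let's Encrypt certificate that is valid for only 90 days, so after enabling HTTPS on the application interface (port 443) or the management interface you will want a check that the served certificate really covers your domain and is not approaching expiry. The script below is an added example, not part of WildFly or of the original post: it fetches the peer certificate with full chain verification and reports the remaining validity, warning below an assumed 30-day threshold. The domain is the one used above; the management HTTPS port 9993 is WildFly's default and is an assumption, and SAMPLE_CERT is a constructed dictionary in the shape ssl.getpeercert() returns, not a real certificate.

```python
"""Check the certificate served by a WildFly HTTPS endpoint (example code).

Reports whether the certificate covers the expected domain and how many days
remain before it expires. Let's Encrypt certificates last 90 days, so the
renewal warning threshold (assumed) is 30 days.
"""
import socket
import ssl
from datetime import datetime, timezone

RENEW_WARN_DAYS = 30  # assumed threshold: warn when fewer days remain


def parse_utc(iso: str) -> datetime:
    """Turn an ISO-8601 timestamp such as '2019-12-01T10:00:00' into an aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # the wildcard covers exactly one non-empty label, the rest must be identical
    return len(p_labels) == len(h_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """DNS entries of subjectAltName in the dict format ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_remaining(cert: dict, now=None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def assess(cert: dict, domain: str, now=None, warn_days: int = RENEW_WARN_DAYS) -> dict:
    """Verdict: status is one of 'ok', 'renew-soon', 'expired', 'name-mismatch'."""
    covered = any(hostname_matches(name, domain) for name in san_dns_names(cert))
    days = days_remaining(cert, now)
    if not covered:
        status = "name-mismatch"
    elif days < 0:
        status = "expired"
    elif days < warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {"covered": covered, "days_left": days, "status": status}


def fetch_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Fetch the peer certificate, verifying the chain against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.wildfly-administration-training.xyz"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Oct  9 10:00:00 2019 GMT",
    "notAfter": "Jan  7 10:00:00 2020 GMT",
    "subjectAltName": (("DNS", "blog.wildfly-administration-training.xyz"),),
}

if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "blog.wildfly-administration-training.xyz"
    for port in (443, 9993):  # application HTTPS and the assumed default management HTTPS port
        try:
            verdict = assess(fetch_cert(host, port), host)
        except (OSError, ssl.SSLError) as exc:
            verdict = {"status": f"error: {exc}"}
        print(f"{host}:{port} -> {verdict}")
```

Run it as `python check_cert.py your.domain` from a machine outside the server's network; a verification error from fetch_cert means the chain is not trusted by the client (for example the self-signed default certificate mentioned at the start), while a "renew-soon" verdict is the cue to re-run the security enable-ssl-* command before the 90 days run out.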

