Orestis Pantazos
Posted on September 30, 2020
Please make sure that you have the following PEM-encoded files:
- cert.pem: Server certificate only
- chain.pem: Root and intermediate certificates only, Let’s Encrypt chain
- fullchain.pem: Previous cert.pem and chain.pem combined
- privkey.pem: Your certificate's private key
Download the certbot-auto script
Change directory to your home directory
cd /home/orestis
Download certbot-auto from the internet as a superuser
sudo wget https://dl.eff.org/certbot-auto
Make the script executable
sudo chmod a+x certbot-auto
Certbot should now be installed, and we need to ask it to create or renew the certificate.
Stop all background services that are already listening on port 80 (the standalone plugin needs to bind it).
certbot-auto renew
EXAMPLE:
certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email admin@example.com -d example.com -d www.example.com
REAL EXAMPLE:
certbot-auto certonly --standalone --standalone-supported-challenges http-01 --agree-tos --rsa-key-size 4096 --renew-by-default --email opantazos@gmail.com -d opendevops.dev -d www.opendevops.dev
At the end, the command prints something like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/*/fullchain.pem. Your cert will
expire on *. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all of your certificates, run
"certbot-auto renew"*
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
NOTE:
If you are working in a Java environment, the Java key store (JKS) is the official place to store your private keys. Java desktop and web applications typically expect to load the keys they need from a JKS, and it is easy to access from your own Java applications. A JKS is not accessible from outside the Java environment.
PKCS#12 (PFX) is a file format, usually with the extension .p12 or .pfx, in which you can store a private key together with its certificates.
We need to get the public and private keys into the JBoss WildFly application server. Servers such as Apache and Nginx are set up by pointing to the certificate and the private key as separate files, whereas WildFly, like most Java servers, works off a keystore (.jks). So we need to convert the PEM files into a P12 file, a format the Java keytool can read.
Use OpenSSL security toolkit:
Example:
openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out KEYSTORENAME.p12 -name KEYSTOREALIAS
Real Example:
YOURDOMAIN is the folder named after the domain you generated the certificate for; it appeared in the console output of the previous step.
KEYSTORENAME becomes the name of the generated .p12 file. KEYSTOREALIAS (set with -name) is the alias under which the key is stored, and it is referenced later in the JBoss WildFly XML configuration.
After pressing ENTER you will be prompted for a new export password and asked to confirm it. This password is needed in a moment, when we generate the keystore.
Generating Java keystore (.jks)
Example:
/usr/lib/jvm/jdk1.7.0_80/bin/keytool -importkeystore -deststorepass WILDFLY_NEW_STORE_PASS -destkeypass WILDFLY_NEW_KEY_PASS -destkeystore NEW_KEYSTORE_FILE.jks -srckeystore KEYSTORENAME.p12 -srcstoretype PKCS12 -srcstorepass PREVIOUSPASSWORD -alias KEYSTOREALIAS
Real Example:
/usr/lib/jvm/jdk1.8.0_80/bin/keytool -importkeystore -deststorepass athens -destkeypass athens -destkeystore mycert.jks -srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass athens -alias mycert
Go to JBoss WildFly server config directory as superuser and copy the file mycert.jks:
sudo cp mycert.jks /opt/wildfly/standalone/configuration/
WILDFLY_NEW_STORE_PASS: the password of the new keystore
WILDFLY_NEW_KEY_PASS: the password of the key entry inside the destination keystore
NEW_KEYSTORE_FILE: the name of the final .jks file
Open the standalone.xml configuration file and add the server identity, following the same pattern:
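The two conversion steps above (openssl PEM to PKCS#12, then keytool PKCS#12 to JKS) as one added script that is not part of the original post. It assumes openssl and keytool are on PATH, the Let's Encrypt live directory layout from the post, and the passwords in the environment variables P12_PASS and JKS_PASS; it also checks that privkey.pem really belongs to the certificate and warns when the certificate is about to expire.

```shell
#!/bin/sh
# Added example, not the post's own script: convert Let's Encrypt PEM files
# into a WildFly JKS keystore with the checks the manual commands skip.
# Assumes openssl and keytool on PATH and the passwords in the environment
# variables P12_PASS and JKS_PASS (keeps them out of argv and shell history).
set -eu

# 0 if the private key matches the first certificate in the file: compare
# SHA-256 digests of the DER-encoded public key taken from each side.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey |
               openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid after the given window (default 30 days).
cert_not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# fullchain.pem + privkey.pem -> PKCS#12, refusing a mismatched key pair.
pem_to_p12() {
    key_matches_cert "$1" "$2" ||
        { echo "error: $2 does not match $1" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
        -passout env:P12_PASS
    chmod 600 "$3"   # the file now holds the private key
}

# PKCS#12 -> JKS for WildFly; -noprompt avoids the interactive overwrite question.
p12_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass:env P12_PASS -destkeystore "$2" -deststoretype JKS \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS \
        -alias "$3" -noprompt
    chmod 600 "$2"
}

# Usage: sh convert.sh example.com mycert /opt/wildfly/standalone/configuration/mycert.jks
main() {
    : "${P12_PASS:?set P12_PASS}" "${JKS_PASS:?set JKS_PASS}"
    live="/etc/letsencrypt/live/$1"
    cert_not_expiring_soon "$live/cert.pem" ||
        echo "warning: certificate expires within 30 days, renew it first" >&2
    pem_to_p12 "$live/fullchain.pem" "$live/privkey.pem" "$2.p12" "$2"
    p12_to_jks "$2.p12" "$3" "$2"
    keytool -list -keystore "$3" -storepass:env JKS_PASS -alias "$2"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The resulting .jks is written straight into the WildFly configuration directory when you pass that path as the third argument, so the separate cp step is not needed.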
Example:
<server-identities>
  <ssl>
    <keystore path="NEW_KEYSTORE_FILE.jks"
              relative-to="jboss.server.config.dir"
              keystore-password="WILDFLY_NEW_STORE_PASS"
              alias="KEYSTOREALIAS"
              key-password="WILDFLY_NEW_KEY_PASS"/>
  </ssl>
</server-identities>
Real Example:
<server-identities>
  <ssl>
    <keystore path="mycert.jks"
              relative-to="jboss.server.config.dir"
              keystore-password="athens"
              alias="mycert"
              key-password="athens"/>
  </ssl>
</server-identities>
Last but not least, start the WildFly application server, binding it to all interfaces:
./standalone.sh -b 0.0.0.0