We Keep Coding

SSL configuration is not working in Wildfly 26.0.1

We are trying to migrate Wildfly from 8.1.0.Final to 26.0.1.Final. Currently Wildfly is running in standalone mode hence standalone.xml is in used for configurations and no domain configuration so far.
Everything is working that includes, management console, package deployments etc but requesting URL with https gives us "This site can't be reached". It appears there is something wrong with SSL configuration in Wildfly 26.0.1.Final because same SSL certificate have been used in version 8.1.0.Final.
Here is SSL/TLS configuration we are using:
<tls>
<key-stores>
<key-store name="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
<implementation type="JKS"/>
<file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
We've removed generate-self-signed-certificate-host="localhsot" from configuration because certificate is not self-signed in our case.
Like I mentioned before, same SSL certificate have been used in version 8.1.0.
Please be noted that this is specifically related to version 26.0.1.Final and I have no idea if any more configuration is required apart from the above.
Any help is highly appreciated.

This is how I sorted out with the help of Wildfly support. In my case it's standalone mode.
TLS Block:
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="C:\wildfly26\application.keystore.jks"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" protocols="TLSv1.2" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
Reference SSL context in https-listener
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
Socket Binding under socket-binding-group
Change port from 8443 to 443
<socket-binding name="https" port="${jboss.https.port:443}"/>
Configure Interface
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
</interfaces>

I ran into the same problem since they removed the security realms. I used the top part of this manual: https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html
My setup was that I had a .cer certificate and key, I had to re-create the keystore using these two answers: How to create an empty java trust store? and How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
create keystore with dummy certificate: keytool -genkeypair -alias boguscert -storepass changeit -keypass changeit -keystore server.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"
delete dummy certificate from keystore: keytool -delete -alias boguscert -storepass changeit -keystore server.keystore
Create pkcs12 certificate from key and .crt file openssl pkcs12 -export -in <SERVERNAME>.crt -inkey <SERVERNAME>.key -out server.p12 -name server
import pkcs12 certificate into empty keystore: keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias server
I then followed the top part of jboss documentation I linked above above using the the wildfly-cli located in the bin directory. This writes the needed xml into the standalone.xml so make sure you use the vanilla one that ships with wildfly 26.0.1. After that I had to enable the ssl redirection using this: Redirect http requests to https in wildfly 10
Hope it helps

Here is how my Widfly (20) is configured regarding SSL.
Assuming you have already setup a Java keystore whose entry named 'server' is containing your certificate/key, you have to tell Wildfly to look for that particular alias ('server') in your keystore:
<management>
<security-realms>
...
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="..." alias="server" key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>

Debian 9 Tomcat 9 Let's Encrypt SSL config

It drives me nuts now.
I have created sym links to the PEM files. I made the PEM files readable for the tomcat user. I set the server.xml to use SSL. And the connector fails to start.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
defaultSSLHostConfigName="mydomain.com"
>
<SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
<Certificate
certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem"
type="UNDEFINED"
/>
</SSLHostConfig>
</Connector>
I did try to change the type to RSA, to no avail. All I see in the log is:
02-Jan-2021 17:40:54.398 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
02-Jan-2021 17:40:54.466 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
... some lines removed
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
... some lines are removed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
... 13 more
Caused by: java.io.IOException
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I've checked the SSLUtilBase.java code (tomcat 9.0.33):
if (certificate.getCertificateFile() == null) {
throw new IOException(sm.getString("jsse.noCertFile"));
}
I did try to copy the files instead of using sym links. No avail. Removed the comments from the cert files. No avail. It seems tomcat cannot find the files I've specified in the server.xml.
What do I miss?

Whenever you use one of the deprecated properties on a connector, Tomcat creates an <SSLHostConfig> element with hostName="_default_" and a <Connector> element inside it. The error is caused by the lack of the certificateFile on this particular element.
Remove the deprecated attributes (clientAuth, sslProtocol) from the <Connector> element and everything should work.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
defaultSSLHostConfigName="mydomain.com">
<SSLHostConfig hostName="mydomain.com" protocols="TLSv1+TLSv1.1+TLSv1.2">
<Certificate
certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem"
type="UNDEFINED"
/>
</SSLHostConfig>
</Connector>
Remark: the sslProtocol attribute is a characteristic of JSSE and should always be left at the default value (TLS).

I had the same issue with Ubuntu 20.04 and Tomcat 9.0.52.
Tomcat - server.xml - certificateKeyFile
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
I also tried everything that you described above and I also was not able to make the Tomcat Connector with certificateKeyFile to work.
Note, on RedHat Linux 7/8 it works fine though!!! I only got this issue in Ubuntu 20.04.
The good news is it works fine in Ubuntu 20.04 if you use a keystore instead of the certificateKeyFile.
You will need to create the keystore as the user that runs tomcat, in my case the user named "tomcat", then created the CSR using the keystore, issue the certificate, and imported the certificate into the keystore.
--Create the keystore folder and grant the proper permissions:
su - root
mkdir /rhdata/sslcert
chown -R tomcat:tomcat /rhdata/sslcert
su - tomcat
cd /rhdata/sslcert
--Create the PKCS12 keystore (must do the previous step):
su - tomcat
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keystore /rhdata/sslcert/.keystore
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -validity 3600 -keysize 2048 -keystore /rhdata/sslcert/.keystore
Enter keystore password: key$tom#2021
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool --list --keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021'
--Create the CSR:
su - tomcat
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -certreq -keyalg RSA -alias tomcat -file /rhdata/sslcert/keytool_cert/certreq.csr -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021'
--Create the new certificate from the certificate authority using the CSR
--Import the new certificate into the keystore:
su - tomcat
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021' -file /rhdata/sslcert/keytool_cert/certnew.p7b
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021' -file /rhdata/sslcert/keytool_cert/certnew.cer
--This is the new Tomcat connector:
Tomcat - server.xml - keystore
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/rhdata/sslcert/.keystore" keystorePass="key$tom#2021"
clientAuth="false" sslProtocol="TLS"/>
--Verify the new Tomcat server.xml file
su - tomcat
cd /usr/local/tomcat9/conf
/usr/local/tomcat9/bin/configtest.sh
--Then, stop/start Tomcat.
su - root
systemctl stop tomcat.service
systemctl start tomcat.service
systemctl status tomcat.service
vi /usr/local/tomcat9/logs/catalina.out <-- shall not have any errors!!!

SSL certificate installation on Wildfly server

I was trying to install SSL certificate on wildfly application server which is hosted in aws Ec2 instance.
I purchased SSL certificate in godaddy. I downloaded SSL ssl certificate zip from godaddy portal. Which consists of following
1 .gd_bundle-g2-g1.crt
2 .gdig2.crt.pem
3. 70c350d31695.crt
4. 70c350d31695.pem
Created keystore and imported certificates in to keystore with following command
keytool -genkey -alias wildfly -keyalg RSA -keystore wildfly.jks
keytool -import -alias root -keystore wildfly.jks -trustcacerts -file 70c350d31695.crt
keytool -import -alias intermed -keystore wildfly.jks -trustcacerts -file gd_bundle-g2-g1.crt
Also done configuration in wildfly as follows
standalone.xml
<security-realm`enter code here` name="SslRealm">
<server-identities>
<ssl>
<keystore path="/home/centos/ssl/newssl/wildfly.jks" alias="wildfly" keystore-password="OHGv216TZDhbd" />
</ssl>
</server-identities>
</security-realm>
and
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
But after restarts application, keystore recognized but https certificates not recognized. When i am double click on certificate in browesr it has only keystore information not certificate information.
Please help me to fix this.
In browser certificate error like following

You need a single entry I think in your keystore with all the details. You might find it easier using KSE (https://keystore-explorer.org/) rather than the cli

Keystore not working with CA cert in wildfly

So I bought a certificate I got a certificate, a key, and intermediate that has 2 beginnings I dont know if that counts or should be add as separated intermediate.
I added the certificate and the intermidate like this.
keytool -import -trustcacerts -alias rootmydomain -file rootmydomain.crt -keystore mykeystore.keystore
keytool -import -trustcacerts -alias interm.mydomain -file interm.mydomain.crt -keystore mykeystore.keystore
I didnt have a problem so far, it crated a mykeystore.keystore file in my wildfly/standalone/configuration/ folder. I was even able to list my entries in mykeystore.keystore.
Then added the following to my standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="mykeystore.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="rootmydomain" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I get the followin error:
04:55:22,538 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ssl-realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ssl-realm.key-manager: WFLYDM0083: The KeyStore /opt/wildfly-10.0.0.Final/standalone/configuration/mykeystore.keystore does not contain any keys.
I had the same configuration with an cert generated by myself and it worked. I dont know why I am not able to make is work like this.

Based on the commands you issued, there are indeed no keys in your keystore, just certificates. You need to get your private key in the keystore in order for Wildfly to be able to pick it up.
importing an existing x509 certificate and private key in Java keystore to use in ssl is an example of how it can be done.

SSL not working in Wildfly

I checked Wildfly docs and also other sources, but I just can't get SSL to work in Wildfly.
I exported my keystore file:
openssl pkcs12 -export -out output_cert.pfx -inkey domain.key -in domain.crt -certfile ../ca.crt
keytool -v -importkeystore -srckeystore output_cert.pfx -srcstoretype PKCS12 -destkeystore output_store.jks -deststoretype JKS
I got no errors in the commands above.
Then I configured standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="SSL/output_store.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="1" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I added this to the default-server.
<https-listener name="https" security-realm="ssl-realm" socket-binding="https"/>
I started Wildfly, no errors appeared in the log and I found this line:
10:17:58,475 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on my_ip:8443
Then I deployed an application to the root (/) web context and tried to access it through my_ip:8443, https://my_ip, my_domain:8443, https://my_domain.
However I always get a page with the message "The connection was reset". If I change the URL to my_ip:8080, the application can be found through http.
Anyone have any idea what I might be doing wrong?

It was a really silly mistake.
I had to try to access https://my_domain:8443.
I had tried all combinations, except the correct one.