I checked Wildfly docs and also other sources, but I just can't get SSL to work in Wildfly.
I exported my keystore file:
openssl pkcs12 -export -out output_cert.pfx -inkey domain.key -in domain.crt -certfile ../ca.crt
keytool -v -importkeystore -srckeystore output_cert.pfx -srcstoretype PKCS12 -destkeystore output_store.jks -deststoretype JKS
I got no errors in the commands above.
Then I configured standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="SSL/output_store.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="1" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I added this to the default-server.
<https-listener name="https" security-realm="ssl-realm" socket-binding="https"/>
I started Wildfly, no errors appeared in the log and I found this line:
10:17:58,475 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on my_ip:8443
Then I deployed an application to the root (/) web context and tried to access it through my_ip:8443, https://my_ip, my_domain:8443, https://my_domain.
However I always get a page with the message "The connection was reset". If I change the URL to my_ip:8080, the application can be found through http.
Anyone have any idea what I might be doing wrong?
It was a really silly mistake.
I had to try to access https://my_domain:8443.
I had tried all combinations, except the correct one.
Related
We are trying to migrate Wildfly from 8.1.0.Final to 26.0.1.Final. Currently Wildfly is running in standalone mode hence standalone.xml is in used for configurations and no domain configuration so far.
Everything is working that includes, management console, package deployments etc but requesting URL with https gives us "This site can't be reached". It appears there is something wrong with SSL configuration in Wildfly 26.0.1.Final because same SSL certificate have been used in version 8.1.0.Final.
Here is SSL/TLS configuration we are using:
<tls>
<key-stores>
<key-store name="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
<implementation type="JKS"/>
<file path="abc-keystore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="abc-keystore">
<credential-reference clear-text="clearpasswordonetwothree"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
We've removed generate-self-signed-certificate-host="localhsot" from configuration because certificate is not self-signed in our case.
Like I mentioned before, same SSL certificate have been used in version 8.1.0.
Please be noted that this is specifically related to version 26.0.1.Final and I have no idea if any more configuration is required apart from the above.
Any help is highly appreciated.
This is how I sorted out with the help of Wildfly support. In my case it's standalone mode.
TLS Block:
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="C:\wildfly26\application.keystore.jks"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" protocols="TLSv1.2" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
Reference SSL context in https-listener
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
Socket Binding under socket-binding-group
Change port from 8443 to 443
<socket-binding name="https" port="${jboss.https.port:443}"/>
Configure Interface
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
</interfaces>
I ran into the same problem since they removed the security realms. I used the top part of this manual: https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html
My setup was that I had a .cer certificate and key, I had to re-create the keystore using these two answers: How to create an empty java trust store? and How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
create keystore with dummy certificate: keytool -genkeypair -alias boguscert -storepass changeit -keypass changeit -keystore server.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"
delete dummy certificate from keystore: keytool -delete -alias boguscert -storepass changeit -keystore server.keystore
Create pkcs12 certificate from key and .crt file openssl pkcs12 -export -in <SERVERNAME>.crt -inkey <SERVERNAME>.key -out server.p12 -name server
import pkcs12 certificate into empty keystore: keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias server
I then followed the top part of jboss documentation I linked above above using the the wildfly-cli located in the bin directory. This writes the needed xml into the standalone.xml so make sure you use the vanilla one that ships with wildfly 26.0.1. After that I had to enable the ssl redirection using this: Redirect http requests to https in wildfly 10
Hope it helps
Here is how my Widfly (20) is configured regarding SSL.
Assuming you have already setup a Java keystore whose entry named 'server' is containing your certificate/key, you have to tell Wildfly to look for that particular alias ('server') in your keystore:
<management>
<security-realms>
...
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="..." alias="server" key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
I am trying to run keycloak on HTTPS using a self-signed certificate.
I followed this doc https://wjw465150.gitbooks.io/keycloak-documentation/content/server_installation/topics/network/https.html.
I have done everything as mentioned but skipped the CA certificate request because I need self-signed.
But it is still running in HTTP and not HTTPS .
It would be great if anyone would be able to guide me in this.
I have created the certificate with the following command:
keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
I have made the following changes in standalone.xml:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" alias="localhost" keystore-password="my_passward" />
</ssl>
</server-identities>
</security-realm>
and changed the HTTPS listener part to the new security realm :
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
What am I missing? why is it not running in HTTPS?
Thanks in advance.
You need to add the new security realm element using CLI tools.
Do refer to this official documentation for more.
I'm trying to enable SSL on my wildfly 11 application server, i bought an ssl certificate in godaddy and downloaded a zip file with this inside:
1. 22c8728db3996008.crt
2. 22c8728db3996008.pem
3. gd_bundle-g2-g1.crt
I follow this steps to install, with this commands:
1. keytool -genkey -alias myalias -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file C:\path\to\cert\22c8728db3996008.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file C:\path\to\cert\gd_bundle-g2-g1.crt
Then copy the keystore.jks file on the standalone/configuration directory
And modify standalone.xml file:
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="myalias" key-password="mypassword"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
And
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
Then restart the server but booting appears this error:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SslRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SslRealm.key-manager: Failed to start service
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
... 3 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:114)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 7 more
How can i install and use my ssl certificate?
After many tries, I was able to solve it.
First to create a keystore file (.keystore), install KeyStore Explorer and follow this steps.
Second for add the keytore file to Wildfly follow this steps.
To redirect all traffic from the server to HTTPS do with this.
And that's it, the SSL certificate works ok.
Hope this help to someone.
for the past two days I've been trying to do one thing, be able to access my webapp (localhost:8080/evop) as www.gestao.com.br and furthermore enable https on my web server so that https://www.gestao.com.br also works.
Summary
I need to have a localhost web application showing the https in front of it's URL (not the crossed red https).
PS: Using Tomcat as the web server and Windows and the host OS.
Explanation
We install Tomcat on each client so they can run our webapp locally at their companies, after sometime we started receiving some complaints that the connection is not secure, even though they are locally, so in order to please our client we decided to enable SSL on their Tomcat servers locally.
Using the keytool provided with JDK it was quite easy to enable https on the server, however the https was crossed by a read line because it was self-signed. At this point I knew a CA was needed to sign the certificate, but since this was all done locally and there were no real domains bought, using a CA like LetsEncrypt was not possible.
So enough of a background story, basically I have a Tomcat server on a Windows 10 machine and it needs to have a signed SSL certificate so the applications hosted on that server have https in front of their urls (not the crossed https)
What I did
In order to do that I found out I was gonna have to be my own CA. Here are my steps:
1. Being able to access my webapp using only a local domain www.gestao.com.br
My webapp url was localhost:8080/evop; However, I changed C:\Windows\System32\drivers\etc\hosts by adding 127.0.0.1 www.gestao.com.br to the end of the file, so I could access it using www.gestao.com.br:8080/evop
I solved the port in the URL problem by editing the server.xml on Tomcat conf folder and adding:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />
With that I was able to access it using www.gestao.com.br/evop
Last step was to change the folder called evop on Tomcat's webapps folder to ROOT and I was able to load my application with wwww.gestao.com.br
2. Becoming my own CA
Created a private key with:
openssl genrsa -des3 -out rootSSL.key 2048
Created the root certificate file:
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Added my new created root certificate to Microsoft Management Console (MMC) so Windows knows it can trust certificates signed by me.
3. Creating and signing a certificate for my own application
Created a private key for the new local domain with:
openssl req -new -sha256 -nodes -out gestao.csr -newkey rsa:2048 -keyout gestao.key -subj "/C=BR/ST=MS/L=Campo Grande/O=Evop/OU=Dev/CN=www.gestao.com.br/emailAddress=dev#evop.com.br"
Issue the certificate with:
openssl x509 -req -in gestao.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out gestao.crt -days 500 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNS:www.gestao.com.br"
4. Configure Tomcat to use the certificate
I tried this two ways, first I opened a powershell on Tomcat conf folder to use rootSSL.pem to create a keystore using JDK's keytool with:
keytool -import -alias root -keystore tomcat.jks -trustcacerts -file rootSSL.pem
Then I also added the local domain certificate with:
keytool -import -alias tomcat -keystore tomcat.jks -file gestao.crt
After that I configured a connector on server.xml like so:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" compression="on" scheme="https" secure="true" keystoreFile="conf/tomcat.jks" keyAlias="tomcat" keystorePass="password" clientAuth="false" SSLVerifyClient="none" sslProtocol="TLSv1.2" />
However I was only able to access Tomcat using the 8080 port, if I tried to access it using port 443 I got a connection refused error.
Secondly I tried not using the keytool and setting the local domain certificate and key directly into the conector, like so:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/gestao.key" certificateFile="conf/gestao.crt" type="RSA" />
</SSLHostConfig>
</Connector>
However, that also did not let me connect using the 443 port.
References
Wil Brown’s article - Be your own certificate authority (CA) and issue certificates for your local development environment and get HTTPS working in Windows 10.
How to install an SSL certificate on a Tomcat server
So I bought a certificate I got a certificate, a key, and intermediate that has 2 beginnings I dont know if that counts or should be add as separated intermediate.
I added the certificate and the intermidate like this.
keytool -import -trustcacerts -alias rootmydomain -file rootmydomain.crt -keystore mykeystore.keystore
keytool -import -trustcacerts -alias interm.mydomain -file interm.mydomain.crt -keystore mykeystore.keystore
I didnt have a problem so far, it crated a mykeystore.keystore file in my wildfly/standalone/configuration/ folder. I was even able to list my entries in mykeystore.keystore.
Then added the following to my standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="mykeystore.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="rootmydomain" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I get the followin error:
04:55:22,538 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ssl-realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ssl-realm.key-manager: WFLYDM0083: The KeyStore /opt/wildfly-10.0.0.Final/standalone/configuration/mykeystore.keystore does not contain any keys.
I had the same configuration with an cert generated by myself and it worked. I dont know why I am not able to make is work like this.
Based on the commands you issued, there are indeed no keys in your keystore, just certificates. You need to get your private key in the keystore in order for Wildfly to be able to pick it up.
importing an existing x509 certificate and private key in Java keystore to use in ssl is an example of how it can be done.