java - 使用 letcrypt 证书在 Wildfly 19 上设置 ssl 证书

Question

我正在尝试在 CentOS 上运行的 wildfly 19.0.0-Final 上实现 SSL 证书centos-release-7-7.1908.0.el7.centos.x86_64 与 Java openjdk 版本“1.8.0_242”OpenJDK 运行时环境(内部版本 1.8.0_242-b08)OpenJDK 64 位服务器虚拟机(内部版本 25.242-b08，混合模式)

我已执行以下步骤来映射 https://www.example.com域到我的 Wildfly 内容工资单

我的 keystore 位于以下位置:/opt/wildfly-19.0.0.Final/standalone/configuration/www.example.com.jks

正在将证书添加到服务器。 http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly

登录管理控制台 sh/opt/wildfly-19.0.0.Final/bin/jboss-cli.sh连接

然后运行以下脚本

batch
# Configure Server Keystore
/subsystem=elytron/key-store=demoKeyStore:add(path=server.keystore,relative-to=jboss.server.config.dir, credential-reference={clear-text=secret},type=JKS)
# Server Keystore credentials  
/subsystem=elytron/key-manager=demoKeyManager:add(key-store=demoKeyStore,credential-reference={clear-text=secret})
# Server keystore Protocols  
/subsystem=elytron/server-ssl-context=demoSSLContext:add(key-manager=demoKeyManager,protocols=["TLSv1.2"]) 
# This is only needed if WildFly uses by default the Legacy security realm
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
# Store SSL Context information in undertow
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=demoSSLContext)

run-batch

reload

现在它将在配置文件中添加一个 tls 部分

看起来像

<tls>
    <key-stores>
        <key-store name="demoKeyStore">
        <credential-reference clear-text="secret"/>
        <implementation type="JKS"/>
        <file path="server.keystore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="demoKeyManager" key-store="demoKeyStore">
        <credential-reference clear-text="secret"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
    </server-ssl-contexts>
</tls>

停止wildfly以开始更改配置。/usr/sbin/wildfly-19.0.0.最后停止阻止野蝇:
将其更改为

 <tls>
                <key-stores>
                    <key-store name="demoKeyStore">
                        <credential-reference clear-text="Some1pwD"/>
                        <implementation type="JKS"/>
                        <file path="www.example.com.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="demoKeyManager" key-store="demoKeyStore">
                        <credential-reference clear-text="Some1pwD"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="demoSSLContext" protocols="TLSv1.2" key-manager="demoKeyManager"/>
                </server-ssl-contexts>
            </tls>

/usr/sbin/wildfly-19.0.0.最终启动

我无法访问https://www.example.com上的wildfly而http://www.example.com正在工作

Answer 1

可以使用 WildFly CLI 从 Let's Encrypt 获取证书。请查看以下描述如何执行此操作的博客文章:

https://developer.jboss.org/people/fjuma/blog/2018/08/31/obtaining-certificates-from-lets-encrypt-using-the-wildfly-cli

第 4.3.6 节中还有其他文档:

https://docs.wildfly.org/19/WildFly_Elytron_Security.html#configure-ssltls

请注意，要使用新证书而无需重新启动服务器，您只需重新初始化 key 管理器(例如，/subsystem=elytron/key-manager=httpsKM:init() )。