====== SSL/TLS Certificates ======

When using HTTPS on your server you should most probably also provide a **valid** [[https://de.wikipedia.org/wiki/Transport_Layer_Security|TLS]] (aka SSL) certificate. Otherwise browsers tend to block access to your page or at least show a prominent warning that the page is not secure.

===== Let's Encrypt =====

[[https://letsencrypt.org|Let's Encrypt]] is a free, automated, and open certificate authority (CA), run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG).

  * https://letsencrypt.org/how-it-works/
  * http://knowles.co.za/creating-renewing-a-lets-encrypt-certificate-for-apache-and-wildfly/

==== Workflow when using WildFly ====

[[WildFly]] is not directly supported by certbot, so we have to use certbot's standalone mode. Install certbot (see https://certbot.eff.org/#ubuntuxenial-other).

=== Certbot ===

Install certbot:

<code bash>
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt
</code>

Then use interactive certificate creation (make sure port 80 or 443 is available; if WildFly currently binds one of them, stop it first):

<code bash>
# sudo systemctl stop wildfly
sudo certbot certonly --standalone -d YOURDOMAIN
</code>

The certificates then reside in ''/etc/letsencrypt/live/YOURDOMAIN''.

FIXME document backing up of certificates

== Create Java Keystore ==

Now we have to create a Java keystore (.jks) for use with WildFly.
Adapt the variables to match your use case, and note that you should delete the lines containing passwords from your ''~/.bash_history'' (or equivalent):

<code bash>
YOURDOMAIN=example.com
YOURKEYSTORENAME=k
KEYSTOREALIAS=a
OPENSSL_PASS=p
WILDFLY_NEW_STORE_PASS=p
WILDFLY_NEW_KEY_PASS=p
NEW_KEYSTORE_FILE=f

# Bundle the Let's Encrypt private key and certificate chain into a PKCS#12 file
sudo openssl pkcs12 -export \
  -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem \
  -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem \
  -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} \
  -passout pass:${OPENSSL_PASS}

# Import the PKCS#12 file into the keystore WildFly will use
sudo keytool -importkeystore \
  -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDFLY_NEW_KEY_PASS} \
  -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 \
  -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} \
  -alias ${KEYSTOREALIAS}
</code>

Copy the keystore to WildFly:

<code bash>
sudo cp ${NEW_KEYSTORE_FILE}.jks /opt/wildfly/standalone/configuration
sudo chown wildfly:nogroup /opt/wildfly/standalone/configuration/${NEW_KEYSTORE_FILE}.jks
</code>

== WildFly Setup ==

Update the WildFly configuration in ''/opt/wildfly/standalone/configuration/standalone.xml'' in section server -> management:

== Update certificate ==

Since the certificates are not valid for long (3 months) we need regular updates. Check the validity of your certificates:

<code bash>
sudo certbot certificates
</code>

In case WildFly uses port 80/443 you have to shut it down now. Unfortunately you can not specify a different port for the validation, see ''%%certbot --help standalone%%'' (especially the option ''%%--tls-sni-01-port%%''), and https://github.com/certbot/certbot/issues/2697.

Then renew the certificate (updates ''/etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem''):

<code bash>
sudo certbot renew
</code>

Then repeat the steps for creating a new Java keystore.
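The keystore creation and the renewal above are the same hand-typed sequence every three months. The following script is an added example (not part of this wiki page or of certbot/WildFly) that puts both steps into one POSIX sh file suitable for a root cron job. It differs from the manual commands in three ways: the password is read from a root-only secrets file and handed to openssl and keytool through the environment (openssl's `env:` and keytool's `:env` password sources) instead of argv, so it never reaches `~/.bash_history` or `ps`; WildFly is only stopped when the certificate is actually inside certbot's 30-day renewal window, so routine runs cause no downtime; and the new keystore is written to a temporary name and moved into place only after keytool succeeds, with WildFly restarted by a trap even if a step fails. The secrets file path, the keystore name `${DOMAIN}.jks` and the unit name `wildfly` are assumptions to adapt to your host.

```shell
#!/bin/sh
# Added example, not from the wiki page: renew a certbot standalone certificate
# and rebuild the WildFly PKCS#12 keystore from it. Assumed (adapt as needed):
# the secrets file path, the keystore path and the systemd unit name "wildfly".
set -eu

DOMAIN="${DOMAIN:-example.com}"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"
SECRETS_FILE="${SECRETS_FILE:-/etc/letsencrypt/wildfly-keystore.secret}"  # holds STORE_PASS=...
KEYSTORE_ALIAS="${KEYSTORE_ALIAS:-server}"
KEYSTORE_FILE="/opt/wildfly/standalone/configuration/${DOMAIN}.jks"
RENEW_WINDOW_SECONDS=$((30 * 24 * 3600))   # certbot's default renewal window

# True when the file carries no group/other permission bits (ls columns 5-10).
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the value of a KEY=value line from a secrets file; refuse files that
# other users could read, since a readable secrets file defeats the purpose.
read_secret() {
    f=$1; key=$2
    secret_file_is_private "$f" || { echo "refusing $f: readable by group/others" >&2; return 1; }
    val=$(sed -n "s/^${key}=//p" "$f" | head -n 1)
    [ -n "$val" ] || { echo "no ${key}= line in $f" >&2; return 1; }
    printf '%s\n' "$val"
}

# Succeeds when the live certificate expires within the renewal window
# (openssl -checkend returns non-zero in that case, hence the negation).
needs_renewal() {
    ! openssl x509 -noout -checkend "$RENEW_WINDOW_SECONDS" -in "$LIVE_DIR/cert.pem"
}

# Same pkcs12 + keytool conversion as on the page, password taken from the
# exported STORE_PASS variable rather than from the command line.
build_keystore() {
    p12=$(mktemp)                      # mktemp creates the file with mode 0600
    new="${KEYSTORE_FILE}.new"
    openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
        -out "$p12" -name "$KEYSTORE_ALIAS" -passout env:STORE_PASS
    rm -f "$new"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STORE_PASS \
        -destkeystore "$new" -deststoretype PKCS12 \
        -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS \
        -alias "$KEYSTORE_ALIAS"
    rm -f "$p12"
    chown wildfly:nogroup "$new"
    chmod 600 "$new"
    mv -f "$new" "$KEYSTORE_FILE"      # atomic replace; old keystore survives a failed run
}

# Standalone validation needs port 80, so WildFly has to release it first.
# The trap restarts WildFly even if certbot or keytool fails part-way.
renew_and_rebuild() {
    trap 'systemctl start wildfly' EXIT
    systemctl stop wildfly
    certbot renew --cert-name "$DOMAIN"
    build_keystore
}

main() {
    STORE_PASS=$(read_secret "$SECRETS_FILE" STORE_PASS)
    export STORE_PASS
    if needs_renewal; then
        renew_and_rebuild
    else
        echo "$DOMAIN: certificate valid for more than 30 days, nothing to do"
    fi
}

# Only act when explicitly asked, e.g. from root's crontab: renew-wildfly.sh renew
case "${1:-}" in
    renew) main ;;
esac
```

Create the secrets file once with `umask 077` before writing it, so `read_secret` accepts it, and run the script daily; certbot itself decides whether a renewal is due, and the script mirrors that window so WildFly is only interrupted when something will actually change.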