How to Use Let’s Encrypt for WildFly SSL Certificates

Securing your WildFly or JBoss EAP server with SSL/HTTPS is essential for protecting data and ensuring compliance with security best practices. Using Let’s Encrypt, you can automate the issuance and renewal of SSL certificates for your WildFly applications, removing the hassle of manual certificate management and ensuring your deployments remain secure with valid, up-to-date certificates.

This tutorial will guide you step-by-step to:

  • Obtain a free SSL certificate using Let’s Encrypt.
  • Configure WildFly to use the Let’s Encrypt certificate for HTTPS.
  • Automate certificate renewal with minimal downtime.

Prerequisites

  • A domain name pointing to your WildFly server’s IP.
  • WildFly 26+ (or JBoss EAP 8+) installed.
  • Root or sudo access to the server.
  • Port 80 (HTTP) and 443 (HTTPS) open on your firewall.
  • Basic knowledge of WildFly and SSL (see the article "How to configure SSL/HTTPS on WildFly").

1. Install Certbot (Let’s Encrypt ACME Client)

On RHEL/Fedora/CentOS:

sudo dnf install certbot

On Ubuntu/Debian:

sudo apt install certbot

Verify the installation:

certbot --version

2. Obtain the Let’s Encrypt Certificate

Use certbot's standalone mode to obtain the certificate. In this mode certbot starts its own temporary web server on port 80 to answer the ACME HTTP challenge, so port 80 must be free while the command runs:

sudo certbot certonly --standalone -d yourdomain.com

Certbot will automatically obtain and store certificates in:

/etc/letsencrypt/live/yourdomain.com/

Files you will use:

  • fullchain.pem (Certificate + CA chain)
  • privkey.pem (Private key)

3. Convert PEM to PKCS12 for WildFly

WildFly's Elytron key-store reads PKCS12 or JKS keystores rather than raw PEM files. Convert the PEM files into a PKCS12 keystore:

openssl pkcs12 -export \
    -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem \
    -out /etc/letsencrypt/live/yourdomain.com/keystore.p12 \
    -name wildfly \
    -password pass:changeit

You can adjust the password as needed; the same password is referenced in the Elytron configuration in step 4.

4. Configure WildFly Elytron HTTPS Listener

Connect to the WildFly CLI:

$WILDFLY_HOME/bin/jboss-cli.sh --connect

Add the keystore:

/subsystem=elytron/key-store=letsencryptKS:add(path="/etc/letsencrypt/live/yourdomain.com/keystore.p12", type=PKCS12, credential-reference={clear-text="changeit"})

Add a key manager:

/subsystem=elytron/key-manager=letsencryptKM:add(key-store=letsencryptKS, credential-reference={clear-text="changeit"})

Add an SSL context:

/subsystem=elytron/server-ssl-context=letsencryptSSL:add(key-manager=letsencryptKM, protocols=["TLSv1.3","TLSv1.2"])

Bind the HTTPS listener to the Elytron SSL context:

/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=letsencryptSSL)

Reload WildFly:

reload
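After the reload, it is worth confirming that the listener on port 443 really serves the Let's Encrypt certificate and not the self-signed one WildFly ships with, or a stale keystore. The script below is an added example, not part of the article: it compares the SHA-256 fingerprint of the leaf certificate in certbot's fullchain.pem with the one presented by the live listener (SNI is sent explicitly). It assumes openssl is installed and takes the domain and optional port as arguments; the helper names are the example's own.

```shell
#!/bin/sh
# Post-configuration check for the WildFly HTTPS listener (added example, not from the article).
# Usage: check_wildfly_tls.sh yourdomain.com [port]
set -eu

# Normalise openssl's "SHA256 Fingerprint=AB:CD:..." line to lowercase hex without
# separators so two fingerprints can be compared as plain strings (pure helper).
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the first certificate in a PEM file (the leaf in fullchain.pem).
file_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the leaf certificate presented by the live listener. The server name
# is sent explicitly because a server may host several SSL contexts.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Succeeds only when both fingerprints are non-empty and identical; an empty value means
# one side could not be read (connection refused, unreadable file) and is never a match.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_listener() {
    domain="$1"
    port="$2"
    live_dir="/etc/letsencrypt/live/$domain"
    expected="$(file_fp "$live_dir/fullchain.pem")"
    actual="$(served_fp "$domain" "$port")"
    if fingerprints_match "$expected" "$actual"; then
        echo "OK: $domain:$port serves the Let's Encrypt certificate ($expected)"
        openssl x509 -in "$live_dir/fullchain.pem" -noout -enddate
    else
        echo "MISMATCH: on disk=$expected served=$actual (stale keystore.p12 or wrong ssl-context binding?)" >&2
        return 1
    fi
}

# Run the live check only when a domain was given on the command line, so the helpers
# can also be sourced without network access.
if [ $# -ge 1 ]; then
    check_listener "$1" "${2:-443}"
fi
```

A non-zero exit after a mismatch makes the script usable from monitoring or from a renewal hook, where a silent failure would otherwise leave an expired certificate in place.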

5. Automate Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. Automate renewal with certbot and a renewal hook that rebuilds the PKCS12 keystore from the renewed PEM files and reloads WildFly.

Create a renewal script (e.g., /usr/local/bin/renew_wildfly_ssl.sh):

#!/bin/bash
# Rebuilds the PKCS12 keystore from the renewed PEM files and reloads WildFly.
# certbot runs this hook as root with a minimal environment, so WILDFLY_HOME is not
# inherited from your shell and must be set here (/opt/wildfly is a placeholder).
set -e
DOMAIN=yourdomain.com
PASSWORD=changeit
WILDFLY_HOME=${WILDFLY_HOME:-/opt/wildfly}

openssl pkcs12 -export \
    -in "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" \
    -inkey "/etc/letsencrypt/live/$DOMAIN/privkey.pem" \
    -out "/etc/letsencrypt/live/$DOMAIN/keystore.p12" \
    -name wildfly \
    -password "pass:$PASSWORD"

# Reload so Elytron re-reads the keystore and the https-listener serves the new certificate.
"$WILDFLY_HOME/bin/jboss-cli.sh" --connect --command=:reload

Make it executable:

chmod +x /usr/local/bin/renew_wildfly_ssl.sh

Add to certbot renewal hooks:

echo "post_hook = /usr/local/bin/renew_wildfly_ssl.sh" | sudo tee -a /etc/letsencrypt/cli.ini

Test renewal:

sudo certbot renew --dry-run
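A post_hook runs after every renewal attempt, rebuilds the keystore even when nothing changed, and the script above leaves the keystore password on the openssl command line (visible in the process list) and the resulting keystore.p12, which contains the private key, with whatever permissions the root umask gives it. The following hardened variant is an added example, not the article's script: it is written as a certbot deploy hook, which certbot only invokes after a certificate was actually renewed and for which it exports RENEWED_LINEAGE (the lineage directory, e.g. /etc/letsencrypt/live/yourdomain.com). It reads the keystore password from a root-only file instead of the command line, writes the keystore atomically with restrictive permissions, checks that the keystore opens before reloading, and ignores renewals of other lineages on the same host. The WildFly install path, the OS user WildFly runs as and the password file location are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Hardened certbot deploy hook for WildFly (added example; not the article's script).
# certbot runs deploy hooks only after a successful renewal and sets RENEWED_LINEAGE
# to the renewed lineage directory, so the keystore is rebuilt only when needed.
set -eu

# Assumed values (adjust for your host): the domain from the article, the WildFly install
# directory, the OS user WildFly runs as, and a root-only file holding the keystore
# password, which keeps it out of `ps` output and out of this script.
DOMAIN="${DOMAIN:-yourdomain.com}"
WILDFLY_HOME="${WILDFLY_HOME:-/opt/wildfly}"
WILDFLY_USER="${WILDFLY_USER:-wildfly}"
PASSWORD_FILE="${PASSWORD_FILE:-/etc/letsencrypt/wildfly-keystore.pass}"
ALIAS="wildfly"

# Keystore location for a lineage directory (pure helper).
keystore_path() { printf '%s/keystore.p12' "$1"; }

# Domain a lineage directory belongs to: its last path component (pure helper).
lineage_domain() { basename "$1"; }

# Convert fullchain.pem + privkey.pem into a PKCS12 keystore. The file is created with
# umask 077 under a temporary name, handed to WildFly's user read-only, then renamed into
# place, so the server never sees a half-written keystore and the private key is never
# world-readable.
build_keystore() {
    lineage="$1"
    out="$(keystore_path "$lineage")"
    tmp="$(mktemp "$lineage/.keystore.XXXXXX")"
    (
        umask 077
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" \
            -inkey "$lineage/privkey.pem" \
            -name "$ALIAS" \
            -passout "file:$PASSWORD_FILE" \
            -out "$tmp"
    )
    chown "root:$WILDFLY_USER" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"
    printf '%s' "$out"
}

# Fail before touching WildFly if the keystore cannot be opened with the stored password;
# prints the leaf certificate's subject and expiry for the renewal log.
verify_keystore() {
    openssl pkcs12 -in "$1" -passin "file:$PASSWORD_FILE" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Full reload, as in the article, so Elytron re-reads the keystore file.
reload_wildfly() {
    "$WILDFLY_HOME/bin/jboss-cli.sh" --connect --command=:reload
}

main() {
    lineage="$1"
    # Another lineage on this host was renewed: nothing to do for WildFly.
    if [ "$(lineage_domain "$lineage")" != "$DOMAIN" ]; then
        echo "deploy hook: skipping $lineage (not $DOMAIN)"
        return 0
    fi
    ks="$(build_keystore "$lineage")"
    verify_keystore "$ks"
    reload_wildfly
    echo "deploy hook: WildFly reloaded with renewed certificate from $ks"
}

# certbot sets RENEWED_LINEAGE only when invoking a deploy hook; run any other way, the
# script just defines its functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$RENEWED_LINEAGE"
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every executable there as a deploy hook) instead of the post_hook line in cli.ini, and create the password file once with a restrictive umask, e.g. `(umask 077; echo changeit > /etc/letsencrypt/wildfly-keystore.pass)`. The password in that file must match the clear-text value in the Elytron key-store and key-manager credential-reference from step 4; `certbot renew --dry-run` does not run deploy hooks, so test the hook once with `sudo certbot renew --force-renewal` on a staging host or by exporting RENEWED_LINEAGE manually.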

Conclusion

By using Let’s Encrypt with WildFly, you can secure your Java applications with valid SSL certificates at no cost, automate renewals, and follow best practices for HTTPS in production environments. This approach simplifies your certificate management workflow while ensuring your WildFly server remains secure, compliant, and ready for modern deployments on cloud and containerized environments.

If you want to further improve your setup, consider TLS termination at a reverse proxy (such as NGINX or HAProxy) for scalability and easier certificate management in clustered WildFly deployments.
