Securing your WildFly or JBoss EAP server with SSL/HTTPS is essential for protecting data and ensuring compliance with security best practices. Using Let’s Encrypt, you can automate the issuance and renewal of SSL certificates for your WildFly applications, removing the hassle of manual certificate management and ensuring your deployments remain secure with valid, up-to-date certificates.
This tutorial will guide you step-by-step to:
- Obtain a free SSL certificate using Let’s Encrypt.
- Configure WildFly to use the Let’s Encrypt certificate for HTTPS.
- Automate certificate renewal with minimal downtime.
Prerequisites
- A domain name pointing to your WildFly server’s IP.
- WildFly 26+ (or JBoss EAP 8+) installed.
- Root or sudo access to the server.
- Port 80 (HTTP) and 443 (HTTPS) open on your firewall.
- Basic knowledge of WildFly and SSL (see: How to configure SSL/HTTPS on WildFly)
1. Install Certbot (Let’s Encrypt ACME Client)
On RHEL/Fedora/CentOS:
sudo dnf install certbot
On Ubuntu/Debian:
sudo apt install certbot
Verify the installation:
certbot --version
2. Obtain the Let’s Encrypt Certificate
You can use the standalone mode to generate the certificate. In this mode certbot starts its own temporary web server on port 80 to answer the ACME challenge, so that port must not be in use by WildFly (or anything else) while the command runs:
sudo certbot certonly --standalone -d yourdomain.com
Certbot will automatically obtain and store certificates in:
/etc/letsencrypt/live/yourdomain.com/
Files you will use:
- fullchain.pem (certificate + CA chain)
- privkey.pem (private key)
3. Convert PEM to PKCS12 for WildFly
WildFly prefers PKCS12 or JKS keystores. Convert the PEM files:
openssl pkcs12 -export \
-in /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
-inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem \
-out /etc/letsencrypt/live/yourdomain.com/keystore.p12 \
-name wildfly \
-password pass:changeit
You can adjust the password as needed. Note that certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, so if WildFly runs as an unprivileged user (as it should), either write the keystore to a directory that user can read, such as the server's configuration directory, and use that path in the next step, or adjust permissions accordingly.
4. Configure WildFly Elytron HTTPS Listener
Connect to the WildFly CLI:
$WILDFLY_HOME/bin/jboss-cli.sh --connect
Add the keystore (a clear-text credential is used here for simplicity; in production an Elytron credential store keeps the password out of the configuration file):
/subsystem=elytron/key-store=letsencryptKS:add(path="/etc/letsencrypt/live/yourdomain.com/keystore.p12", type=PKCS12, credential-reference={clear-text="changeit"})
Add a key manager:
/subsystem=elytron/key-manager=letsencryptKM:add(key-store=letsencryptKS, credential-reference={clear-text="changeit"})
Add an SSL context:
/subsystem=elytron/server-ssl-context=letsencryptSSL:add(key-manager=letsencryptKM, protocols=["TLSv1.3","TLSv1.2"])
Bind the HTTPS listener to the Elytron SSL context:
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=letsencryptSSL)
Reload WildFly:
reload
5. Automate Certificate Renewal
Let’s Encrypt certificates are valid for 90 days. Automate renewal using certbot and a renewal hook to convert and reload WildFly.
Create a renewal script (e.g., /usr/local/bin/renew_wildfly_ssl.sh):
#!/bin/bash
# Rebuild the PKCS12 keystore from the renewed PEM files, then reload WildFly.
set -euo pipefail
DOMAIN=yourdomain.com
PASSWORD=changeit
# certbot runs hooks with a minimal environment, so WILDFLY_HOME must be set here
# (adjust the default path to your installation)
WILDFLY_HOME="${WILDFLY_HOME:-/opt/wildfly}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
openssl pkcs12 -export \
-in "$LIVE/fullchain.pem" \
-inkey "$LIVE/privkey.pem" \
-out "$LIVE/keystore.p12" \
-name wildfly \
-password "pass:$PASSWORD"
"$WILDFLY_HOME/bin/jboss-cli.sh" --connect --command=:reload
Make it executable:
chmod +x /usr/local/bin/renew_wildfly_ssl.sh
Add to certbot renewal hooks:
echo "post_hook = /usr/local/bin/renew_wildfly_ssl.sh" | sudo tee -a /etc/letsencrypt/cli.ini
Test renewal:
sudo certbot renew --dry-run
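The following is an added, hardened version of the renewal hook from steps 3 to 5; it is example code written for this article, not the article's own script or anything shipped with WildFly or certbot. It keeps the same building blocks (openssl pkcs12 export, jboss-cli :reload) but only rebuilds the keystore when fullchain.pem actually changed, writes the PKCS12 file atomically, reads the export password from a file instead of the command line (so it does not appear in the process list), and verifies that the new keystore opens before reloading the server. The paths OUT_DIR, STATE_DIR and PASS_FILE, the group name in KEYSTORE_GROUP, and the directory /opt/wildfly are assumptions you must adapt; the Elytron key-store resource from step 4 is assumed to point at OUT_DIR/keystore.p12 rather than at the file under /etc/letsencrypt/live.

```bash
#!/usr/bin/env bash
# Added example of a renewal hook; not the article's script.
# Assumptions (not from the article): WildFly runs as an unprivileged user that
# can read OUT_DIR, the keystore password lives in a root-only file, and the
# Elytron key-store resource points at $OUT_DIR/keystore.p12.
set -euo pipefail

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
OUT_DIR="${OUT_DIR:-/opt/wildfly/standalone/configuration}"   # assumed WildFly-readable directory
STATE_DIR="${STATE_DIR:-/var/lib/wildfly-letsencrypt}"          # constructed location for stamp files
PASS_FILE="${PASS_FILE:-/etc/wildfly/keystore.pass}"            # assumed root-only password file
KEYSTORE_GROUP="${KEYSTORE_GROUP:-}"                            # e.g. 'wildfly'; empty = leave group unchanged

# Exit 0 when the PEM chain differs from the one last packaged (SHA-256 of the file).
chain_changed() {
  local pem="$1" stamp="$2" current previous
  current=$(sha256sum "$pem" | cut -d' ' -f1)
  previous=$(cat "$stamp" 2>/dev/null || true)
  [ "$current" != "$previous" ]
}

# Remember the hash of the chain we just packaged.
record_chain() { sha256sum "$1" | cut -d' ' -f1 > "$2"; }

# Package fullchain.pem + privkey.pem into a PKCS12 file, written atomically.
# The export password is read via -passout file: so it never shows up in `ps`.
build_keystore() {
  local src="$1" out="$2" passfile="$3" tmp
  tmp=$(mktemp "$(dirname "$out")/.keystore.XXXXXX")
  openssl pkcs12 -export -in "$src/fullchain.pem" -inkey "$src/privkey.pem" \
    -name wildfly -out "$tmp" -passout "file:$passfile"
  chmod 640 "$tmp"
  [ -z "$KEYSTORE_GROUP" ] || chgrp "$KEYSTORE_GROUP" "$tmp"
  mv -f "$tmp" "$out"
}

# Sanity check before touching the server: the PKCS12 file must open with the
# password and contain a certificate.
keystore_ok() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts >/dev/null 2>&1
}

main() {
  local domain="$1" stamp="$STATE_DIR/$domain.sha256" out="$OUT_DIR/keystore.p12"
  mkdir -p "$STATE_DIR"
  if ! chain_changed "$LIVE_DIR/$domain/fullchain.pem" "$stamp"; then
    echo "chain for $domain unchanged; nothing to do"
    return 0
  fi
  build_keystore "$LIVE_DIR/$domain" "$out" "$PASS_FILE"
  keystore_ok "$out" "$PASS_FILE"
  # Full server reload, as in the article; certbot hooks run with a minimal
  # environment, so WILDFLY_HOME must be exported for the hook.
  "${WILDFLY_HOME:?set WILDFLY_HOME for the hook}/bin/jboss-cli.sh" --connect --command=:reload
  record_chain "$LIVE_DIR/$domain/fullchain.pem" "$stamp"
}

# Invoke as `renew_hook.sh yourdomain.com`; with no arguments it only defines the functions.
[ $# -eq 0 ] || main "$@"
```

Because the script compares the chain hash with the last packaged one, it is safe to register it as a post_hook that runs on every certbot invocation: an unchanged certificate results in no keystore rewrite and no server reload.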
Conclusion
By using Let’s Encrypt with WildFly, you can secure your Java applications with valid SSL certificates at no cost, automate renewals, and follow best practices for HTTPS in production environments. This approach simplifies your certificate management workflow while ensuring your WildFly server remains secure, compliant, and ready for modern deployments on cloud and containerized environments.
If you want to further improve your setup, consider TLS termination at a reverse proxy (such as NGINX or HAProxy) for scalability and easier certificate management in clustered WildFly deployments.