On Wed, 2022-07-13 at 15:38 -0500, John W. Himpel wrote:
I am trying to follow Farah Juma's Blog entry found at
https://developer.jboss.org/people/fjuma/blog/2018/08/31/obtaining-certif...
to configure wildfly to obtain a "Let's Encrypt" certificate for use by
wildfly (Version 26).
I have installed a new wildfly instance in /opt/wildfly/wf26. It starts successfully
using systemd.
I execute the jboss-cli command shown under the heading "Prerequisite
configuration" using the following command:
/opt/wildfly/wf26/bin/jboss-cli.sh --connect
batch --file=/home/jwhimpel/prerequisite.cli
run-batch
jboss-cli.sh responds with "The batch executed successfully".
In /opt/wildfly/wf26/standalone/log/server.log, I see:
2022-07-13 20:06:30,849 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/wildfly/wf26/standalone/configuration/server.keystore.jks' does not exist. Used blank.
I'm assuming this is a harmless warning.
I execute the jboss-cli command shown under the heading "One-time
configuration" using the following command:
/opt/wildfly/wf26/bin/jboss-cli.sh --connect
batch --file=/home/jwhimpel/configure_account.cli
run-batch
jboss-cli.sh responds with "The batch executed successfully"
In /opt/wildfly/wf26/standalone/log/server.log, I see:
2022-07-13 20:07:12,878 WARN [org.wildfly.extension.elytron] (MSC service thread 1-3) WFLYELY00023: KeyStore file '/opt/wildfly/wf26/standalone/configuration/accounts.keystore.jks' does not exist. Used blank.
Again, I'm assuming this is a harmless warning. However, an accounts.keystore.jks
file now appears under
/opt/wildfly/wf26/standalone/configuration/.
I execute the jboss-cli command shown under the heading "Obtain a certificate from
Let's Encrypt" using the following command:
/opt/wildfly/wf26/bin/jboss-cli.sh --connect
batch --file=/home/jwhimpel/obtain_certificate.cli
run-batch
jboss-cli.sh responds with: The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-1
Operation: /subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
Failure: ELY10048: Challenge response failed validation by the ACME server
In /opt/wildfly/wf26/standalone/log/server.log, I see:
2022-07-13 20:25:48,624 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2)
WFLYCTL0013: Operation ("obtain-certificate") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "serverKS")
]) - failure description: "ELY10048: Challenge response failed validation by the ACME server"
File prerequisite.cli:
/subsystem=elytron/key-store=serverKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
File configure_account.cli:
/subsystem=elytron/key-store=accountsKS:add(path=accounts.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/certificate-authority-account=myLetsEncryptAccount:add(alias=letsEncrypt,key-store=accountsKS,contact-urls=[mailto:john@jlhimpel.net])
File obtain_certificate.cli:
/subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
firewall-cmd --list-all shows:
Server (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0 localhost
sources:
services: cockpit http https mountd nfs rpc-bind ssh
ports: 9990/tcp 9993/tcp 8080/tcp 8443/tcp 19990/tcp 19993/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
At this point, I am stumped as to what I might have done wrong. Any suggestions would be
greatly appreciated.
John
I discovered that my router was pointing inbound ports 80 and 443 to another server. I corrected the router settings and reran the failing command.
I got the following on the console:
The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-1
Operation: /subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
Failure: ELY10048: Challenge response failed validation by the ACME server
I got the following in the server.log:
2022-07-14 20:55:12,431 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 6)
WFLYCTL0013: Operation ("obtain-certificate") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "serverKS")
]) - failure description: "ELY10048: Challenge response failed validation by the ACME server"
I see nothing in the journal log. I see nothing in the audit log.
I performed "certbot certificates" and there is no certificate listed for
testwildfly.jlhimpel.net.
If I look at https://crt.sh, I see two certificates for testwildfly.jlhimpel.net with expiration dates in June of 2022.
I am at a loss for ideas or places to look.
John
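Both posts above end in ELY10048, which is WildFly reporting that the ACME server fetched the HTTP-01 challenge URL and did not get back what it expected. The script below is an added example, not code from the thread, from WildFly, or from Farah Juma's blog: it reproduces the CA's side of HTTP-01 validation (RFC 8555 sections 8.1 and 8.3, RFC 7638 for the JWK thumbprint) so that the challenge path can be checked from outside before running obtain-certificate. The function names (check_http01, serve, key_authorization), the SAMPLE_JWK modulus (a base64url string, not a real RSA key) and SAMPLE_TOKEN are all constructed for the example; the three loopback servers are stand-ins for the situations the thread describes (port 80 reaching a different host, a stale body, and the correct responder), not for WildFly itself.

```python
"""Pre-flight check for an ACME HTTP-01 challenge, done the way the CA does it.

The CA fetches  http://<domain>/.well-known/acme-challenge/<token>  on port 80
and expects the body to be the key authorization
    <token>.<base64url(SHA-256(JWK thumbprint of the account key))>
(RFC 8555 sections 8.1 and 8.3; RFC 7638 for the thumbprint). A 404 from some
other host, a redirect elsewhere, or a body for a different account key are all
reported by WildFly only as ELY10048.
"""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to read back."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_http01(base_url: str, token: str, jwk: dict, timeout: float = 5.0) -> tuple:
    """Fetch the challenge URL like the CA does and compare the body byte for byte.

    Returns (ok, reason). urllib follows redirects, as the CA does, so a redirect
    to the wrong host is diagnosed by the final response, not hidden.
    """
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, jwk)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code} from {url}: whatever answers there is not serving the challenge"
    except (urllib.error.URLError, OSError) as e:
        return False, f"cannot reach {url}: {e}"
    if body != expected:
        return False, f"body mismatch at {url}: got {body[:40]!r}, expected {expected[:40]!r}"
    return True, f"{url} serves the expected key authorization"


def serve(responses: dict) -> tuple:
    """Constructed stand-in HTTP server on a loopback port (test fixture, not WildFly)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = responses.get(self.path)
            if body is None:
                self.send_error(404)
                return
            data = body.encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# Constructed account key and token: the modulus is not a real RSA key, it only
# has to be a base64url string for the thumbprint arithmetic to run.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Port 80 landing on another host, a stale body, and the correct responder."""
    path = f"/.well-known/acme-challenge/{SAMPLE_TOKEN}"
    other, other_url = serve({})                                              # different server: 404
    stale, stale_url = serve({path: f"{SAMPLE_TOKEN}.not-this-accounts-key"})  # right path, wrong key
    good, good_url = serve({path: key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)})
    results = {}
    try:
        for name, url in (("other_server", other_url), ("stale_body", stale_url), ("wildfly", good_url)):
            ok, why = check_http01(url, SAMPLE_TOKEN, SAMPLE_JWK)
            print(f"{name:13s} {'OK  ' if ok else 'FAIL'} {why}")
            results[name] = ok
    finally:
        for srv in (other, stale, good):
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    demo()
```

Against a real host, call check_http01("http://testwildfly.jlhimpel.net", token, account_jwk) from a machine outside the LAN while the challenge is being served; a 404 or a connection to something other than the intended WildFly instance is the same symptom the router misconfiguration in the thread produced, and it is visible here with the responding host's actual answer rather than only as ELY10048.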