
I have done some research into how to prepare the wildcard certificate and add it in a manner in which it could be used within WildFly/JBoss (I'm using WildFly 16, but it should be the same for JBoss).

Files I have (and what they are - gathered from Discerning GoDaddy SSL Certificate Types):

  • <series of numbers>.crt: My certificate
  • gd_bundle-g2-g1.crt: GoDaddy Certificate Bundles - G2 With Cross to G1, includes Root
  • gdig2.crt.pem: GoDaddy Secure Server Certificate (Intermediate Certificate) - G2
  • privatekey.txt: Private Key for my certificate

Through a series of research and assistance from a coworker, I found I could prepare and add the certificates via the following commands:

openssl pkcs12 -export -in <series of numbers>.crt -inkey privatekey.txt -out outfile.pkcs12 -name yourdomain.com -CAfile gd_bundle-g2-g1.crt -caname root
<enter a password>
keytool -importkeystore -trustcacerts -deststorepass <newpass> -destkeypass <newpass> -destkeystore new.keystore -srckeystore outfile.pkcs12 -srcstoretype PKCS12 -srcstorepass <password entered above> -alias yourdomain.com

So, this all works, from a browser anyway. I can browse to pages hosted via WildFly and they work fine and the browser reports no SSL errors. However, an application that I have which uses WebSocket connections failed to verify the certificate. To look into this more I used the following against my site:

openssl s_client -connect yoursite.yourdomain.com:443

This resulted in the following:

Verification error: unable to verify the first certificate

After researching this, I found that Firefox will perform "certificate discovery" and resolve the chain to verify the server's certificate, even if it wasn't provided. So here I am trying to determine what's missing...

2 Answers

0

While trying to resolve this, I suspected the excluded files were necessary for the resolution of the chain, but couldn't easily determine how to get them in. I did some trial and error and tested with openssl s_client each time until I figured out what worked. This was the series of commands that resolved the chain directly from the server:

cat <series of numbers>.crt gdig2.crt.pem > bundle.crt
openssl pkcs12 -export -in bundle.crt -inkey privatekey.txt -out outfile.pkcs12 -name yourdomain.com -CAfile gd_bundle-g2-g1.crt -caname root
<enter a password>
keytool -importkeystore -trustcacerts -deststorepass <newpass> -destkeypass <newpass> -destkeystore new.keystore -srckeystore outfile.pkcs12 -srcstoretype PKCS12 -srcstorepass <password entered above> -alias yourdomain.com

A simple addition resolved the problem. I hope this is helpful for someone!
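As an added example (not part of the question or either answer), the script below builds a throwaway root / intermediate / leaf chain and replays both recipes on it: the question's PKCS#12 export with only the leaf in `-in`, and the answer's version with the leaf and intermediate concatenated first. It then counts the certificates each PKCS#12 actually carries, which is the check to run before handing the file to keytool. It assumes `openssl` is on PATH; the CA names, the `*.example.test` wildcard and the `labpass` password are constructed for the lab and stand in for the GoDaddy files named above.

```sh
#!/bin/sh
# Added example, not from the original question or answers.
# Lab chain: Lab Root CA (stands in for the GoDaddy G2 root)
#            -> Lab Intermediate CA (stands in for gdig2.crt.pem)
#            -> *.example.test (stands in for <series of numbers>.crt)

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext

# Self-signed root.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -config req.cnf -key root.key -subj "/CN=Lab Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate signed by the root.
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -config req.cnf -key int.key -subj "/CN=Lab Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out int.crt 2>/dev/null

# Wildcard leaf signed by the intermediate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -config req.cnf -key leaf.key -subj "/CN=*.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 \
  -extfile leaf.ext -out leaf.crt 2>/dev/null

# Verify the leaf against the root alone, or with the intermediate supplied as
# untrusted chain material. This is what a strict client (or openssl s_client)
# does with whatever the server sends in the handshake.
verify_leaf() {   # $1 = optional intermediate file
  if [ -n "$1" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile root.crt -untrusted "$1" leaf.crt \
      >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CAfile -no-CApath -CAfile root.crt leaf.crt \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Same export as on the page. Note -CAfile/-caname are only consulted together
# with -chain, so with only the leaf in -in the PKCS#12 carries one certificate.
build_p12() {     # $1 = input PEM, $2 = output .p12
  openssl pkcs12 -export -in "$1" -inkey leaf.key -out "$2" -name wildcard \
    -passout pass:labpass -CAfile root.crt -caname root 2>/dev/null
}

# Question's recipe: leaf only.
build_p12 leaf.crt before.p12

# Answer's fix: pkcs12 -export adds every certificate found in -in, so
# concatenating the intermediate makes it travel with the key into the keystore.
cat leaf.crt int.crt > bundle.crt
build_p12 bundle.crt after.p12

# How many certificates does a PKCS#12 carry? Run this before keytool -importkeystore.
count_p12_certs() {   # $1 = .p12 file
  openssl pkcs12 -in "$1" -nokeys -passin pass:labpass 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf against root only:   $(verify_leaf)"                 # fail
echo "leaf with intermediate:   $(verify_leaf int.crt)"         # ok
echo "certs in before.p12:      $(count_p12_certs before.p12)"  # 1
echo "certs in after.p12:       $(count_p12_certs after.p12)"   # 2
```

The keytool step from the page is unchanged; whatever certificates are in the PKCS#12 are what `-importkeystore` copies and what WildFly later sends. After deploying, `openssl s_client -connect yoursite.yourdomain.com:443 -showcerts` prints every certificate the server actually sent, so a missing intermediate shows up there as a one-entry chain rather than as a browser error.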

-1

It's literally impossible. I set up two-way SSL on Android and WildFly and I can't get one-way SSL to work with WildFly. These stupid SSL providers only work in high-level applications like AWS EC2 and Google App Engine. There's absolutely no tutorials on installing these certificates in WildFly.

I've been trying to set up GoDaddy and Comodo certificates on WildFly for hours.

Certbot with Let's Encrypt works perfectly on WildFly. Unfortunately, stupid iOS doesn't work with Let's Encrypt.

Your only option is to use a 3rd party proxy application like Nginx.