Multiple WildFly Domains and SSL Certificates

I have two different domains

  • example1.com
  • example2.com

Each domain has its own SSL certificate.

What I'm trying to do now is use both domains for the same SSL-enabled WildFly instance.

The WildFly documentation states that I can only reference one certificate in a keystore. Thus, I cannot simply define one <security-realm> with one key store containing both certificates.

So I defined two different <security-realm> elements, one for each domain.

    <security-realm name="RealmExample1">
        <server-identities>
            <ssl>
                <keystore path="example1.jks" keystore-password="secret" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

    <security-realm name="RealmExample2">
        <server-identities>
            <ssl>
                <keystore path="example2.jks" keystore-password="secret2" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

However, I cannot add two security domains to the same host.

    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
        <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="central-basic-auth"/>
        </host>
    </server>

Now, if I define a server for each domain, I cannot reference the same http / https listener binding because the ports are blocked.

The only solution I have found so far consists of using two public IP addresses, defining two interfaces, and binding the http / https sockets to each interface. Then I can define two servers with different aliases and different sockets.

At the moment, WildFly, unfortunately, does not support SNI.

Is there any other possible solution?

+6
2 answers

Although this will complicate your deployment a bit, have you considered putting Apache httpd in front of your WildFly server? It is not difficult, and it supports SNI. You will need to convert your certificates for Apache, but then, using Apache virtual hosting, you can have something like:

    <VirtualHost _default_:443>
        ServerName www.firstdomain.com
        ProxyPreserveHost on
        ProxyPass / http://localhost:8080/
        ProxyTimeout 360
    </VirtualHost>

in the first virtual host file and:

    <VirtualHost _default_:443>
        ServerName www.seconddomain.com
        ProxyPreserveHost on
        # if it is a different instance:
        ProxyPass / http://localhost:9080/
        # or, if it is the same instance but a different webapp:
        # ProxyPass / http://localhost:8080/app2
        ProxyTimeout 360
    </VirtualHost>

Again, the downside is that you have another process to support, and you need to configure SSL for Apache. But you can then let Apache do SSL and, if you want, add things like:

    Header set Content-Security-Policy ...
    Header set X-XSS-Protection "1; mode=block"

This setup has worked well for me with Tomcat or WildFly behind Apache.

+5

Sorry for the necroposting, but there is a simpler option: just add multiple domains to a single certificate.

The obvious way is a wildcard certificate.

But Let's Encrypt also allows you to specify multiple domains for a single certificate. It works great, and there is no need to wait for free wildcard certificates.

    sh /root/.acme.sh/acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d more.yourdomain.com -w /opt/wildfly-10.1.0.Final/welcome-content
0
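Whichever of the two answers above is used (an SNI-aware Apache front end that selects a certificate per ServerName, or one multi-domain certificate), the thing worth verifying afterwards is that every domain receives a certificate whose Subject Alternative Names cover it. The script below is an added example and is not part of the original question or either answer; it does not touch WildFly at all. It uses only Python's standard library: `ssl.SSLContext.wrap_socket(server_hostname=...)` is what sends the SNI name in the ClientHello, and `getpeercert()` returns the SAN list as `('DNS', name)` tuples. The SAN list embedded at the bottom is a constructed sample in that same format so the coverage check runs offline; the domain names in it are the ones from the question.

```python
"""Check SAN coverage of a certificate per domain, with SNI-aware fetching.

Added example, not from the original Q&A. Assumes only the Python standard
library; the SAMPLE_MULTI_SAN_CERT dict is constructed to mirror the shape
returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl


def san_dns_names(cert):
    """Extract the DNS entries from a getpeercert()-style certificate dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(hostname, dns_names):
    """RFC 6125-style matching: exact match, or a '*' in the leftmost label only.

    '*.example2.com' covers 'www.example2.com' but neither 'example2.com'
    (different label count) nor 'a.b.example2.com'. Partial wildcards such as
    'w*.example2.com' and wildcards in non-leftmost labels are rejected.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        first, rest = name_labels[0], name_labels[1:]
        if "*" in first and first != "*":
            continue  # partial wildcard in leftmost label: not accepted
        if any("*" in label for label in rest):
            continue  # wildcard only permitted in the leftmost label
        if (first == "*" or first == host_labels[0]) and rest == host_labels[1:]:
            return True
    return False


def coverage_report(domains, dns_names):
    """Map each required domain to whether the SAN list covers it."""
    return {domain: hostname_covered(domain, dns_names) for domain in domains}


def fetch_cert_for_sni(host, port, sni_name, timeout=5.0):
    """Connect to host:port, send sni_name as the SNI value, return the peer cert.

    create_default_context() enables chain validation and hostname checking, so
    a certificate that does not match sni_name makes the handshake raise
    ssl.SSLCertVerificationError instead of returning. Network call; the
    offline test below does not exercise it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


# Constructed sample: the SAN list a multi-domain certificate (the second
# answer's approach) would expose through getpeercert(), in that format.
SAMPLE_MULTI_SAN_CERT = {
    "subject": ((("commonName", "example1.com"),),),
    "subjectAltName": (
        ("DNS", "example1.com"),
        ("DNS", "www.example1.com"),
        ("DNS", "*.example2.com"),
    ),
}

REQUIRED_DOMAINS = ["example1.com", "www.example1.com", "example2.com", "www.example2.com"]

if __name__ == "__main__":
    names = san_dns_names(SAMPLE_MULTI_SAN_CERT)
    for domain, ok in coverage_report(REQUIRED_DOMAINS, names).items():
        print(f"{domain:20s} {'covered' if ok else 'NOT covered'}")
    # To check a live front end per SNI name instead, assuming it listens on 443:
    #   for d in REQUIRED_DOMAINS:
    #       print(d, san_dns_names(fetch_cert_for_sni("your.front.end", 443, d)))
```

Running it against the sample shows the point of the check: `example2.com` is reported as not covered, because a wildcard SAN does not match the bare domain, which is exactly the kind of gap a multi-domain certificate request has to include explicitly (as the `acme.sh` command above does with separate `-d` flags).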
