For fedora, just run sudo dnf install golang or download and install from go website.
Dowload and install pebble.
go get -u github.com/letsencrypt/pebble/...
cd $GOPATH/src/github.com/letsencrypt/pebble && go install ./...Dowload and install minica, a small CA management tool.
go get github.com/jsha/minica
cd $GOPATH/src/github.com/jsha/minica && go install ./...For linux, consider the interface name as enp0s31f6.
10.10.10.10 is for the pebble server and 10.10.10.11 for the wildfly server.
sudo ifconfig enp0s31f6:0 10.10.10.10 netmask 255.255.255.0 up
sudo ifconfig enp0s31f6:1 10.10.10.11 netmask 255.255.255.0 up10.10.10.10 acme-v02.api.letsencrypt.org
10.10.10.10 acme-staging-v02.api.letsencrypt.org
10.10.10.11 www.foobar.comwww.foobar.com is the domain-names parameter to set in the obtain-certificate operation
Pebble have different endpoint names, so we must adjust it to make the ACME implementation works.
Edit go/src/github.com/letsencrypt/pebble/wfe/wfe.go and change accordingly.
DirectoryPath = "/directory"
RootCertPath = "/root"
noncePath = "/new-nonce"
newAccountPath = "/new-acct"
acctPath = "/my-account/"
newOrderPath = "/new-order"pebble by default have the certificates with CN=localhost, but that will fail to validate, the pebble certificate must set the same name as the public letsecrypt dns names: acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org
Create the new certificates
cd go/src/github.com/letsencrypt/pebble/test/certs
minica -ca-cert pebble.minica.pem \
-ca-key pebble.minica.key.pem \
-domains acme-v02.api.letsencrypt.org,acme-staging-v02.api.letsencrypt.org \
-ip-addresses 10.10.10.10Edit the go/src/github.com/letsencrypt/pebble/test/config/pebble-config.json to set the recently created certificate and bind the ip address.
{
"pebble": {
"listenAddress": "10.10.10.10:443",
"certificate": "test/certs/acme-v02.api.letsencrypt.org/cert.pem",
"privateKey": "test/certs/acme-v02.api.letsencrypt.org/key.pem",
"httpPort": 5002,
"tlsPort": 5001
}
}The PEBBLE_VA_ALWAYS_VALID parameter is to relax the SSL validation.
The PEBBLE_VA_NOSLEEP parameter is to not delay the validation process.
You must run as root as it binds the 443 port.
cd go/src/github.com/letsencrypt/pebble
sudo PEBBLE_VA_ALWAYS_VALID=1 PEBBLE_VA_NOSLEEP=1 go/bin/pebble &Export to DER format
openssl x509 -in test/certs/pebble.minica.pem -inform pem -out pebble.minica.der -outform derImport to a java truststore
keytool -importcert -alias pebble.minica \
-keystore wildfly-15.0.0.Alpha1-SNAPSHOT/standalone/configuration/truststore.jks \
-storepass admin123 -file pebble.minica.derIf JAVA_HOME is not set for root user, you can pass as parameter.
sudo JAVA_HOME=/opt/javavm ./standalone.sh -c standalone-full-ha.xml \
-Djboss.http.port=80 -Djboss.https.port=443 \
-b 10.10.10.11 -bmanagement 10.10.10.11 \
-Djavax.net.ssl.trustStore=../standalone/configuration/truststore.jks \
-Djavax.net.ssl.trustStorePassword=admin123This should be enough to work.
Add a key-store and certificate-authority-account to test it.
/subsystem=elytron/key-store=my_ks1:add(credential-reference={clear-text=admin123},type=jks,path=my_ks1.jks)
/subsystem=elytron/certificate-authority-account=caa_lets1:add(alias=caa_lets1,key-store=my_ks1)
Run obtain-certificate to test it and the outcome should be success
/subsystem=elytron/key-store=my_ks1:obtain-certificate(certificate-authority-account=caa_lets1,alias=my_new_cert2,domain-names=[www.foobar.com],agree-to-terms-of-service,staging)
{"outcome" => "success"}
You can display the certificate as:
/subsystem=elytron/key-store=my_ks1:read-alias(alias=my_new_cert2)