I appreciate the mission of Let's Encrypt and all the effort of community members but damn SSL should be easier!
I'm trying to secure a Keycloak server and I'm hitting walls everywhere I turn. Here's a quick overview of what's happened thus far and the problems I'm running into. Linux is not a familiar environment but I'd like it to be more so, so if anyone has any pointers explicitly spelled out I'd be very grateful:
- Installed CentOS 8 minimal version
- Did updates
- Installed Java 1.8.0 as Keycloak requires this and is based on WildFly/JBoss
- Installed Keycloak and did various config setup
- Keycloak is running
- Dutifully followed the instructions to install snapd - not sure why I wouldn't be able to use wget?
- Installed Certbot
- Tried getting a certificate using standalone and it said the challenge failed
- So, Keycloak runs on port 8080 and I believe Certbot is checking 80 by default
- I tried --preferred-challenges to have it check on port 443 (for other reasons) but it's rejecting tls-sni
- I honestly have no idea if this server is running Apache, Nginx or something else, but it is a working Keycloak installation
- I do have a subdomain pointing to the server and would be willing (and in fact this might be preferable) to do some sort of DNS challenge but that involves installing some other package? This isn't clear to me either.
I tried all last night to get past these barriers, googling everything, and still did not succeed. For experienced web server folks this might be a walk in the park, but for newbies... I know I have more challenges coming my way with a PKCS12 conversion, but we'll cross that bridge when we get to it. If I can get this cert issued and get it in the /etc/letsencrypt folder, I might have enough examples to get the rest done.
So, could anyone help with simple instructions on how to do the challenge using DNS - that avoids all the port issues and would seem the simplest way forward. Thanks folks, I really appreciate it.
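Added example, not part of the original post and not Let's Encrypt's or Keycloak's own tooling: a small bash script that covers the two steps the post is stuck on. It first lists whatever is listening on port 80, because http-01 is always delivered to TCP port 80 of the host regardless of which port Keycloak uses (so `--standalone` fails if that port is taken or firewalled), then builds the `certbot` invocation for a manual DNS-01 challenge (no port on the server needs to be reachable), and finally builds the `openssl pkcs12` export that turns the `/etc/letsencrypt/live/<domain>/` files into a keystore Keycloak can load. The hostname `keycloak.example.com`, the contact address, the output path `/opt/keycloak/keycloak.p12` and the `P12_PASS` variable name are placeholders; `certbot`, `openssl` and `ss` are assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders: hostname, e-mail,
# output path and the P12_PASS environment variable.
set -eu

# certbot's real on-disk layout: one directory per certificate name.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Why --standalone failed: the http-01 check arrives on port 80 of the host,
# so certbot must be able to bind it. Show who currently holds port 80
# (informational only; the process column needs root to be populated).
whats_on_port_80() {
  ss -ltnp 2>/dev/null | awk '$4 ~ /:80$/' || true
}

# Build the certbot command for a manual DNS-01 challenge. certbot prints a
# TXT record name and value; add that record at the DNS provider, wait for it
# to propagate, then let certbot continue. No server port is involved.
certbot_dns_cmd() {
  domain="$1"; email="$2"
  printf 'certbot certonly --manual --preferred-challenges dns -d %s -m %s --agree-tos' \
    "$domain" "$email"
}

# Build the openssl command that bundles the private key and full chain into a
# PKCS12 keystore (alias "keycloak"). The export password is read from the
# environment (env:P12_PASS) so it never shows up in `ps` output or shell
# history the way -passout pass:... would.
pkcs12_cmd() {
  domain="$1"; out="$2"
  printf 'openssl pkcs12 -export -in %s -inkey %s -out %s -name keycloak -passout env:P12_PASS' \
    "$LE_LIVE/$domain/fullchain.pem" "$LE_LIVE/$domain/privkey.pem" "$out"
}

main() {
  domain="${1:-keycloak.example.com}"   # placeholder hostname
  email="${2:-admin@example.com}"       # placeholder contact address
  out="/opt/keycloak/keycloak.p12"      # assumed Keycloak install path
  echo "== listeners on :80 (empty output means nothing is blocking standalone) =="
  whats_on_port_80
  echo "== 1. issue the certificate via DNS-01 =="
  certbot_dns_cmd "$domain" "$email"; echo
  echo "== 2. convert for Keycloak (run 'export P12_PASS=...' first) =="
  pkcs12_cmd "$domain" "$out"; echo
  echo "chmod 600 $out   # the .p12 contains the private key: owner-only"
}

main "$@"
```

Run it as root once the subdomain resolves to the server; step 1 is interactive (certbot pauses while you add the TXT record), and the renewal later needs the same manual step or a DNS-provider plugin, which is the "other package" the post mentions. The `.p12` file holds the private key, so keep it readable only by the account Keycloak runs as.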