Suggestions for the documentation

[talcher]

Hello the EJBCA team,

I am afraid a point is missing in the Enable HTTP Strict Transport Layer Security of the documentation.
Though the filter is properly defined, it is not set up. That can be done with this additional command:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/filter-ref=hsts:add()'

My other point deals with Configure WildFly as a Service.
If I follow the documentation with PIDFile=/var/run/wildfly/wildfly.pid in the /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service file, I get this log:

/etc/systemd/system/wildfly.service:11: PIDFile= references a path below legacy directory /var/run/, updating /var/run/wildfly/wildfly.pid → /run/wildfly/wildfly.pid; please update the unit file accordingly.

If I update the /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service file as suggested - so PIDFile=/run/wildfly/wildfly.pid -, there is not any warning anymore.

I must confess I do not know precisely why you are using the PIDFile, especially given the documentation:

Takes a path referring to the PID file of the service. Usage of this option is recommended for services where Type= is set to forking. The path specified typically points to a file below /run/. If a relative path is specified it is hence prefixed with /run/. The service manager will read the PID of the main process of the service from this file after start-up of the service. The service manager will not write to the file configured here, although it will remove the file after the service has shut down if it still exists. The PID file does not need to be owned by a privileged user, but if it is owned by an unprivileged user additional safety restrictions are enforced: the file may not be a symlink to a file owned by a different user (neither directly nor indirectly), and the PID file must refer to a process already belonging to the service.

Note that PID files should be avoided in modern projects. Use Type=notify, Type=notify-reload or Type=simple where possible, which does not require use of PID files to determine the main process of a service and avoids needless forking.

The emphasis is mine.

Let me know what you think about that!
Have a nice day,

talcher

[svenska-primekey]

What OS are you using that you are seeing this error? I don't recall seeing this error on my Alma 8 install, but I also haven't checked the OS logs since EJBCA is working.

I will update the EJBCA documentation with your share for the HSTS to start with. Thanks for the contribution.

[talcher]

I forgot this point: EJBCA is running on a Debian 11 server.

[svenska-primekey]

I added a note to the EJBCA 8.3 docs that will let users know to use the PIDFile=/run/wildfly/wildfly.pid path for Debian >= 11. Thanks for sharing the feedback.

[talcher]

The pleasure is all mine.

[jpertuz-19]

A recommendation on the installation guide: At this point: https://doc.primekey.com/ejbca/ejbca-installation/application-servers/wildfly-26#WildFly26-ConfigureOCSPLogging

You should pause and continue with the EJBCA deploy (runinstall)

and the deploy keystore

And finally continue with https://doc.primekey.com/ejbca/ejbca-installation/application-servers/wildfly-26#WildFly26-HTTP(S)Configuration

[primetomas]

You can typically do all the WildFly configuration before install and deploying keystores. It will should configure with missing keystores and pick them up when they are put there.
It was kind of deliberate to not have to jump between different parts of documentation.