By Alx: February 2018
Secure Spring Boot with Let's Encrypt
Goal
In a previous article we saw how to enable HTTPS for a Spring Boot REST service; at that time we used a self-signed certificate. A self-signed certificate is fine for development and testing, but if you want to deploy to production you need a certificate issued by a CA that browsers and clients already trust.
Let's Encrypt is a free, automated and open CA, so it is a natural choice for this.
Used technologies
This example builds on the previous article (Spring Boot with HTTPS) and additionally needs:
git
//for cloning letsencrypt repository
Python 3.6
//Needed for letsencrypt
Ubuntu
// only for generating the Let's Encrypt certificate, since running certbot on Windows is tricky
Generating letsencrypt certificate
1.1 Get certbot source
$ git clone https://github.com/certbot/certbot
$ cd certbot
1.2 Generate certificate
./certbot-auto certonly -a standalone -d wstutorial.com -d www.wstutorial.com
The standalone authenticator answers the HTTP-01 challenge itself, so both names must already resolve to this machine and port 80 must be reachable from the internet while the command runs.
Now enter the requested details (email address, Terms of Service, etc.).
If you get an error like this:
Problem binding to port 80: Could not bind to IPv4 or IPv6
you have to stop the server or application that is using that port, then run the command again.
1.3 Converting PEM to PKCS12
Go to /etc/letsencrypt/live/wstutorial.com and run this command (as root, since the live directory is only readable by root):
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out springboot_letsencrypt.p12 -name bootalias -CAfile chain.pem -caname root
Enter and confirm a password; for simplicity we choose password99. Note that the alias given with -name is what Spring Boot will later look up as key-alias, and that the resulting .p12 contains the private key, so treat it like one: in production keep the keystore and its password out of the source repository (externalized config or an environment variable) rather than using a throwaway value like this.
This step is equivalent to the one in the previous example.
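The conversion above is easy to get subtly wrong (wrong alias, a certificate that does not carry the host name, an expired renewal), and each of those only shows up when the application is already running. The following script is an added example and not part of the original article: it wraps the openssl conversion in a function and adds a check of the produced keystore before it is copied into the project. Function names, the stand-in certificate generator and the SSL_KEYSTORE_* names are assumptions made here; with no argument it generates a throwaway self-signed certificate with the same SANs as a stand-in for the Let's Encrypt files so it can run offline.

```shell
#!/bin/sh
# Added example (not from the original article): convert Let's Encrypt PEM
# files to a PKCS12 keystore for Spring Boot and sanity-check the result.
set -e

# Convert privkey.pem + fullchain.pem in $1 into the PKCS12 keystore $2,
# storing the key under alias $3 with keystore password $4.
# Same openssl invocation as the article (fullchain.pem already includes
# the intermediate, so -CAfile chain.pem is not required).
pem_to_p12() {
    dir=$1; out=$2; alias=$3; pass=$4
    if [ ! -r "$dir/privkey.pem" ] || [ ! -r "$dir/fullchain.pem" ]; then
        echo "missing privkey.pem/fullchain.pem in $dir" >&2
        return 1
    fi
    openssl pkcs12 -export \
        -in "$dir/fullchain.pem" -inkey "$dir/privkey.pem" \
        -name "$alias" -out "$out" -passout "pass:$pass"
    chmod 600 "$out"   # the keystore holds the private key
}

# Check keystore $1 (password $2): the alias $3 must exist (it becomes
# server.ssl.key-alias) and the leaf certificate must list $4 as a DNS SAN
# and not be expired. Returns non-zero with a message on any failure.
check_p12() {
    file=$1; pass=$2; alias=$3; host=$4
    # -clcerts -nokeys prints only the leaf certificate with its bag attributes
    dump=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) \
        || { echo "cannot open $file (wrong password?)" >&2; return 1; }
    printf '%s\n' "$dump" | grep -q "friendlyName: $alias" \
        || { echo "alias '$alias' not found in $file" >&2; return 1; }
    printf '%s\n' "$dump" | openssl x509 -noout -text | grep -qF "DNS:$host" \
        || { echo "certificate carries no SAN for $host" >&2; return 1; }
    printf '%s\n' "$dump" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "certificate is expired" >&2; return 1; }
}

# Constructed stand-in for the Let's Encrypt output, so the script runs
# offline: a throwaway self-signed certificate with the same SANs.
# Test material only; never deploy it.
make_stand_in_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=wstutorial.com" \
        -addext "subjectAltName=DNS:wstutorial.com,DNS:www.wstutorial.com" >/dev/null 2>&1
}

# Usage: sh make_keystore.sh [/etc/letsencrypt/live/wstutorial.com]
# Without an argument the stand-in certificate is used.
if [ -n "$1" ]; then
    src=$1
else
    src=$(mktemp -d)
    make_stand_in_pem "$src"
fi
ks=${SSL_KEYSTORE_OUT:-$src/springboot_letsencrypt.p12}
pem_to_p12 "$src" "$ks" bootalias "${SSL_KEYSTORE_PASS:-password99}"
for h in wstutorial.com www.wstutorial.com; do
    check_p12 "$ks" "${SSL_KEYSTORE_PASS:-password99}" bootalias "$h"
done
echo "keystore $ks OK"
```

Run it against the live directory once after each renewal; the same check is what explains the SSL_ERROR_BAD_CERT_DOMAIN seen later, since check_p12 fails for localhost just as the browser does.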
Custom Spring Boot project
After copying springboot_letsencrypt.p12 to src/main/resources/ssl/ we only need to change the keystore name and password:
2.1 Custom application yml
server:
  port: 8443
  http:
    port: 8080
  ssl:
    # path relative to the working directory (fine for mvn spring-boot:run);
    # use classpath:ssl/springboot_letsencrypt.p12 when running the packaged jar
    key-store: src/main/resources/ssl/springboot_letsencrypt.p12
    key-store-password: password99
    key-store-type: PKCS12
    # must match the -name given to openssl pkcs12
    key-alias: bootalias
Run the Main Application
mvn clean package
mvn spring-boot:run
Call the url
If you open https://localhost:8443 you will get SSL_ERROR_BAD_CERT_DOMAIN (that is Firefox's name for it; Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID).
This happens because the Let's Encrypt certificate is only valid for the names it was issued for, www.wstutorial.com and wstutorial.com, and not for localhost. The browser checks the host name in the URL against the certificate's Subject Alternative Names, and localhost is not one of them.
Fix the bad domain Error
For a local test, map the host names to the loopback address. On a Windows machine add this line to C:\Windows\System32\drivers\etc\hosts (on Linux or macOS the file is /etc/hosts), and remove it again when you are done:
127.0.0.1 wstutorial.com www.wstutorial.com
Test the url again
Now open https://wstutorial.com:8443 and the browser accepts the certificate. Et voila.