Spring Boot Secured By Let's Encrypt

Datetime:2016-08-22 23:34:43          Topic:          Share

In this article, we want to know how we can (1) generate a valid certificate for free; (2) configure a Spring Boot app with it; and lastly (3) how to renew it when it expires.

In my previous blog post , we became familiar with configuration of an Spring Boot Application with a self-signed certificate. Self-signed certificates are good for specific purposes such as test and development. But, if one needs to ship his application to production, certificates should be signed by known and eligible Certificate Authorities (CA).

These types of certificates are usually expensive. If you want to harden your application with TLS, you need to purchase one of them. The price and complex configuration of application servers made a barrier for many web applications to use secure connections.

In the post-Snowden era , no one needs to convince us that having secure connection using HTTPS is a must. There are lots of efforts to increase awareness of developers and IT administrators to employ such technologies for every single website they make. But how?

Let's Encrypt projects aims at bringing HTTPS to World Wide Web not only for free but also with the simplest way of configuration.

In this article, we cover:

  • Issuing a certificate and Spring Boot intergration

    1. How to generate certificates with Let's Encrypt?

    2. How to generate PCKS#12 files from PEM files?

    3. Configuration of your Spring Boot application

  • Renewing an (about-to) expired certificate

    1. Renewal process

    2. Preparation for Spring Boot

How to Generate Certificates With Let's Encrypt

Let's Encrypt has several plugins for some application servers such as Apache and Nginx. In this section, as our target is Spring Boot Application (with an embedded Jetty/Tomcat), we just generate the certificates and later on integrate with our application.

If you're using a firewall or any other security mechanism at your server or Cloud provider, you should relax it for a couple of minutes - specially port 80 and port 443.

Port 80 should be open and free to use as Let's Encrypt runs a small http server behind the scene to prove whether you control your domain address ( ACME protocol ).

  1. You need to fetch the source code of Let's Encrypt  on your server which your domain address is pointing to. This step may take a couple minutes.
    $ git clone https://github.com/certbot/certbot 
    $ cd certbot
    $ ./certbot-auto --help
    Remark:  Python 2.7.8 (or above) should be installed beforehand.
  2. By executing following command in your terminal, Let's Encrypt generates certificates and a private key for you.
    $ ./certbot-auto certonly -a standalone \
         -d seeld.eu -d www.seeld.eu
    Keys are generated in  /etc/letsencrypt/live/seeld.eu .  Remark: 'certonly' - means that this command does not come with any special plugin like Apache or Nginx. 'standalone' -  means that Let's encrypt will automatically create a simple web server on port 80 to prove you control the domain.

How to Generate PKCS12 Files From PEM Files

Certificates and private keys are generated in 2 steps for free which shows the simplicity of Let's Encrypt. All of these generated materials are with PEM extension which is not supported in Spring Boot. Spring-Boot does not support PEM files generated by Let’s Encrypt. Spring Boot supports PKCS12 extension. Using OpenSSL, we convert our certificate and private key to PKCS12.

To convert the PEM files to PKCS12 version:

  1. Go to /etc/letsencrypt/live/seeld.eu
  2. We convert the keys to PKCS12 using OpenSSL in the terminal as follows.
    $ openssl pkcs12 -export -in fullchain.pem \ 
                     -inkey privkey.pem \ 
                     -out keystore.p12 
                     -name tomcat \
                     -CAfile chain.pem \
                     -caname root

The file 'keystore.p12' with PKCS12 is now generated in '/etc/letsencrypt/live/seeld.eu'.

Configuration of Your Spring Boot Application

Now we want to configure our Spring Boot application to benefit from the certificate and the private key; and eventually have the HTTPS thingy ready. At this moment, we already generated our certificate and private key. Then we converted the keys to PKCS12 extension which is ready to be used for a Spring application.

  1. Open your 'application.properties'
  2. Put this configuration there.
    server.port: 8443
    security.require-ssl=true
    server.ssl.key-store:/etc/letsencrypt/live/seeld.eu/keystore.p12
    server.ssl.key-store-password: <your-password>
    server.ssl.keyStoreType: PKCS12
    server.ssl.keyAlias: tomcat
    Remark 'require - ssl' - means that your server only processes HTTPS-protected requests.

If you visit https://seeld.eu:8443 , you can see that HTTPS is successfully configured and most importantly working. For the sake of our project, we did some additional steps to have HTTPS working with port 80, you can browse it with the  https://seeld.eu URL.

Renewal Process

Let's Encrypt certificates are only valid for 90 days . Some may say 3 months is too short comparing to validity period of certificates offered by other providers. They have two motivations for this strict decision: (1) limiting damage from key compromise or mis-issuance; (2) encouraging automation. So let's get started!

  1. Open your Let's Encrypt client directory, I mean the certbot. Remarks: On the same machine that certificates and keys are located. Please read all of the remarks from sections, such as having python installed, having port 80 open, etc.
  2. Run the renew command as follows.
    $ sudo ./certbot-auto renew
    This command checks the expiry date of certificates located in this machine (managed by Let's Encrypt), and renew the ones that are either expired or about to expire.

We have new certificates, as simple as that!

As discussed in the section: Spring-Boot does not support PEM files generated by Let’s Encrypt. Spring Boot supports PKCS12 extension. Using OpenSSL, we convert our certificate and private key to PKCS12.

Preparation for Spring Boot

Let's create a PKCS#12 key store!

  1. Go to /etc/letsencrypt/live/seeld.eu
  2. We convert the keys to PKCS12 using OpenSSL in the terminal as follows.
    $ openssl pkcs12 -export -in fullchain.pem \ 
                     -inkey privkey.pem \ 
                     -out keystore.p12 
                     -name tomcat \
                     -CAfile chain.pem \
                     -caname root

The file ‘ keystore.p12 ’ with PKCS12 is now generated in ‘/etc/letsencrypt/live/seeld.eu’.

But wait!

I assume the machine that you're woking on is the one with running Spring Boot. It means that we're not done yet! The previous ‘ keystore.p12 ’ is still in the memory, meaning that you need to restart your application! 

It's not always viable to simply restart a running application. There might be other ways to update it without restarting but it's not in the scope of this post.

The Take-Home Message

In this post, we saw how to issuerenew a Let's Encrypt certificate, and most importantly, integrate it with Spring Boot . If you really don't unnecessarily play with configurations, it takes less than 5 minutes to have all things ready.

The main takeaway message for me is that Let's Encrypt makes (re-)issuing certificates incredibly faster, easier, and cheaper for everyone, no matter how many services you manage! You should start having HTTPS as soon as possible.