Serving Spring Boot HTTPS

How to put together Spring Boot 2, Nginx and Let's Encrypt

This quick tutorial assumes you already have working Let's Encrypt certificates for your site. We will go through the configuration of Nginx and your Spring Boot 2 application. If you need help getting the certificates working, you can follow this guide or the Let's Encrypt documentation.

Certificates

The first step is to export your Let's Encrypt certificate to a suitable format and location.

Spring Boot expects PKCS12, so we need to create a keystore. When you do, you will be asked to provide a password. This password needs to be provided to your Spring application as well (find a secure way to do it; we are using application properties in this example for simplicity). The value under -name will be the alias of this key in the keystore.

So let's go hands on...

Go to the folder where you store your Let's Encrypt keys. By default it would be:

cd /etc/letsencrypt/live/mydomain.com

And export your key into a keystore:

openssl pkcs12 -export -in fullchain.pem \
    -inkey privkey.pem \
    -out keystore.p12 \
    -name mydomainkeyalias \
    -CAfile chain.pem \
    -caname root

If you want to automate this process so the keystore is updated automatically when the certificates are renewed, you will need to include the password:

openssl pkcs12 -export -in fullchain.pem \
    -inkey privkey.pem \
    -out keystore.p12 \
    -passout pass:keystorepassword \
    -name mydomainkeyalias \
    -CAfile chain.pem \
    -caname root
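The automated export above, written as a renewal hook. This is an added example, not part of the original tutorial: it reads the password with -passout file: so it does not show up in the process list, and it writes the keystore with owner-only permissions. It assumes certbot is the Let's Encrypt client (certbot sets RENEWED_LINEAGE for deploy hooks); the /etc/myapp paths and the function name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): rebuild the PKCS12 keystore
# after a renewal without putting the password on the command line.
# Assumed/hypothetical: certbot as the ACME client (it sets RENEWED_LINEAGE for
# deploy hooks), the /etc/myapp paths, and the function name export_keystore.
set -eu

# export_keystore LIVE_DIR OUT_FILE PASS_FILE ALIAS
# Runs in a subshell so the umask change does not leak into the caller.
export_keystore() (
    live_dir=$1; out=$2; pass_file=$3; key_alias=$4

    # Fail early with a clear message if the password file is missing or empty.
    if [ ! -s "$pass_file" ]; then
        echo "password file missing or empty: $pass_file" >&2
        exit 1
    fi

    umask 077                          # keystore holds the private key: 0600
    tmp=$(mktemp "$out.XXXXXX")        # build next to the target, then rename
    if openssl pkcs12 -export \
        -in "$live_dir/fullchain.pem" \
        -inkey "$live_dir/privkey.pem" \
        -out "$tmp" \
        -passout "file:$pass_file" \
        -name "$key_alias" \
        -CAfile "$live_dir/chain.pem" \
        -caname root
    then
        mv -f "$tmp" "$out"            # rename in place: no partial keystore is visible
    else
        rm -f "$tmp"
        exit 1
    fi
)

# Only act when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    export_keystore "$RENEWED_LINEAGE" \
        /etc/myapp/keystore.p12 /etc/myapp/keystore.pass mydomainkeyalias
fi
```

Spring Boot 2 reads the keystore at startup, so restart the application after the hook has run.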

And that is all you need to start coding your application.

Spring Boot application

In Spring Boot 2, you will need to configure your application properties to load your keystore. As I said before, for this example we will be loading the keystore password from the application properties as well. It would obviously be a better option to avoid storing this password in your repo, and to load it from a configuration service or similar.

These properties and the attached configuration will cater for serving both HTTP and HTTPS.

January 2020