Let’s Encrypt a Spring Boot Application

As we prepare our product, Wise Accounting for public consumption, we are also using it in the Cloud now. And, before we could safely host this Spring Boot application, we needed for our communications to be using HTTPS. The base architecture for our application is JHipster. We configured the scaffolding of our application to be a monolithic web application using Spring REST controllers (API) and Angular 1.x for API consumption, UI presentation, and user interaction. Currently, we’re hosting the Spring Boot (executable WAR) on a Debian 8 x64 VM with a MySQL Community database. The web container within the application is Tomcat. And, Tomcat needs to be hosted with an SSL certificate.

Free certificates are available from https://letsencrypt.org¬†as long as you update or renew these certificates every 3 months. When hosting a web server such as Apache, you can easily add a certificate with the certbot client from letsencrypt. Tomcat is a little more complicated. I’m going to describe the process of hosting our Spring Boot/JHipster application beginning with the installation of the certbot client from letsencrypt.org.

The certbot client was not part of the original Debian 8 packages. But, it can be installed if we tell our system where to find it. Do this by adding the information needed for Debian’s apt-get to obtain the client from jessie-backports.

Now we can update and then install certbot.

If your server has iptable rules in place, you will want to flush them before you create certificates. The certbot client will call out to a dummy website to create certificate artifacts. After the certificate is in place, you should DROP all traffic incoming on any unused ports.

Certbot will create the certificate artifacts in the PEM format. Tomcat requires a PKCS12 format for SSL. We’ll first create the certificate artifacts using certbot and then use OpenSSL to create a keystore.p12 for Tomcat.

This command created the certificate artifacts we need in /etc/letencrypt/live/yourdomain.com/ . Now let’s call upon the artifacts and create a keystore for Tomcat.

You will be asked to provide a password during the creation of the keystore. Write it down because you’ll need to add it to your JHipster/Spring Boot production YAML configuration. Before you can use the keystore with your application, you’ll need to add a server configuration to the JHipster production YAML config. Here’s my example.

Don’t forget to secure your firewall. Just start your application with java -jar your-application.war and then type this into your Google Chrome browser. Test that the application is using HTTPS. You can setup a Spring Boot application as a system service but that’s for another post.

You should get your application’s landing page and see the little lock and the word Secure just to the left of your URL in the browser. Please comment if this doesn’t work for you. Just remember we’re running a JHipster/Spring Boot monolith on a Debian 8 (Jessie) VM.

Leave a Reply

Wow, 4,983 people read this.