spring boot : automatic renew of letsencrypt certificate - spring

I have a published Spring Boot app (HTTP) and I want to secure it with HTTPS.
There are many tutorials on how to create a Let's Encrypt certificate and import it into the /resources folder of the Spring Boot app to make the certificate work.
The Let's Encrypt certificate is only valid for three months, and I would have to import the certificate and restart my Spring Boot application every time.
Of course, certbot can automatically renew the Let's Encrypt certificate, but...
Is there a way to do this task automatically (import and restart)?
Are there any alternative ways to do this (without importing and restarting)?
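As an added example (not part of the original question or of any answer on this page): Spring Boot 3.2 and later can serve TLS directly from the PEM files certbot writes and watch them for changes, so neither importing into a keystore nor restarting is needed. The bundle name `le`, the domain name and the certbot live paths are assumed placeholders.

```properties
# application.properties (added example; assumes Spring Boot 3.2+)
server.port=8443
# Use a named SSL bundle instead of server.ssl.key-store / key-store-password
server.ssl.bundle=le
# PEM bundle built from certbot's output; the domain and paths are placeholders
spring.ssl.bundle.pem.le.keystore.certificate=file:/etc/letsencrypt/live/example.com/fullchain.pem
spring.ssl.bundle.pem.le.keystore.private-key=file:/etc/letsencrypt/live/example.com/privkey.pem
# Watch the files and hot-swap the certificate after certbot renews them
spring.ssl.bundle.pem.le.reload-on-update=true
```

certbot writes privkey.pem readable only by root, so give the service account read access to those two files (for example via a dedicated group) rather than running the application as root.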

Related

Use valid SSL certificate with spring boot

I have a CA-trusted SSL certificate in the formats .p7b, .crt and .ca-bundle, and also a private key file (.crt).
I want to run a Spring Boot web service application over HTTPS. It is showing a "Your connection is not private" error in the browser.
I tried to import the .p7b and .crt files into a .jks, but since I do not know the correct alias and password, it is throwing the keytool error: java.lang.Exception: Input not an X.509 certificate.
Please give a solution to use this valid certificate with a Spring Boot application.
Provide the format of application-https.properties.

Defining trust-store and key-store information in spring boot application with external tomcat

I have configured my truststore and keystore information in the external Tomcat's server.xml in the Connector tag. The certificates are stored in Tomcat's /base/lib directory.
I need to deploy a Spring Boot application to this external Tomcat.
How can I make the information about the truststore and keystore available to the Spring Boot application?
Where in the Spring Boot application do I need to store the truststore and keystore .jks files?
I did the same with the datasource in the Resource tag in server.xml, and in the Spring Boot application I used
spring.datasource.jndi-name=some name to jndi. How can I configure the same for the truststore and keystore?
The keystore and truststore in Tomcat's <Connector> have a single purpose:
the keystore contains the certificate (and private key) used by the server's SSL port,
the truststore contains the list of CAs, which are trusted if mutual SSL authentication is enabled.
Therefore these settings are specific to each deployment of your application. You shouldn't provide them yourself.
You should only provide system administrators a way to configure those settings. In your case Spring Boot already takes care of it (cf. server.ssl properties).
See also:
What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app

Ssl connection between gcp load balancer and springboot application

Currently, I have my web application running on Compute Engine via a Spring Boot application. My website is SSL protected and it connects to my GCP load balancer. However, the connection between the load balancer and my Spring Boot application is HTTP. How can I make this HTTPS as well? What are the details that I need to provide? My application is deployed on a GCP Compute VM.
Here are the steps I have followed:
Generate a self-signed cert (PKCS12 format), assuming you are in the development and testing phase; in PROD you will need a CA-signed or similar cert.
Generate a key using your P12 cert and store it in the keystore.
Make your Boot app enabled by setting the following properties:
server.ssl.enabled=true
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/yourCertificate.p12
# The password used to generate the certificate
server.ssl.key-store-password=password
# The alias mapped to the certificate
server.ssl.key-alias=yourAlias
# The format used for the keystore.
server.ssl.key-store-type=PKCS12
These steps will help you make your Boot app HTTPS enabled.

TrustStore configuration issue in Spring feign with SSL enabled

I have two different Spring Boot applications with SSL enabled, and there is also a Eureka discovery server; these two applications are linked to the Eureka server. I need to make some HTTPS calls between these two SSL-enabled applications, so I decided to go ahead with a Feign client. Eureka is able to resolve the HTTPS URL properly for the Feign client. But while making the call I'm getting "unable to find valid certification path to requested target". I understand this error is because the public key of my client application is not present in the truststore of the application from which I'm making the Feign call. I have already added the public key to my custom truststore, but it is of no use. The property file for the same is below:
server.ssl.enabled=true
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password= Pass#123
server.ssl.keyStoreType= PKCS12
server.ssl.keyAlias= springboot
server.ssl.trust-store=classpath:springboot.jks
server.ssl.trust-store-password=Pass#123
eureka.instance.nonSecurePortEnabled=false
eureka.instance.securePortEnabled=true
After digging more into the issue I found that the "server.ssl.trust-store" property will set the truststore in the embedded Tomcat server of the Spring Boot application, but somehow my HTTPS call is taking the default JDK truststore. When I added system properties in my application, everything worked fine. But with the Spring Boot properties file configuration it is not working.
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
I feel setting system properties is a workaround and I'm looking for a better solution.
I even tried enabling the Ribbon client and added the "ribbon.IsSecure=true" property as well. But I'm still getting the same issue.
Can someone please provide a suggestion for the same.
Thank you

Multiple SSL certificates for different domains in Spring Boot or Tomcat

I have one server with two domain names. Currently I use only one self signed certificate with such configuration in application.properties:
server.port=8443
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=changeit
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
I would like to register normally signed certificates for future use. But I don't understand how I can configure Spring Boot or Tomcat for that... One thought is to use TomcatEmbeddedServletContainerFactory, but will it work? If someone has such practice, please help.
Finally I configured Apache for two domains with different certificates and made a ProxyPass to Spring Boot. Now it is working as I wanted.