i have a published spring boot app (http) and i want to secure it with HTTPS..
there are many tutorials on how to create a letsencrypt certificate and import it into the /resources folder of the spring boot app, to make the certificate work.
the letsencrypt certificate is only valid for three months.. and i would have to import the certificate and restart my spring boot application every time..
of course, certbot can automatically renew the letsencrypt certificate, but…
is there a way to do this task automatically (import and restart)?
are there any alternative ways to do this (without importing and restarting)?
I have configured my trustsore and keystore information in the external tomcat's server.xml in the Connector tag. The certificates are stored in the tomcat's /base/lib directory.
I need to deploy a spring boot application to this external tomcat.
How can I make the information about trustsore and keystore available to the spring boot application?
Where in the spring boot application do I need to store the trsustore and keystore .jks files?
I did the same with the datasource in Resource tag in server.xml, and in spring boot application I used
spring.datasource.jndi-name=some name to jndi. How can I configure the same for trsustore and keystore?
The keystore and truststore in Tomcat's <Connector> have a single purpose:
the keystore contains the certificate (and private key) used by the server's SSL port,
the truststore contains the list of CAs, which are trusted if mutual SSL authentication is enabled.
Therefore these settings are specific to each deployment of your application. You shouldn't provide them yourself.
You should only provide system administrators a way to configure those settings. In your case Spring Boot already takes care of it (cf. server.ssl properties).
See also:
What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app
I'm learning about using SSL Certificates with Spring Boot. Specially using Let's Encrypt ones.
They have the limitation of being expired after 3 months, so they should be renewed and as far as I know, when renewing the certificate we need to restart the Spring Boot app in order to make it load the new one instead.
Some time ago, I was playing around with Eureka and Zuul Gateway, to develop microservices... And I recall I also set a git repo to be used as a Spring Cloud Config. I do not remember well, I think we can use Spring Cloud Config without using the microservice arch.
So my question is: Can we use this Spring Cloud Config mechanism that reload properties to reload the SSL Certificate? The idea would be to trigger the properties reloading mechanism, and as the ssl is configured via those properties, I think maybe it can be reloaded.
I'm planning on automating the process of getting and renewing the Let's Encrypt certificate and avoid the downtime on my app.
Best regards!
SSL certs are applied at the JVM level - neither Spring Boot nor Spring Cloud Config has any control over this, and so to apply a new cert would require a restart of the JVM instance your app runs in, because you've updated your keystore. Being able to dynamically add certs without shutting down the JVM would be a major security flaw.
In the AWS ecosystem, the idea is that if you ever shut down your VM, you lose that VM, and the contents on it are gone forever. With Spring Cloud (Config, Zuul, Eureka) you can spin up VMs that get registered with Eureka via Config, and Zuul uses the info in Eureka to do the load balancing. So, the way it should be done is you spin up another VM with your Spring Boot instance with the updated cert, and kill off the older VM which evaporates thanks to AWS, and Zuul takes care of the dirty work of being a "reverse web proxy", routing the requests to the new web server as required.
The can of worms you open going this route is that now you have to implement 4 servers and a VPN to support them, your Zuul server becomes the target of external web requests, and you might need to look into the "circuit breaker" pattern on how to handle HTTP request failures - Hystrix is the next thing to look into.
With Digital Ocean, I'm not sure what you might have to do differently, but a JVM restart is unavoidable.
Actually, it depends. Certificates are applied on SSLContext level and SSLContext can be refreshed during runtime. It is completely possible to update the certificate in KeyStore and refresh the SSLContext, moreover, Tomcat has a special helper function reloadSslHostConfigs that helps you to do that.
So what you ask is completely doable:
Spring Cloud triggers certificate update event notification or via polling
Your application loads updated certificate either from Spring-Cloud or from some shared storage
Your application issues reloadSslHostConfigs, so that Tomcat updates its SSLContext
For implementation details of the certificate reloading, you can take a look at the letsencrypt-helper library. It allows generating and keeping-up fresh your LetsEncrypt certificate without JVM restart.
I have two different spring boot application with SSL enabled in it and also there is an eureka discovery server and these two applications are linked to eureka server.I need to make some https call between these two SSL enabled applications. So I decided to go ahead with feign client .Eureka is able to resolve https url properly for feign client. But while making the call I'm getting "unable to find valid certification path to requested target". I can understand this error is because public key of my client application is not present in truststore of the application from which I'm making feign call. I have already added the public key in my custom truststore, But it is of no use.Property file for the same is below
server.ssl.enabled=true
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password= Pass#123
server.ssl.keyStoreType= PKCS12
server.ssl.keyAlias= springboot
server.ssl.trust-store=classpath:springboot.jks
server.ssl.trust-store-password=Pass#123
eureka.instance.nonSecurePortEnabled=false
eureka.instance.securePortEnabled=true
After digging more into the issue I found that "server.ssl.trust-store" property will set truststore in the embeded tomcat server of spring boot application, But some have my https call is taking default JDK truststore. When I added system properties in my application then everything is working fine. But with spring boot properties file configuration it is not working .
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
I feel setting system properties is an workaround and I'm looking for a better solution .
I even tried enabling ribbon client and added "ribbon.IsSecure=true" property also. But still getting the same issue.
Can someone please provide a suggestion for the same.
Thank you
I am creating a Spring Boot integration with Tomcat for Soap WebService application
We are calling other Soap WebServices inside it, which are running in https protocol.
Could you please help me how to config SSL for external servers?
First of all, if these external servers have their own legal trusted certificates, you don't need to do anything.
But if not and you trust these external servers, you can skip certificates verification for those servers as How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?.
Or just skip specific host as SSLHandshakeException: No subject alternative names present.
Wish it could help.