Develop Reference

Spring Boot - SSL setup (./well-known/pki-validation)

I am new to SSL setup, please excuse me if my question is wrong.
I have deployed a Spring Boot application on AWS EC2 (Windows) instance with bunch of restful services, exposed through public IP address (AWS), i am able to access them publicly(http). I want to SSL(https) them now. I am in process of purchasing certificate, in one of the steps to setup, they have given these lines to validate a text file, is anyone aware of this ? Can you please suggest where i need to create ./well-known/pki-validation folder on my Spring Boot application(Tomcat) ?
The issuing vendor will provide you with a simple text-based file to place in sub-folders /.well-known/pki-validation/ in your site’s "home directory". If done properly, the vendor can view this file via HTTP:// and then issue the certificate upon confirmation.

1 Install certboot in the server.
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help
2 Obtain the certificate
In order to obtain the certificate you need to expose trough the server certain files. I do that using the target folder of spring boot tomcat.
./certbot-auto certonly --webroot -w {SpringBootProjectDir}/target/classes/static/ -d {yourDomain.com}
This command obtains the certificates and leaves them in:
/etc/letsencrypt/live/{yourDomain.com}/
Tomcat can't read the certificate provided since its not in p12 format. We have to generate the cert in this format. Use this command
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/{yourDomain.com}/fullchain.pem -inkey /etc/letsencrypt/live/{yourDomain.com}/privkey.pem -out /etc/letsencrypt/live/{yourDomain.com}/keystore.p12 -name tomcat -CAfile /etc/letsencrypt/live/{yourDomain.com}/chain.pem -caname root
It will ask you a password. Keep the password.
3 Configure the server
server.port=443
server.ssl.enabled=true
server.ssl.key-store: /etc/letsencrypt/live/{yourDomain.com}/keystore.p12
server.ssl.key-store-password: {password}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
Restart the server and Thats it!

How to solve Geoserver Jetty "Module not found ssl" error?

My objective, is to configure the Jetty in such a way that it enables HTTPS request for Geoserver.
To be a bit specific, I am downloading the Geoserver Windows Installer.
As tested both version 2.9-RC1 and 2.10.2, they throw the warning
"Module not found [ssl]" as soon as it is started.
Jetty version: 9.2.13.v20150730
I am referring to the info here to try setup the simplest test (self-signed) for the jetty, but still no luck.
What I did:
Use Keytool create a self-signed keystore
Replace the keystore generated from 1) to directory etc/keystore
Edit the jetty-ssl.xml, replace the password (attribute default) with mine
Edit the file start.ini, add --module=https, jetty.secure.port=8443
Launch the batch file.
What did i miss?
P.S.: Geoserver works perfectly in HTTP. This post is asking about configuration for HTTPS.

Here are the steps to enable jetty to run geoserver on https, port:8443
• Configuring Jetty for SSL
follow this link to create ssl certificate and keystore. https://www.eclipse.org/jetty/documentation/9.1.5.v20140505/configuring-ssl.html
Now open jetty-ssl.xml file present in Geoserver/etc folder and replace the KeyStorePassword, KeyManagerPassword, TrustStorePassword with the new password which is created while creating keystore.
Open & check jetty.xml file in same folder, on which port https will run.
• Add new Keystore in Geoserver
Copy the created keystore file and replace with the existing available in etc folder of geoserver ex: C:\GeoServer\etc.
Now check if ssl.mod file is present in modules folder or not, ex: C:\GeoServer\modules.
If present, then open the file and replace the password in jetty.keystore.password, jetty.keymanager.password and jetty.truststore.password with the new password. Otherwise download it from “http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.2.13.v20150730/jetty-distribution-9.2.13.v20150730.tar.gz.
NOTE : Please make sure password entered should be same as in jetty-ssl.xml.
Open start.ini file present in C:\GeoServer folder add --module =ssl, --module=https and jetty.secure.port=8443 (if https is running on Port 8443.
Run geoserver, enter url https://localhost:8443/geoserver (assuming geoserver on local system).

The https module has a dependency on the ssl module. The error is stating it cannot find ssl.mod in the ${jetty.home}/modules (or, depending on your config, ${jetty.base}/modules) directory.
The ssl module comes standard as part of the Jetty distribution so it has either been deleted, moved or renamed as part of your implementation.

For Geoserver 2.12.1, I manually installed "ssl.mod" from jetty-distribution-9.2.13.v20150730.tar.gz in Geoserver's etc/modules directory. Then the warning message didn't occur again in the log.

remember to add --module=ssl to start.ini
complete password and keystore/truststore location in jetty-ssl
port in jetty-https default 443
port in jetty xml can stay at default 8443
open ssl mod in a text editor and comment out the keystore under the [files] tag
ini-template tag --jetty secure port can stay at 8443
Comment out anything that refers to jetty keystore as these are set in jetty-ssl
open https mod and change https port to 443, restart geoserver.
Geoserver should now run over jetty https:// with no port number.

Runtime Mule SMTPs connector issue on AWS EC2 using SES

I’m trying to send an email on runtime Mule using an SMTPS connector running on a AWS EC2 Lynx machine to AWS SES but I keep getting a ‘Unable to connect to mail transport’ Mule exception.
I can Telnet from the EC2 machine to the AWS SES endpoint but cannot get EHLO to work, I may be doing something wrong there.
I can successfully send the email to AWS SES from my own PC running my app on Anypoint using the same SMTPS connector and the same AWS SES credentials so I know everything is good there.
I’m thinking there must be a difference between Anypoint and runtime Mule?
Here is my connector code, do I need to add a trust store for it to work on runtime?
<smtps:connector name="SMTPS" contentType="text/html" validateConnections="true" doc:name="SMTPS">
<smtps:tls-client />
<smtps:tls-trust-store />
</smtps:connector>
Here is the relevant part of the log
INFO org.mule.lifecycle.AbstractLifecycleManager - Initialising: 'SMTPS.dispatc her.1395684883'. Object is: SmtpMessageDispatcher
2016-11-08 16:30:25,149 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsPropertiesMapper - Defaulting mule.email.smtp s trust store to client Key Store
2016-11-08 16:30:25,361 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsProperties - Loading configuration file: tls- default.conf
2016-11-08 16:30:25,620 [[feecalculator].HTTP_Listener_Configuration.worker.01] ERROR org.mule.exception.CatchMessagingExceptionStrategy -
Message : Unable to connect to mail transport.
Element : /sendEmailFlow/processors/0/0/0 # feecalculator:sendEmai l.xml:22 (Prod SMTPS)
Exception stack is:
Unable to connect to mail transport. (org.mule.api.endpoint.EndpointException)
The difference on my local machine is 'tls-default.conf not found' :
INFO 2016-11-08 16:19:16,533 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Initialising: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher
INFO 2016-11-08 16:19:16,539 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsPropertiesMapper: Defaulting mule.email.smtps trust store to client Key Store
WARN 2016-11-08 16:19:16,574 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsProperties: File tls-default.conf not found, using default configuration.
INFO 2016-11-08 16:19:20,100 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Starting: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher

Solved:
On my development machine Anypoint defaults to the JRE 1.8 installed ‘cacerts’ trust store in the ‘security’ folder which contains a trust for AWS SES whereas the AWS EC2 Lynx openJDK 1.8 either does not have a trust installed or Mule CE does not default to the installed trust store, I’m not sure which. This explains why my development machine could send an mail via SES but the production system could not.
The solution is to use openssl to create a trust store file for the SES domain certificate and specify the trust file in the SMTPS connector (smtps:tls-trust-store). If a file path is not specified, the trust file needs to be added to the Mule project src/main/resources folder for the project domain or project application when no project domain exists.
This issue is further complicated by a difference between Anypoint and Mule CE, Anypoint requires SES endpoint declarations that contain ‘special characters’ to be double escaped where as Mule CE does not.

Configure Spring Boot to Prevent Logjam Attack

Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?

The solution was to upgrade server Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary. Not even modyfing Tomcat as per the advice at weakdh.org.

HTTPS connection is not working [Spring Boot]

I am setting up a HTTPS server using Spring boot. I followed the Configure SSL on Spring Boot Docs.
My application.properties file is as follows.
# SSL
server.port = 8443
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = rootroot
But when I access https://localhost:8443 . The server returns no response and server is temporarily down.
Can you guide me what is going wrong?

Finally, I found the answer. I was using the keystore.jks generated from another machine instead of generating in server machine.
Now I solved the problem by using the keystore generated by keytool on server machine and everything went well.
Anyway, thank you for your answers.

Your information did not work for me, then I've did some researches and now it's working after I followed the below steps:
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out <mycert.p12> -name tomcat -CAfile <myca.ca> -caname root -chain
(I ran the above command to generate a pkcs12 in my digitalcert, which the only file that does not exists yet is the mycert.p12)
After that I've copied the mycert.p12 to src/main/resources
And finally this is my application.properties file configuration:
server.context-path=/cv2
server.port=8880
server.ssl.key-store=classpath:java_admin_checkverification_com.p12
And now everything is working like a charm!
PS: The configuration server.ssl.key-store was not working for me when I was at the version 1.2.4, because it was not finding the file in the classpath at all... Always throwing FileNotFoundException, so I updated to 1.3.5, with the above configurations and now everything is working.

I've had the same problem and adding the key-store-type fixed it:
server.ssl.key-store-type: JKS

"Tomcat requires the key store (and trust store if you’re using one) to be directly accessible on the filesystem, i.e. it cannot be read from within a jar file. This limitation doesn’t apply to Jetty and Undertow."
by default tomcat is used

If someone has same issue -
my settings are
server.port=8443
server.ssl.key-store=classpath:certs/localhost.keystore
server.ssl.key-store-password=somepass
server.ssl.key-password=somepass
I had a problem with my request - Ive been sending request to 127.0.0.1:8443, but my certificate had name localhost! I fixed request to localhost:8443 and all went right.

Reinstalling my cert with certbot fixed it for me. Just ran certbot and 1: Attempt to reinstall this existing certificate. I already had my config setup like the other answers. I'm not sure how this fixed it, but I figure I'd leave this answer here. I'm using Nginx.