By Alx: February 2018

Secure Spring Boot with Let's Encrypt


In a previous article we saw how to enable HTTPS for a Spring Boot REST service; at that time we used a self-signed certificate.
A self-signed certificate is fine for dev and test purposes, but for production you need a certificate issued by a CA that browsers and clients already trust.
Let's Encrypt is a free, automated and open CA. Its certificates are valid for 90 days, so the steps below have to be repeated (ideally scripted) at every renewal.

Used technologies

This example is based on the previous Spring Boot with HTTPS article
Let's Encrypt (certbot client)
git // for cloning the certbot repository
Python 3.6 // needed by certbot
Ubuntu // only for generating the Let's Encrypt certificate; running certbot on Windows is tricky

Generating the Let's Encrypt certificate

1.1 Get the certbot source

$ git clone 
$ cd certbot

1.2 Generate the certificate

$ ./certbot-auto certonly -a standalone -d -d

The standalone authenticator starts its own temporary web server on port 80 to answer the ACME HTTP-01 challenge, so every name passed with -d must already resolve (public DNS record) to this machine, and port 80 must be reachable from the internet.
Now enter the requested details (email address, Terms of Service, etc.).

If you get something like this:
Problem binding to port 80: Could not bind to IPv4 or IPv6
another process already owns port 80. Stop the server or application that is using it for the duration of the certbot run, then start it again.

1.3 Converting PEM to PKCS12

certbot writes PEM files, while Spring Boot's server.ssl.key-store expects a JKS or PKCS12 keystore, so the private key and the certificate chain are packed into a PKCS12 file. Go to /etc/letsencrypt/live/ and run this command:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out springboot_letsencrypt.p12 -name bootalias -CAfile chain.pem -caname root
Enter and confirm an export password; for simplicity we choose password99, the same as in the previous example. The alias given with -name (bootalias) is the entry Spring Boot will select with keyAlias. fullchain.pem already contains the server certificate followed by the intermediate certificate, so the keystore carries the chain that browsers need to validate it; -CAfile and -caname only come into play together with -chain.
The resulting .p12 contains the private key: restrict its file permissions to the user that runs the application. Because certbot replaces the PEM files at every renewal, this conversion has to be repeated after each renewal (certbot's --deploy-hook is a convenient place for it).

Custom Spring Boot project

After copying springboot_letsencrypt.p12 to src/main/resources/ssl/ the only thing we have to change is the keystore name. Keep in mind that the .p12 file holds the private key: do not commit it to the repository and do not ship it inside a public artifact. For a real deployment keep it outside the project tree and point key-store at its absolute path.

2.1 Custom application.yml

server:
  port: 8443
  http.port: 8080
  ssl:
    key-store: src/main/resources/ssl/springboot_letsencrypt.p12
    key-store-password: password99
    keyStoreType: PKCS12
    keyAlias: bootalias

The key-store value is a plain file path relative to the working directory, which works with mvn spring-boot:run from the project root; for the packaged jar use classpath:ssl/springboot_letsencrypt.p12 instead. keyStoreType and keyAlias are the relaxed-binding spellings of key-store-type and key-alias. Rather than a plain-text password in the yml, read it from the environment, e.g. key-store-password: ${SSL_KEYSTORE_PASSWORD}.

Run the main application

$ mvn clean package
$ mvn spring-boot:run

Call the URL

If you type https://localhost:8443 you will get a certificate error in the browser,

because the Let's Encrypt certificate is only valid for the names passed to certbot with -d, and not for localhost. The browser compares the host name in the URL with the DNS names in the certificate's Subject Alternative Name extension; localhost is not among them, so the connection is refused as a name mismatch, exactly as it would be for a certificate copied from another site.
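The conversion from step 1.3 and the name check that makes https://localhost:8443 fail, rehearsed offline. This is an added example, not code from the original article or from certbot: it generates its own self-signed stand-in for certbot's privkey.pem, fullchain.pem and chain.pem, so example.com and www.example.com are assumed placeholders for the -d names, chain.pem is just a copy of the leaf certificate, the export password is the article's password99, and openssl must be on PATH.

```bash
#!/bin/sh
# Added example (not code from the original article or from certbot): rehearse
# step 1.3 and the browser's host-name check offline on a throwaway key pair.
# Assumptions: example.com / www.example.com stand in for the -d names given to
# certbot, the stand-in certificate is self-signed and generated here (so
# chain.pem is only a copy of it), the export password is the article's
# password99, and openssl is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=password99
ALIAS=bootalias
P12="$WORK/springboot_letsencrypt.p12"

# Stand-in for certbot's output: a self-signed certificate carrying the same
# Subject Alternative Names a real Let's Encrypt certificate would have.
make_stand_in_cert() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
  cp "$WORK/fullchain.pem" "$WORK/chain.pem"   # no intermediate for a self-signed stand-in
}

# The article's step 1.3, unchanged except for -passout so it runs unattended.
to_pkcs12() {
  openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
    -out "$P12" -name "$ALIAS" -CAfile "$WORK/chain.pem" -caname root \
    -passout "pass:$PASS"
}

# Does the keystore open with the configured password and contain the alias
# that server.ssl.keyAlias will look up? Returns 0 if so.
keystore_has_alias() {
  openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $1"
}

# Would a client connecting to https://$1:8443 accept the server certificate in
# the keystore? Same name comparison a browser makes; returns 0 on a match.
cert_matches_host() {
  openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkhost "$1" \
    | grep -q " does match certificate"
}

make_stand_in_cert
to_pkcs12
keystore_has_alias "$ALIAS"   && echo "alias $ALIAS found in $P12"
cert_matches_host example.com && echo "example.com: certificate name matches"
cert_matches_host localhost   || echo "localhost: name mismatch, the error the browser shows"
```

keystore_has_alias is the check worth running after every renewal, before restarting Spring Boot; cert_matches_host with the production host name is the same comparison the browser performs, so calling it with localhost reproduces the error from this section without a browser.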

Fix the bad domain error

Just map the host name to the loopback address, so that the URL uses a name the certificate was issued for. This only changes name resolution on your own machine (in production the public DNS record already points at the server). On a Windows machine add this line to C:\Windows\System32\drivers\etc\hosts (on Linux the file is /etc/hosts):

Test the URL again

Now type the same URL with the host name from the certificate instead of localhost, and the browser accepts the certificate without complaint.
Et voilà