Help setting up SSL with Spring Boot

I have a Spring Boot app deployed on a Debian server. Spring Boot has an embedded Tomcat, but I’ve always deployed to a separate Tomcat instance. For technical reasons, I now have to use the embedded instance which, I’m told, makes configuration more difficult.

I used certbot to generate my .pem files so I don’t think I have to worry about renewal every 90 days. However, Tomcat requires that the .pem files be converted to .jks. I assume that while the .pem files are automatically renewed, any .jks files generated from those files will become invalid after 90 days.

I always installed Apache to handle SSL and do redirects to Tomcat. I only recently discovered that SSL can be configured within Spring Boot. I assume that negates the need to install Apache. I would like to try that approach, but it’s difficult to find how-to documentation.

In order to keep configuration as simple as possible, my first thought was to just install Apache, handle the SSL there, and redirect traffic to Tomcat on 8080. As I recall, that’s what I’ve done in the past. Though I’d like to start doing things the Spring Boot way. Presumably, there’s no need to install Apache or Tomcat with Spring Boot apps.

I assume I need to modify the script that does the auto renewal and make it also generate .jks files. As for configuring SSL with Spring Boot, unless someone on here has done it, it’s going to be a lot of trial and error. Thanks in advance.


I’m of the opinion that none of the Java application servers or servlet containers implement SSL in a way that works practically with automated SSL management. Too many complications come about as a result.

It is possible to do automated renewal with a Certbot --deploy-hook which updates the keystore and also invokes an exposed JMX endpoint to cause the SSL context to reload (see this presentation). I guess your challenge would be getting Spring Boot to expose the required JMX bean, but it should probably be possible via an change.

I have tried it and have gone back to using a reverse proxy, because inevitably, some need always comes up that requires the flexibility to apply a webserver-level change without going through a rebuild and redeploy. You’d be crazy not to, and that doesn’t only apply to Java backends.

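The deploy-hook approach described in the reply above, sketched as an added example that is not code from the thread or from Certbot: it rebuilds the keystore from the renewed PEM files and replaces the old one only after the new file has been checked. It writes PKCS12, which Tomcat's connector also reads, rather than JKS. The keystore path, alias and password file are assumed names, and the reload step is left as a site-specific comment.

```shell
#!/bin/sh
# Certbot deploy hook (added example): rebuild the keystore read by the
# embedded Tomcat each time a certificate is renewed.
# Assumed values, not from the thread: KEYSTORE, KEY_ALIAS, PASS_FILE.
KEYSTORE="${KEYSTORE:-/etc/myapp/keystore.p12}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"
PASS_FILE="${PASS_FILE:-/etc/myapp/keystore.pass}"

# build_keystore LINEAGE_DIR OUT_FILE PASS_FILE
# LINEAGE_DIR is the certbot directory holding fullchain.pem and privkey.pem.
build_keystore() {
    lineage=$1
    out=$2
    passfile=$3
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing PEM files in $lineage" >&2; return 1; }
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 1; }

    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if ! openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name "$KEY_ALIAS" -passout "file:$passfile" -out "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Confirm the new keystore opens with the password before it goes live.
    if ! openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    # Rename within the same directory, so the application never reads a
    # half-written keystore.
    mv -f "$tmp" "$out"
}

# Certbot sets RENEWED_LINEAGE when it runs a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$PASS_FILE" || exit 1
    # Reload step goes here (JMX call or service restart, site-specific).
fi
```

The password file should be readable only by the account that runs Certbot and the account that runs the application.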

Thanks for your input. I decided to just use Apache. Though I’ve read that Nginx is much faster than Apache. However, it’s too easy to just go with what you’ve always used in the past rather than something you’ve never used.

