SSL Certificate inclusion in spring boot application with embedded server

Problem Statement: After adding the certificate to the required directory and entering the details in our application.properties file, the application failed to start due to the errors specified in the attached log file (SSL)log.txt (5.1 KB).

My domain is: demo.azure.com

I ran this command: certbot certonly --standalone

It produced this output: Requesting certificate for demo.azure.com

My web server is (include version): Not Applicable

The operating system my web server runs on is (include version): Windows server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.19.0

Based on the Java exception

[...]
Caused by: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
	at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1998)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:178)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
	... 20 common frames omitted
[...]

I would guess that the keystore (supplied by you? How have you configured this?) is broken.

Hi Nummer378, thanks for the interest. For your information, I have generated the certificate with certbot using the command certbot certonly --standalone, and afterwards we converted the certificate from PEM to PKCS12 format.
After that we copied the certificate to main/src/resources/certificate.p12 and then entered the required configuration in our application.properties file with the following lines.

server.port: 8443
security.require-ssl=true
server.ssl.key-store:classpath:certificate.p12
server.ssl.key-store-password:
server.ssl.keyStoreType: PKCS12

After all that, we tried to launch our application, and it threw these exceptions.

When you created your p12 file (same as PFX), how exactly did you do it? Java may need the Triple DES algorithm rather than AES, but it will depend on what version of Java you are using.

For current versions of Tomcat, https://certifytheweb.com also has a built in tomcat export deployment task: Apache Tomcat | Certify The Web Docs - other clients may be able to do the same.

Is it?
[doubtful]

As @webprofusion mentioned, there may be different ways to do this step.
And you may have omitted a required password (who knows? - we sure don't).

Have you ever had this exact set of steps work before?
If so, then what has changed since then?
If not, then where did you get the instructions? (and did you follow them all as directed?)

Hi @webprofusion, we have converted our certificate from PEM to PKCS12 with an open source tool named openssl, using the command:

openssl pkcs12 -export -in C:\Certbot\live\demo.azure.com\fullchain.pem -inkey C:\Certbot\live\demo.azure.com\privkey.pem -out C:\Certbot\live\demo.azure.com\certificate.p12 -CAfile C:\Certbot\live\demo.azure.com\chain.pem -caname root

and currently we are using java version "1.8.0_91".
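As an added example (not code from the thread or from any of the posters), the following POSIX shell script ties together @webprofusion's Triple DES remark and the openssl pkcs12 command posted above: it exports a constructed key and certificate once with openssl's defaults and once with the legacy 3DES/SHA-1 parameters, then reports which result an old Java 8 PKCS12 keystore can parse. The password, paths, CN and the `-name tomcat` alias are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: export one PEM key+cert to PKCS12 twice,
# once with openssl's defaults (OpenSSL 3 picks PBES2 / AES-256-CBC and a
# SHA-256 MAC) and once with legacy 3DES / SHA-1 parameters, then report which
# file an old Java 8 PKCS12KeyStore (the thread's 1.8.0_91) can load.
# Paths, the password and the key pair are all constructed here.
set -eu

WORK=$(mktemp -d)
PASS=demoPassword   # constructed stand-in for the real keystore password

# Throwaway self-signed key and cert standing in for certbot's privkey.pem and
# fullchain.pem under C:\Certbot\live\<domain>\ in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=redacted.domain" \
  -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null

# export_p12 MODE OUT : MODE is "default" or "legacy". -name tomcat sets the
# alias that server.ssl.keyAlias: tomcat refers to.
export_p12() {
  if [ "$1" = legacy ]; then
    # 3DES for key and certs plus a SHA-1 MAC; explicit flags rather than
    # OpenSSL 3's -legacy switch, so no legacy provider is needed.
    openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
      -name tomcat -passout "pass:$PASS" -out "$2" \
      -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  else
    openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
      -name tomcat -passout "pass:$PASS" -out "$2"
  fi
}

# pbe_summary FILE : the MAC and PBE lines openssl -info reports (on stderr).
pbe_summary() {
  openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" 2>&1 \
    | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# java8_compatible FILE : succeeds only when no PBES2 / AES / SHA-256 MAC is
# present; those are what make old Java 8 fail with "parseAlgParameters
# failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)".
java8_compatible() {
  ! pbe_summary "$1" | grep -qE 'PBES2|AES-|MAC: sha256'
}

export_p12 default "$WORK/default.p12"
export_p12 legacy  "$WORK/legacy.p12"
for f in default legacy; do
  echo "== $f.p12"; pbe_summary "$WORK/$f.p12"
  java8_compatible "$WORK/$f.p12" && echo "   old Java 8: OK" || echo "   old Java 8: will fail"
done
```

On OpenSSL 1.1.1 both exports already come out as 3DES/SHA-1, so only the legacy path is asserted; on OpenSSL 3 the default export is the one that reproduces the thread's exception.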

Hi @rg305, the demo.azure.com URL is just for this post only, and we are sure that we have included the password at the time of certificate generation.
We haven't implemented this exact set of steps before, so for now we looked on the web for the configuration of an SSL certificate with a Spring Boot application.

We followed the exact steps as they are given on the above website.

You should use "redacted.domain" or "fake.domain_name" or something that actually makes that obvious.
demo.azure.com is from a real domain (that belongs to Microsoft).

These steps seem a little bit different from what you've executed:

Note: There is a "\" missing in their instructions at the end of the first line #3

Differences are:
-name tomcat [missing line]
C:\Certbot\live\demo.azure.com\ [missing path for P12 file]
server.ssl.keyAlias: tomcat [missing line]

Commonly the domains example.com and equivalent TLDs are used.

And yet even that is an actual real/registered domain:

Name:      example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
           93.184.216.34

i.e. BAD.EXAMPLE - LOL

Actually IANA permits this domain to be used for this very purpose - you are so smart - LOL

They even have a cert for it:


Thanks @webprofusion we have generated the certificate using https://certifytheweb.com and applied successfully.

Can anyone help me with how we can apply the password-protected certificate that I have created with the Certify The Web application?

I am writing this config for my application.properties file:

server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath: certificate.pfx
server.ssl.key-store-password= demoPassword
server.port=443

After applying the certificate, when I try to run the application it throws a port listening error.
