To add the certificate to a Spring Boot 2 project

I have created a project in Spring Boot 2. I will be using Linux as the server and Docker to build all the services. Right now I use an unsigned certificate, created with keytool, which I load into my project like this:

server.port = 8443
server.address = localhost
server.ssl.key-store = classpath:KeyStore.jks
server.ssl.key-store-password = password
server.ssl.key-store-type = JKS
server.ssl.key-alias = miodominio

With the above configuration I can see the website by typing https://ip.server. Is it possible to create a KeyStore.jks file with your signature? I would like to type https://ip.server and see the Let's Encrypt certification. I haven't bought a domain name yet because I don't know how to do it but I'm trying to figure out how. To get the certificate, do I first have to purchase a domain name or is a static IP sufficient?
If I change IP because I change instance, do I have to recreate the certificate?
I need a step by step guide explaining how to add signed https on my project because I'm not a developer but a tech enthusiast.
Thank you

Let's Encrypt currently does not provide certificates for IP addresses and unfortunately plans for this have been shelved. It's uncertain whether and when Let's Encrypt will provide certs for IP addresses.

Also unfortunately, there was a free Chinese CA offering certs for IP addresses (pki.plus), but that CA has somehow gone. No clue how/where/what, though.

The recently started "Google Trust Services" does offer certs for IP addresses, but only for customers who own an entire IANA block or something like that. See Automate Public Certificate Lifecycle Management via ACME Client API | Google Cloud Blog for more info. So that isn't an option either, I guess.

There are some possibilities to get a free domain name though, such as Free and paid domains.

Not if you have a certificate for a hostname (which is most likely the only possibility anyway). The browser and/or certificate couldn't care less which IP address that hostname resolves to.

I'm afraid I personally can't provide that, as I'm not familiar with Spring Boot 2 at all.

7 Likes

I have added a domain name and a self-signed certificate to my site and everything works fine. If you explain to me how to add your certificate to Spring Boot 2.7.0, I will be happy to replace it. As a web server I use Tomcat 9 but on Docker Compose I don't have an explicit service because with Spring Boot 2 I produced a .jar file with an embedded version of Tomcat. My Docker configuration is as follows:

# docker-compose.yml
version: '3.9'
services:
  java:
    build: ./java
    image: image-java-eb:v.1.0
    container_name: container-java-eb
    ports:
      - 443:8443
    volumes:
      - type: bind
        source: ./volumes/data-java
        target: /appfolder
    restart: on-failure
    networks:
      - eb
networks:
  eb:

# Dockerfile (./java/Dockerfile)
FROM openjdk:11.0.15-jre-slim
EXPOSE 8443
WORKDIR /appfolder
CMD ["java", "-jar", "/appfolder/myapp.jar"]

On Docker I also have PostgreSQL on port 5432 and pgAdmin on port 80. If I have to change the port of pgAdmin it's not a problem. I'd like to reach pgAdmin with https and letsencrypt too if possible.
Thank you

1 Like

Hi @federico.galimberti, I got your DM. If you look at similar "spring boot docker let's encrypt" guides you'll find that you first need to get your certificate from Let's Encrypt (generally using certbot; it depends on what your host OS is), then apply it to your app configuration within docker:

You would likely use certbot (the guide is old and mentions certbot-auto which I don't think is still a thing).

If your domain is pointing to your host machine then you can use http validation to provide domain control to Let's Encrypt, if not you can try to use DNS validation instead.

5 Likes

A thousand thanks.
certbot-auto no longer exists; the guide is too old.
I had found this guide:

but it is no longer usable because it uses certbot-auto.
I found this new guide:

But it doesn't work and I don't understand why. I stop at this point:

sudo certbot certonly --standalone -d nomeadominio.qualcosa
ubuntu@webserver:~$ sudo certbot certonly --standalone -d nomeadominio.qualcosa
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for nomeadominio.qualcosa
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: nomeadominio.qualcosa
Type: dns
Detail: no valid A records found for nomeadominio.qualcosa; no valid AAAA records found for nomeadominio.qualcosa
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

You can only use Let's Encrypt to get certificates for real domains, this doesn't appear to be a real public domain.

5 Likes

My site is a free domain open on freenom. I edited the error code because I don't want to leave a trace of the domain name I am using on the forum.
The translation into English is a 'domainname.something'.

1 Like

Where does port 80 go?

5 Likes

I use port 80 for pgAdmin. However now I have removed all Docker containers. I am trying to install Let's Encrypt from an OS with no container running.

services:
  postgresql-postgis:
    ...
    ports:
      - 5432:5432
    ...

  pgadmin:
    ...
    ports:
      - 80:80
    ...

  java:
    ...
    ports:
      - 443:8443
    ...

volumes:
  data-postgresql:

networks:
  eb:

Can you tell me why I can't get these certificates?
Where am I wrong?

Input

sudo snap install core; sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo ufw allow 80
sudo ufw allow 443
sudo certbot certonly --standalone -d mydomain.tk -d www.mydomain.tk

Output

ubuntu@webserver:~$ sudo certbot certonly --standalone -d mydomain.tk -d www.mydomain.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mydomain.tk and www.mydomain.tk

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: mydomain.tk
  Type:   connection
  Detail: ###.###.###.###: Fetching http://mydomain.tk/.well-known/acme-challenge/__L...0: Error getting validation data

  Domain: www.mydomain.tk
  Type:   connection
  Detail: ###.###.###.###: Fetching http://www.mydomain.tk/.well-known/acme-challenge/k...4: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Source:

You are using the standalone option so that certbot runs a temporary webserver on port 80 in order to serve the challenge response. To do this you first need to ensure that you have stopped any other webserver that may be using port 80.

6 Likes

Thanks for the tip but I already knew about it. I deleted all Docker containers before making these attempts. I solved everything. The problem was the Oracle Cloud requiring additional configurations. This Cloud works differently from the others I have tried. Now I move on to converting all the certificates and everything else.

1 Like

@rg305, I found your code on the forum:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12
The problem is that with your code I don't know what to write after server.ssl.keyAlias in Spring Boot.

1 Like

I managed to create the certificate with Linux and import it into Docker where there is a container with Spring Boot and Tomcat embedded.
Now I need to add a nginx, apache or something similar and set up a reverse proxy.

1 Like