Create an HTTPS-enabled web app with Spring Boot. The application server is Tomcat, which Spring Boot embeds automatically. The server certificate is issued by Let's Encrypt, so it is a proper certificate that is trusted on the Internet.
To use HTTPS, the server must be reachable from the Internet, so you need a domain name (FQDN). In my case, the test server uses the following DDNS service.
Private MyDNS.JP https://www.mydns.jp/
Environment:
- Open JDK 14.0.1 (※)
- Spring Boot 4 4.6.2.RELEASE
- Development PC: Windows 10 Pro 1909
- Server: AWS EC2, machine image Amazon Linux AMI 2018.03.0
To build a server over HTTPS, you first need a server certificate. Start by building a web server on AWS EC2.
Log in to the server with Tera Term. The user name is ec2-user and no password is required; as the RSA key, specify the key file downloaded in step 3.
After logging in, update the packages.
sudo yum -y update
Install Apache HTTP Server.
sudo yum -y install httpd mod_ssl
sudo service httpd start
Make the Apache root folder accessible to ec2-user.
sudo chown ec2-user /var/www/html/
First, go to the OpenJDK site on your PC and download the .tar.gz for Linux.
Upload the downloaded openjdk-14.0.1_linux-x64_bin.tar.gz to the server. You can upload it by dragging and dropping onto Tera Term.
Extract it.
tar zxvf openjdk-14.0.1_linux-x64_bin.tar.gz
Create /etc/profile.d/env.sh to add OpenJDK to PATH.
# /etc/profile.d/env.sh
export PATH=/home/ec2-user/jdk-14.0.1/bin:$PATH
Log in to the server again to apply the PATH setting.
Register the server address with DDNS. With MyDNS, you update it by accessing the site with wget. You need to register for a free account; for details, check the MyDNS site. (mydns123456 is the master ID; replace the password placeholder with your own password.)
wget -O - 'http://mydns123456:<password>@www.mydns.jp/login.html'
The default security group on EC2 allows only SSH. Allow HTTP and HTTPS as well.
Select the instance you created in the Instances pane and click the Security Group link (such as launch-wizard-1). Select Edit Inbound Rules, click Add Rule, and allow HTTP and HTTPS from anywhere.
Install git and socat.
sudo yum -y install git socat
Install acme.sh, the Let's Encrypt automation shell script.
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install
Create a certificate with the following command (the domain name is a fake one). The -w option points acme.sh at the Apache document root so it can answer the HTTP validation challenge.
./acme.sh --issue -d my.domain.jp -w /var/www/html
Pack the generated certificate and private key in PKCS12 format.
openssl pkcs12 -export -in ~/.acme.sh/my.domain.jp/my.domain.jp.cer -inkey ~/.acme.sh/my.domain.jp/my.domain.jp.key -out ~/my.domain.jp.p12
You will be prompted for an export password, so set one. Be sure to record this password, as you will need it in the Spring Boot settings.
/home/ec2-user/my.domain.jp.p12 should now have been created, so download it. The SCP function of Tera Term is an easy way to do this.
With the above, the PKCS12 file of the Let's Encrypt certificate has been created.
Create a web application with Spring Boot. The purpose here is to explain enabling HTTPS, so the site itself will be very simple.
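The openssl command above packs only the leaf certificate, and the bundle is built by hand once, while Let's Encrypt certificates are valid for 90 days. The following script is an added example, not part of the original post or of acme.sh, that does the same packaging from acme.sh's default output directory (~/.acme.sh/<domain>/ with <domain>.cer, <domain>.key and ca.cer) but also includes the intermediate chain and sets the domain as the key alias, and then checks the resulting .p12 before it is copied into the Spring Boot project: that it opens with the password, contains a private key, names the domain in its Subject Alternative Name, and will not expire within a chosen number of days. The function names build_p12 and p12_check are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or acme.sh).
# Assumed layout: $ACME_DIR/$DOMAIN/$DOMAIN.cer (leaf), $DOMAIN.key, ca.cer (intermediate).

# build_p12 DOMAIN ACME_DIR OUT_FILE PASSWORD
# Exports leaf + key + intermediate chain into OUT_FILE. The alias (-name) lets
# server.ssl.key-alias in application.properties select this entry explicitly.
build_p12() {
  domain="$1"; acme_dir="$2"; out="$3"; pass="$4"
  d="$acme_dir/$domain"
  openssl pkcs12 -export \
    -in "$d/$domain.cer" -inkey "$d/$domain.key" -certfile "$d/ca.cer" \
    -name "$domain" -out "$out" -passout "pass:$pass"
}

# p12_check FILE PASSWORD DOMAIN [MIN_DAYS]
# Returns 0 only if the bundle opens with PASSWORD, holds a private key, its leaf
# certificate lists DOMAIN as a DNS SAN, and it stays valid for MIN_DAYS more days.
p12_check() {
  p12="$1"; pass="$2"; domain="$3"; min_days="${4:-30}"

  # 1. Wrong password or damaged file: openssl fails the MAC check and exits non-zero.
  leaf=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) || {
    echo "p12_check: cannot open $p12 (wrong password or damaged file)" >&2; return 1; }

  # 2. A bundle without the private key cannot terminate TLS.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' \
    || { echo "p12_check: no private key in bundle" >&2; return 1; }

  # 3. The browser matches the host name against the SAN list, not the file name.
  printf '%s\n' "$leaf" | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:${domain}(,|\$)" \
    || { echo "p12_check: certificate is not for $domain" >&2; return 1; }

  # 4. -checkend exits non-zero if the certificate expires within the given seconds.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "p12_check: certificate expires within $min_days days" >&2; return 1; }

  return 0
}

# Usage with the post's fake domain and example password:
#   build_p12 my.domain.jp "$HOME/.acme.sh" "$HOME/my.domain.jp.p12" MyPassword
#   p12_check "$HOME/my.domain.jp.p12" MyPassword my.domain.jp 30
if [ "$#" -ge 3 ]; then p12_check "$@"; fi
```

acme.sh installs a cron job on --install that renews the certificate files, but nothing regenerates the .p12 or restarts the Spring Boot app; rerunning build_p12 after each renewal (for example from acme.sh's --reloadcmd hook) and uploading the new bundle keeps the site from serving an expired certificate, and p12_check with a 30-day margin makes that failure visible before browsers do.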
Start Spring Tool Suite and select "File"-"New"-"Spring Starter Project".
Dependencies can be just "Spring Web".
Create a sample page.
Create src/main/resources/static/index.html.
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>HTTPS Sample</title>
</head>
<body>
<h1>Let's Encrypt!</h1>
</body>
</html>
Add the following to src/main/resources/application.properties.
server.port=443
server.ssl.key-store=my.domain.jp.p12
server.ssl.key-store-password=MyPassword
server.ssl.keyStoreType=PKCS12
Copy the my.domain.jp.p12 file downloaded from the server to the root folder of your project.
Launch the Spring Boot app with "Run" -> "Run as" -> "Spring Boot App". Since the certificate is for the FQDN registered in DDNS, this warning is displayed when you access the app via localhost. If you ignore the warning and proceed, the page is displayed, but for now it is enough to see this warning.
To run the site on the AWS server, you need to upload the program created by Spring Boot as a jar file.
Run "Run"-> "Run as"-> "Maven install" in Spring Tool Suite.
"SampleHTTPS-0.0.1-SNAPSHOT.jar" will be created in the "target" folder.
Right-click the file-> "Show in"-> "System Explorer" to open Explorer, and drag and drop it into Tera Term.
You also need **my.domain.jp.p12** from the project folder (one level above target), so drag and drop it onto Tera Term in the same way to upload it.
If Apache is running on the server, stop it, because its port conflicts with the application created by Spring Boot.
sudo service httpd stop
sudo chkconfig httpd off
Start the Java program. However, ec2-user cannot bind port 443, so switch to root with su before running it.
sudo su
java -jar SampleHTTPS-0.0.1-SNAPSHOT.jar
If it starts, open the site in a browser. The page is just text, but the lock icon shows that HTTPS is enabled. If you look at the certificate, you can see that it was issued by Let's Encrypt.
It's been long, but that's it.
References:
- Enable SSL (HTTPS) in Spring Boot
- Let's Encrypt official: https://letsencrypt.org/ja/docs/client-options/
- acme.sh on GitHub: https://github.com/acmesh-official/acme.sh