Letsencrypt Https certificate on Spring Boot 2 and Nginx

06/09/2019 20:04

Getting the certificate

In this article, Assuming you already have Certbot managing https certificate for you (if not, you can start by following one of the tutorials in resources). This means you can find a path similar to this in your server:


Our Spring Boot application expects PKCS12. We need to create a keystore. Doing that you will be asked to provide a password. This password needs to be provided to your Spring application as well (Find a secure way to do it. We are using application properties in this example for simplicity).

cd /etc/letsencrypt/live/

The value under -name will be the alias of this key in the keystore.

openssl pkcs12 -export -in fullchain.pem \
-inkey privkey.pem \
-out keystore.p12 \
-name mydomainkeyalias \
-CAfile chain.pem \
-caname root

If you are planning to include this command in Certbot's deploy hook, you will also need to provide the password in one go. You can do so by providing the -passout option:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem \
-out keystore.p12 \
-passout pass:keystorepassword \
-name mydomainkeyalias \
-CAfile chain.pem \
-caname root

Spring boot 2 application

We will just need a few properties and our custom HTTPS configuration.


Edit your domain Nginx configuration to reflect our latest changes.

First, you will need to make sure your first <server> does not contain
listen 80 If this is the case, any non HTTPS request will just be consumed by it

Certbot should have already added to it a few things to get 443 ssl properly managed.

Add the second server to return HTTP 301 redirect to HTTPS version of URL. In this case we will add listen 80 to it.

Your final configuration may look more or less like this.

And once we are done, we will need to reload the configuration.

nginx -s reload

Once this is done, all requests to your host should be automatically redirected to their HTTPS version. And all https urls served by your spring boot application should be properly recognised by the browser as a secure web site.