Let’s Encrypt Certificate Renewal: for Spring Boot

In previous article, we became familiar with how to fetch a valid certificate using Let’s Encrypt client. In this post, we see how we can renew our certificates and use them with Spring Boot.

Introduction

Let’s Encrypt certificates are only valid for 90 days. Some may say 3 months is too short comparing to validity period of certificates offered by other providers. They have two motivations for this strict decision: (1) limiting damage from key compromise or mis-issuance; (2) encouraging automation.

Renewal process

  1. Open your Let’s Encrypt client directory, I mean the certbot.
    Remarks:
    On the same machine that certificates and keys are located. Please read all of the remarks from the previous post, such as having python installed, having port 80 open, etc.
  2. Run the renew command as follows.

    This command checks the expiry date of certificates located in this machine (managed by Let’s Encrypt), and renew the ones that are either expired or about to expire.

We have new certificates, as simple as that!
As discussed in the previous post:

Spring-Boot does not support PEM files generated by Let’s Encrypt. Spring Boot supports PKCS12 extension. Using OpenSSL, we convert our certificate and private key to PKCS12.

Preparation for Spring Boot

Let’s create a PKCS#12 key store!

  1. Go to /etc/letsencrypt/live/example.com
  2. We convert the keys to PKCS12 using OpenSSL in the terminal as follows.

The file ‘keystore.p12’ with PKCS12 is now generated in ‘/etc/letsencrypt/live/example.com’.

But wait!

I assume the machine that you’re woking on is the one with running Spring Boot. It means that we’re not done yet! The previous ‘keystore.p12’ is still in the memory, meaning that you need to restart your application! 

It’s not always viable to simply restart a running application. There might be other ways to update it without restarting but it’s not in the scope of this post.

The take-home message

In this post, we saw how to renew an existing, about-to-expire certificate. Afterwards, we created a PKCS#12 keystore to make Spring Boot happy. If you really don’t unnecessarily play with configurations, it takes less than 5 minutes to have all things ready.

The main takeaway message for me is that Let’s Encrypt makes (re-)issuing certificates incredibly faster, easier, cheaper for everyone. And today we must enable our services to use HTTPS.

 

 

 

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

3 thoughts on “Let’s Encrypt Certificate Renewal: for Spring Boot

  1. Hi Mr.Heydari
    Would you please explain how we can use the part of article involved with linux command, in windows command prompt? Or I should ask would you please explain the article to use in windows environment?
    By the way can we use let’s encrypt in development environment?
    Thanks

    • Unfortunately I am not a Window user, but I assume it’s not that different. You may need a different tool to convert your certificates. I think you should Google it.

      About using Let’s Encrypt in development, if you have a valid domain name with which you’re working, yes you can.

Leave a Reply

Your email address will not be published. Required fields are marked *