How to install Let's Encrypt to my droplet with dockerized spring boot app?

October 29, 2019 728 views
Docker Ubuntu 18.04 Let's Encrypt
yonetmen
By:
yonetmen

Hello everybody,

I created a droplet (Docker 5:19.03.1~3 on 18.04). I pulled my docker image from docker hub and run it. My docker image contains a Spring boot application. (tomcat embedded). It’s working nice but I want to add https (Let’s encrypt) to my page. I found some documents, tutorials but everybody talks about nginx & apache. Can someone please help me to install https to my spring boot (embedded tomcat) application on my droplet (Ubuntu 18.04.3 LTS bionic) The page is up and running now and I will keep it running while fixing this if possible.

Sign In to Comment
3 Answers
bobbyiliev MOD October 30, 2019

Hello,

I would suggest checking this answer here.

What they are suggesting is the following:

  • Get the certbot from here:

https://github.com/certbot/certbot

  • Generate a certificate for your domain:
./certbot-auto certonly -a standalone -d example.com -d www.example.com

  • The SSL would be stored at /etc/letsencrypt/live/example.com. Spring Boot expects PKCS#12 formatted file. So t convert the certificate you could do the following:

  • Go to the /etc/letsencrypt/live/example.com directory.

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root

  • The file keystore.p12 with PKCS12 is now generated in /etc/letsencrypt/live/example.com

  • Then you have to configure your Spring Boot app. In your application.properties file and put the following properties there:

server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/example.com/keystore.p12
server.ssl.key-store-password=<your-password>
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

I would recommend going through the two original articles as well:

Hope that this helps!
Regards,
Bobby

yonetmen October 30, 2019
[deleted]
yonetmen October 30, 2019

I follow the instructions but having problems. Let me tell you about my process. I just created a new droplet (Docker 5:19.03.1~3 on 18.04). Then I opened an SSH into my droplet. Logged in as root. I run the command to pull and run my docker image from the docker hub. I logged in my Godaddy account and updated A record to pointing my new droplet. At this point, when I browse into gizartblog.com everything works just fine.

Now, In my ssh console I ran the command in the current folder (root):

git clone https://github.com/certbot/certbot

Inside newly-created certbot folder, I ran

./certbot-auto certonly -a standalone -d gizartblog.com -d www.gizartblog.com

I get this error after this command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gizartblog.com
http-01 challenge for www.gizartblog.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I run this command to run my docker image:

docker run -d -p 80:8080 myusername/myproject:latest
  • yonetmen October 30, 2019

    Nobody can explain step by step how to fix this issue? The instructions above are all over the internet but it’s not really working.

  • bobbyiliev MOD October 31, 2019

    Hi,

    Have you tried starting the container first and then running the certbot command?

    The error that you are getting is saying that certbot is unable to connect on port 80, this would happen if you don’t have anything listening on that port.

    Let me know how it goes.
    Regards,
    Bobby

    • yonetmen October 31, 2019

      Hi Bobby,

      I already started the container first with docker run -d -p 80:8080 myusername/myproject:latest and then ran the certbort command.

      • bobbyiliev MOD November 5, 2019

        Hello,

        Note that in order to issue the SSL certificate with Let’s Encrypt your domain name needs to be pointing to the droplet’s IP address in order for Let’s Encrypt to be able to validate that you actually own the domain name.

        If the domain name is not pointing to the IP address, you would get that Problem binding to port 80: Could not bind to IPv4 or IPv6. error.

        If the above approach is not working, I would just suggest using Nginx as a reverse proxy and SSL termination.

        Hope that this helps!
        Regards,
        Bobby

Have another answer? Share your knowledge.

Related