By Michał Łoza, Backend Chapter Lead
As a tech-powered multi-brand restaurant, Kitopi’s operations and growth is highly dependent on effectively leveraging technology to create the very best employee, partner, and customer experiences. With a 250+-strong team of tech experts working across various areas of technology and product, we are pleased to launch our Tech Insights Series, where we take you on a deep-dive on a chosen tech-focused topic, to share knowledge and insights into the tech that is fueling our mission to satisfy the world’s appetite.
In today’s deep-dive, our Backend Chapter Lead Michal Loza shares his expertise on website encryption- a key security feature we employ to ensure customers can transact on our platforms safely and securely.
Amazon EC2 + SSL from Let’s encrypt in Spring Boot Application
You may often see a lock icon next to a website domain name in your browser. This icon tells you that the connection between browser and server is encrypted, which means that no one from your network can see what data you are sending and receiving. This security feature is particularly important for sites asking for sensitive data such as credit card numbers.
Today, most modern browsers require encryption, and flags a warning when encryption is not in place, even blocking any data from being sent to servers. Behind this excellence practice is the very important task for software developers to provide encryption for users. For developers, encryption must be in place at the early stage of development, and typically undergoes multiple rounds of testing even before the application is ready.
From a development perspective, implementing encryption requires the generation of a SSL (Secure Sockets Layer) certificate, which could be problematic because most providers would charge for it. And the cost is not always an option in all situations, for example, when building small applications or when intending to distribute for free.
This is when Let’s Encrypt comes in handy - as it allows generation of SSL certificates for free. While they are only valid for 3 months, they can be renewed with no additional cost. This article outlines how to utilize this service and how to install on a server that is running applications built in Java on Spring Boot framework. We’ll use the AWS EC2 platform that will provide a virtual machine to host our application.
Domain configuration
Let’s encrypt doesn’t allow you to generate its certificate on EC2 default domain (e.g. ec2–54–221–22–192.compute-1.amazonaws.com). You need to have your own domain. Fortunately, they are cheap. You can use for example OVH.com to buy one. I’m using this provider, and I can recommend it for buying domains there. In the package, together with the domain, you get DNS server where you can edit all records.
Okay, when we have our domain, we need to configure it. You can add it to Route 53 and host your DNS servers there. It would cost you $0.5 per month. Or, as I mention earlier, you can use DNS servers from OVH. I bought cheap domain with tld .ovh: loza.ovh. I want to have my server available under subdomain ec2.loza.ovh. IP of my machine is 54.221.22.192. I’m adding A record like below. You can obtain the IP address of your machine from AWS EC2 console.
After configuring this, we need to wait a couple of minutes, so the configuration can propagate across the network. After that, we can open the browser and type address: http://ec2.loza.ovh:8080 (my Spring Boot app is running on port 8080). As you can see, now our browser is displaying a warning that our traffic is not encrypted. Let’s do something with that.
Required packages
Before we can start requesting a certificate, we need to install certbot. But before that, we must add a new package repository. You have to run the below commands to achieve that.
When the installation is complete, we can request a certificate for our application.
Requesting a certificate
To request a certificate, we have to use the command showed below. As a -d parameter we are putting our domain name.
Certbot is starting own server on port 80, so you need to make sure that it’s available to use. After executing the command, you have to provide your email address. They would send you reminder about renewing your certificate, I didn’t get any spam from them yet. Next, you must accept T&C. The last thing is to decide if we want to share our email address with Electronic Frontier Foundation, it’s optional, and you don’t need to agree to this.
After going through this procedure, you can find certificates in /etc/letsencrypt/live/ec2.loza.ovh/ directory. Now we need to convert them to a format that java would accept.
Converting certificate
To get to the directory with certificates, we must be logged in as a root. Then we can change directory.
Now we can make conversion. As a name, we can provide any value, after that, we also need to provide this value in application configuration. During conversion, we’ll be asked to set up the password for certificate, you can leave it empty (but you should enter the password).
Okay, now we can copy our keystore to the directory with application and change its owner, so application can access it. After that, we can exit root session.
Enable SSL in Spring Boot Application
To enable SSL in Spring Boot Application, we need to provide some parameters in the application.yml. We can create this file in the same directory as we have our .jar file, or add to one that is within a .jar file. We have to add these parameters:
As key alias, we need to provide the same value as we provided in the name parameter during certificate conversion. Passwords also have to be the same as the ones for our certificate and key store (if we have any).
Ok, now we can restart (or run) our application. Make sure you have open port 8443 in your security group in AWS. When the application is running, we can open our page — for me, it would be https://ec2.loza.ovh:8443. Remember to put https:// before address, if you will forget about that, you’ll get an error message that this connection requires TLS enabled. After opening the page, you should see a lock next to your domain. That means that you have encrypted traffic between the server and your browser.
Certificate renewal
As I mentioned before, certificates are valid only for 3 months. But we can renew them. You can try running it in dry-run mode now.
To renew, you again need to have port 80 available to certbot server, so it can bind on that port. After that, you also have to convert your certificate, so Spring Boot would see new version.
That’s all
Now you and your users can enjoy your application with safe communication. Just remember to renew certificate when it would be close to expiring. But you’ll receive notification to your email about that.