Let’s Encrypt is one of the best-known sources of free SSL certificates. This post shares today’s research on generating free SSL certificates with the Certbot tool.

1. Connect to the server and install Certbot

Connect to the server and enter the command to install Certbot:

sudo apt install certbot

2. Start to manually generate the certificate

Run the following command:

sudo certbot certonly -d "your domain name" -d "*.your domain name" --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

The -d parameter can be given several times to add multiple domain names. The second -d here uses a wildcard, so the generated certificate also covers all subdomains.

For example, if my domain name is swsk33-web.link, the command to generate the certificate is as follows:

sudo certbot certonly -d "swsk33-web.link" -d "*.swsk33-web.link" --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

The certificate will support swsk33-web.link and *.swsk33-web.link.

You are then prompted to enter your email address:

Type in your email, press Enter.

You are then asked whether you agree to the terms of service:

Type a, press Enter.

Next you are asked whether you would like to subscribe to their mailing list:

This is optional; I am going to say no here. Type n, press Enter.

Next you are asked whether you agree to your IP address being logged. You must answer yes here, otherwise the certificate will not be generated:

Type y, press Enter.

You will then be asked to add a TXT record to the domain name:

Log in to your domain name provider, add the record in the DNS settings, and press Enter. Certbot may then prompt you to add another TXT record; its value is different from the first one, so add this record to the DNS settings as well:

In other words, add two TXT records.
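Let’s Encrypt checks the DNS challenge by looking up the TXT records at _acme-challenge.<your domain>, so pressing Enter before both records are publicly visible makes the whole run fail. The following POSIX shell helper is an added example, not code from the original post: it polls a public resolver with dig until every challenge value Certbot printed is present, and only then should you press Enter. The resolver address (1.1.1.1), the 30-attempt limit and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: verify that the _acme-challenge TXT records Certbot asked for
# are visible before continuing the manual DNS challenge.
set -eu

# Normalise `dig +short TXT` output: drop the surrounding quotes and join
# strings that dig shows split as "..." "..." (values longer than 255 bytes).
parse_txt() {
  sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Read dig output from stdin; return 0 only if every expected value is present.
has_all_values() {
  answers="$(parse_txt)"
  for want in "$@"; do
    printf '%s\n' "$answers" | grep -Fxq -- "$want" || return 1
  done
  return 0
}

# Poll a public resolver (assumed: 1.1.1.1) until all values are visible.
# Usage: wait_for_txt _acme-challenge.swsk33-web.link "<value 1>" "<value 2>"
wait_for_txt() {
  name="$1"; shift
  attempts=0
  while [ "$attempts" -lt 30 ]; do
    if dig +short TXT "$name" @1.1.1.1 | has_all_values "$@"; then
      echo "all TXT values visible for $name"
      return 0
    fi
    attempts=$((attempts + 1))
    sleep 10
  done
  echo "timed out waiting for TXT records at $name" >&2
  return 1
}
```

A public resolver is only a proxy for what Let’s Encrypt’s own validators will see, but a record that is not yet visible there is almost certainly not visible to them either, so this check catches the common case of pressing Enter too early.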

Press Enter, and the certificate will be generated. The following figure shows success!

The certificate is generated in the /etc/letsencrypt/live/<your domain> directory.

3. Convert the PEM certificate to p12 for configuration in Spring Boot

To convert the certificate, run the following command:

sudo openssl pkcs12 -export -in "path of your certificate file" -inkey "path of your private key file" -out "path of the P12 certificate file to generate"

For example, on my side:

sudo openssl pkcs12 -export -in "/etc/letsencrypt/live/swsk33-web.link/cert.pem" -inkey "/etc/letsencrypt/live/swsk33-web.link/privkey.pem" -out "/etc/letsencrypt/live/swsk33-web.link/key.p12"

Running this command prompts you to set a password for the P12 certificate. Choose one yourself and remember it; you will need it later.

And there you have it!

Then open the application.properties configuration file of your Spring Boot project and add the following configuration:

server.ssl.key-store=file:<path of the newly generated P12 certificate>
server.ssl.key-store-password=<password set when the P12 certificate was generated>
server.ssl.keyStoreType=PKCS12

For example, my configuration:

# SSL certificate settings
server.ssl.key-store=file:/etc/letsencrypt/live/swsk33-web.link/key.p12
server.ssl.key-store-password=123456
server.ssl.keyStoreType=PKCS12

Start the project and you will find that your site is now served over HTTPS!

4. Renewal, revocation

This certificate is only valid for three months, so it needs to be renewed roughly two months later. Renew it and convert the PEM to a P12 certificate by running the following commands:

sudo certbot renew
sudo openssl pkcs12 -export -in "renewed certificate file path" -inkey "renewed private key file path" -out "path of the P12 file for the renewed certificate"

Note that during the conversion after renewal it is recommended to use the same P12 file path and password as the first time, so that the Spring Boot configuration does not need to change.
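The conversion in section 3 and the renew-then-convert step above can be automated with a Certbot deploy hook, so the P12 path and password really do stay the same every time. The script below is an added example, not part of the original post: Certbot runs executable scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal with RENEWED_LINEAGE set to the lineage directory (/etc/letsencrypt/live/<domain>), and the script re-exports key.p12 from fullchain.pem, which unlike cert.pem also carries the intermediate certificate, using a password read from a file instead of typed at a prompt. The hook file name, the password file path /etc/letsencrypt/p12-password and the sample domain are assumptions.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that re-exports a renewed lineage to PKCS#12
# for Spring Boot. Install as /etc/letsencrypt/renewal-hooks/deploy/p12.sh (assumed
# path, mode 0755); Certbot runs it after every successful renewal with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>.
set -eu

# Where the P12 file lives inside a lineage directory (same name the post uses).
p12_path() { printf '%s/key.p12' "$1"; }

# Export fullchain.pem + privkey.pem into key.p12.
# fullchain.pem (rather than cert.pem) also contains the intermediate certificate,
# so clients that do not already have the intermediate can still build the chain.
# The export password is read from a file (mode 0600) instead of being typed,
# which keeps the hook non-interactive and the password out of the shell history.
convert_lineage() {
  lineage="$1"      # e.g. /etc/letsencrypt/live/swsk33-web.link
  pass_file="$2"    # e.g. /etc/letsencrypt/p12-password (assumed path)
  for f in fullchain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done
  [ -r "$pass_file" ] || { echo "missing password file $pass_file" >&2; return 1; }
  out="$(p12_path "$lineage")"
  umask 077         # the P12 contains the private key: owner-readable only
  openssl pkcs12 -export \
    -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
    -out "$out" -passout "file:$pass_file"
  echo "$out"
}

# When invoked by Certbot, RENEWED_LINEAGE is set; when run by hand it is not.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  convert_lineage "$RENEWED_LINEAGE" /etc/letsencrypt/p12-password
fi
```

For the first conversion you can call convert_lineage by hand with the lineage directory and the password file; the server.ssl.key-store-password value in application.properties must match the content of that file. Spring Boot still has to be restarted after the hook runs so that it loads the new keystore.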

If the certificate is no longer needed, we can revoke it.

Note that revocation does not delete the certificate files from disk:

sudo certbot revoke --cert-path "/etc/letsencrypt/live/your domain/cert.pem"

To list your own certificates, run sudo certbot certificates:

For example, to revoke my certificate:

sudo certbot revoke --cert-path "/etc/letsencrypt/live/swsk33-web.link/cert.pem"

Enter Y as prompted to revoke.

You can then manually delete the /etc/letsencrypt/live/<your domain> directory.

If any problem occurs, you can manually delete /etc/letsencrypt and try again.