Provide autoconfiguration to enable TLS for Web Server using PEM files instead of Keystore #29273

Closed
making opened this issue Jan 5, 2022 · 1 comment
Assignees
Labels
theme: ssl Issues related to ssl support type: enhancement A general enhancement
Milestone

Comments

@making
Member

making commented Jan 5, 2022

It is now possible to make your web server TLS enabled using properties such as server.ssl.key-store.
However, it only supports Keystore and does not support the widely used PEM format.
In Kubernetes, it is common to store TLS certs as PEM files in Secret. cert-manager, which is popular for issuing certificates, also creates a Secret in PEM format.
If my understanding is correct, in order to enable TLS using this PEM file in a Spring Boot application, you need to convert it to a jks file using keytool. In Kubernetes, an initContainer that mounts the TLS PEM file from the Secret and performs this conversion is required, which is very painful.
As far as I can tell, Tomcat and Netty (maybe others) can take PEM files directly, in addition to a KeyStore, to enable TLS as follows.

```java
import java.io.File;

import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import reactor.netty.http.Http11SslContextSpec;

import org.springframework.boot.web.embedded.netty.NettyServerCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;

	// Netty (reactive stack): build the SslContext straight from the PEM cert and key files
	@Bean
	public NettyServerCustomizer nettyCustomizer() {
		return httpServer -> httpServer.secure(sslContextSpec -> {
			Http11SslContextSpec spec = Http11SslContextSpec.forServer(new File("<path to server.crt>"), new File("<path to server.key>"));
			sslContextSpec.sslContext(spec);
		});
	}

	// Tomcat (servlet stack): point the JSSE protocol handler at the PEM cert and key files
	@Bean
	public TomcatConnectorCustomizer tomcatCustomizer() {
		return connector -> {
			AbstractHttp11JsseProtocol<?> protocol = (AbstractHttp11JsseProtocol<?>) connector.getProtocolHandler();
			protocol.setSSLEnabled(true);
			protocol.setSSLCertificateFile("<path to server.crt>");
			protocol.setSSLCertificateKeyFile("<path to server.key>");
		};
	}
```

I tested the above code with self-signed certificates generated as follows:

```sh
mkdir certs
curl -sL https://gist.github.com/making/92dc4c3ab7ee7be8a31f5f8345c6df88/raw/fa6f6ef52b74af7af20a2ac8cd921a98f5650a91/generate-certs.sh > certs/generate-certs.sh
docker run --rm -v ${PWD}/certs:/certs hitch bash /certs/generate-certs.sh 127-0-0-1.sslip.io
```

It would be very convenient if this was provided in the auto configuration.

(Tip: cert-manager uses PKCS#1 format by default. It won't work unless you set PKCS#8 in certificate.spec.privateKey.encoding)

related issue #24940
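The PKCS#1 versus PKCS#8 caveat in the tip above is the part that bites in practice, so here is an added example (not code from the issue, from Spring Boot, or from cert-manager) showing what the difference is on the wire: a stdlib-only Python script that tells the two PEM encodings apart by their label and wraps a PKCS#1 `RSAPrivateKey` into a PKCS#8 `PrivateKeyInfo`, which is the same transformation `openssl pkcs8 -topk8 -nocrypt` performs. The function names are mine, and the sample key is a constructed textbook-sized RSA key that only exercises the encoding; it is not a usable key.

```python
import base64
import re
import textwrap

# PEM labels: cert-manager writes PKCS#1 ("RSA PRIVATE KEY") unless
# certificate.spec.privateKey.encoding is set to PKCS8 ("PRIVATE KEY").
PKCS1_LABEL = "RSA PRIVATE KEY"
PKCS8_LABEL = "PRIVATE KEY"
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, DER-encoded

# --- minimal DER helpers (only what PrivateKeyInfo needs) ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return der_tlv(0x02, body)

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- PEM helpers ---

def pem_decode(pem, label):
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if not m:
        raise ValueError(f"no '{label}' block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def pem_encode(der, label):
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"

def detect_pem_key_encoding(pem):
    """Return 'PKCS#1' or 'PKCS#8' from the PEM label, which is what a TLS stack keys on."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem)
    label = m.group(1) if m else None
    if label == PKCS1_LABEL:
        return "PKCS#1"
    if label == PKCS8_LABEL:
        return "PKCS#8"
    raise ValueError(f"unsupported or missing PEM label: {label!r}")

# --- conversion ---

def pkcs1_to_pkcs8(pem):
    """Wrap an unencrypted PKCS#1 RSAPrivateKey in a PKCS#8 PrivateKeyInfo
    (same result as `openssl pkcs8 -topk8 -nocrypt`); PKCS#8 input is returned unchanged."""
    if detect_pem_key_encoding(pem) == "PKCS#8":
        return pem
    rsa_der = pem_decode(pem, PKCS1_LABEL)
    algorithm = der_sequence(der_tlv(0x06, RSA_ENCRYPTION_OID), der_tlv(0x05, b""))  # rsaEncryption, NULL params
    private_key_info = der_sequence(der_integer(0), algorithm, der_tlv(0x04, rsa_der))
    return pem_encode(private_key_info, PKCS8_LABEL)

def pkcs8_inner_rsa_der(pem):
    """Unwrap a PKCS#8 PEM and return the embedded PKCS#1 DER, checking the structure on the way."""
    der = pem_decode(pem, PKCS8_LABEL)
    tag, body, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed PrivateKeyInfo")
    tag, version, pos = der_read(body)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PrivateKeyInfo version")
    tag, algorithm, pos = der_read(body, pos)
    oid_tag, oid, _ = der_read(algorithm)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, rsa_der, _ = der_read(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey is not an OCTET STRING")
    return rsa_der

# Constructed sample: the textbook RSA parameters (n=3233, e=17, d=2753) laid out as
# RSAPrivateKey {version, n, e, d, p, q, dP, dQ, qInv}. Far too small to be a usable
# key; it only exercises the encoding.
SAMPLE_PKCS1_PEM = pem_encode(
    der_sequence(*(der_integer(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38))),
    PKCS1_LABEL,
)

if __name__ == "__main__":
    print(detect_pem_key_encoding(SAMPLE_PKCS1_PEM))
    print(pkcs1_to_pkcs8(SAMPLE_PKCS1_PEM), end="")
```

Run it against a real cert-manager `tls.key` by replacing `SAMPLE_PKCS1_PEM` with the file contents; `detect_pem_key_encoding` tells you whether the Secret was issued with the default PKCS#1 encoding, and `pkcs1_to_pkcs8` gives the PKCS#8 form that the PEM-based server configuration above expects. The wrapper only covers unencrypted RSA keys; EC keys use a different inner structure and algorithm identifier, so they are rejected rather than silently mis-wrapped.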

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 5, 2022
@philwebb philwebb added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 6, 2022
@philwebb philwebb added this to the 2.7.x milestone Jan 6, 2022
@philwebb
Member

philwebb commented Jan 6, 2022

We'll have to also look at Jetty and Undertow. Regardless, I think this would be a nice enhancement.

@wilkinsona wilkinsona added the theme: ssl Issues related to ssl support label Jan 6, 2022
@scottfrederick scottfrederick self-assigned this Mar 21, 2022
@scottfrederick scottfrederick modified the milestones: 2.7.x, 2.7.0-RC1 Apr 13, 2022
5 participants