
How to set up a basic HTTPS server with let's encrypt free certificate service?

So far I followed let's encrypt setup on my CentOS 7 machine and got this nice output:

    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.clashofstones.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.clashofstones.com/privkey.pem
    Your cert will expire on 2019-02-01.

I saw a few answers for HTTPS setup but they all use a *.keystore file and some password, which I didn't make.

    import java.io.FileInputStream;
    import java.security.KeyStore;

    // Password that was chosen when the keystore file was created
    char[] password = "simulator".toCharArray();
    // JKS is the legacy Java keystore format; the file is read from the working directory
    KeyStore ks = KeyStore.getInstance("JKS");
    FileInputStream fis = new FileInputStream("lig.keystore");
    ks.load(fis, password);

I also bump into nanohttpd, they seem to support HTTPS, but I didn't find an example for it.

It's supposed to be used like this:

    NanoHTTPD myServer = new NanoHTTPD(port);
    SSLServerSocketFactory sslServerSocketFactory; // how to build this from the PEM files?
    String[] sslProtocols;                         // e.g. the TLS versions the server should accept
    myServer.makeSecure(sslServerSocketFactory, sslProtocols);
    myServer.start(timeOut, isDeamon);

So my question is to how to construct sslServerSocketFactory and sslProtocols using fullchain.pem and privkey.pem files.

Ilya Gazman
    What do you mean by "basic HTTPS server"? Do you want a web server like Tomcat or Jetty to deploy a Java web application? Or do you want an embedded web server? For serving some simple static content you don't need a Java web server at all. You should first check your requirements and decide which server you want to use. Then read the specific HTTPS configuration docs. E.g. the HTTPS Jetty docs: https://www.eclipse.org/jetty/documentation/9.4.12.v20180830/configuring-ssl.html – vanje Nov 04 '18 at 23:57
  • @vanje I need an embeddable server for rest API. – Ilya Gazman Nov 05 '18 at 00:42
  • _If_ you need Java -- and I concur with @vanje you haven't shown you do -- then you need to convert the PEM files produced by LE client(s) to a keystore format usable by Java -- traditionally this was JKS, but since about 2015 PKCS12 is also fully supported. If you search "convert PEM to {Java,JKS,PKCS12}" all three have been asked and answered probably a hundred times over the last decade (including a few by me). For _some_ servers, you can just use system properties with JSSE and don't need any code at all, in which case it is offtopic for SO. – dave_thompson_085 Nov 05 '18 at 00:44
  • @dave_thompson_085 Thanks, this definitely solves half of my problem. For some reason, I didn't think about converting the files. However, the downside of this solution, and hence the other half of the problem, is the renewal. Certbot combined with cron takes care of the automatic renewal of the certificate; the conversion and the automation of this process is something that I will have to develop. Also, I plan to have my web server running all the time, how will it get updated? – Ilya Gazman Nov 05 '18 at 03:57
  • Maybe this blog post might be helpful: https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html This includes code to renew the keystore without shutting down the server. – vanje Nov 05 '18 at 10:26
  • If you strive for a pure Java solution, you could also create and renew the certificates via https://github.com/shred/acme4j . (Disclaimer: I'm the main developer.) – Shred Nov 05 '18 at 11:09
  • @Shred I looked into your repo and docs and checked your example, I saw that you are using `*.crt` and `*.key` files; in my case it's `*.pem` files. Can you please provide an answer with creation and renewal using the files from my question? – Ilya Gazman Nov 05 '18 at 11:58
  • @IlyaGazman PEM is just a container format. Actually acme4j delivers the `fullchain.pem` (= `*.crt`) and `privkey.pem` (= `*.key`) files from your example. – Shred Nov 05 '18 at 12:24
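Putting the question and the conversion advice in the comments together, here is an added example (not code from the question, from nanohttpd or from acme4j) that builds the `sslServerSocketFactory` and `sslProtocols` that `makeSecure` expects straight from `fullchain.pem` and `privkey.pem`, using an in-memory PKCS12 keystore instead of a `*.keystore` file on disk. The class name, the alias and the entry password are my own choices, and it assumes certbot's usual unencrypted PKCS#8 `privkey.pem` (`BEGIN PRIVATE KEY`).

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public final class LetsEncryptSsl {
    // Directory from the question; the entry password protects nothing on disk, only the in-memory store.
    static final String LIVE_DIR = "/etc/letsencrypt/live/www.clashofstones.com/";
    static final char[] ENTRY_PASSWORD = "in-memory-only".toCharArray();

    /** Builds an SSLServerSocketFactory directly from certbot's fullchain.pem and privkey.pem. */
    public static SSLServerSocketFactory fromPem(String fullchainPath, String privkeyPath) throws Exception {
        // fullchain.pem = leaf certificate followed by the intermediates; CertificateFactory reads all of them.
        Certificate[] chain;
        try (FileInputStream in = new FileInputStream(fullchainPath)) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
        // certbot writes privkey.pem as unencrypted PKCS#8 ("BEGIN PRIVATE KEY"): strip the armor, base64-decode.
        String pem = new String(Files.readAllBytes(Paths.get(privkeyPath)), StandardCharsets.US_ASCII);
        String body = pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(body));
        // The key algorithm (RSA or EC) must match the leaf certificate, so take it from there.
        PrivateKey key = KeyFactory.getInstance(chain[0].getPublicKey().getAlgorithm()).generatePrivate(spec);
        // In-memory PKCS12 keystore: no *.keystore file and no stored password, which the question wanted to avoid.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("letsencrypt", key, ENTRY_PASSWORD, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ENTRY_PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);  // default trust managers; clients are not authenticated
        return ctx.getServerSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory sslServerSocketFactory = fromPem(LIVE_DIR + "fullchain.pem", LIVE_DIR + "privkey.pem");
        String[] sslProtocols = {"TLSv1.2", "TLSv1.3"};  // only modern TLS versions for makeSecure(...)
        // myServer.makeSecure(sslServerSocketFactory, sslProtocols); myServer.start(timeOut, isDaemon);
    }
}
```

Since certbot rewrites both files on renewal, the factory has to be rebuilt from the new files (and handed to the server again) for the renewed certificate to be served; the running process does not pick up the change on its own.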
