I wrote 2 blog posts about Let's Encrypt and Spring Boot.

我写了 2 篇关于 Let's Encrypt 和Spring Boot 的博客文章。

1. Issuing a certificate.Spring Boot Application Secured by Let's Encrypt Certificate
2. Renewing a certificate. Let's Encrypt Certificate Renewal: for Spring Boot

1. 颁发证书。由 Let's Encrypt 证书保护的 Spring Boot 应用程序
2. 更新证书。让我们加密证书更新：用于 Spring Boot

In a nutshell, steps are as follows:

简而言之，步骤如下：

1. Pulling the Let's Encrypt client(certbot).

2. Generating a certificate for your domain (e.g. example.com)

   ./certbot-auto certonly -a standalone -d example.com -d www.example.com

1. 拉取Let's Encrypt 客户端(certbot)。

2. 为您的域生成证书（例如 example.com）

   ./certbot-auto certonly -a standalone -d example.com -d www.example.com

Things are generated in /etc/letsencrypt/live/example.com. Spring Boot expects PKCS#12 formatted file. It means that you must convert the keys to a PKCS#12 keystore (e.g. using OpenSSL). As follows:

事物是在/etc/letsencrypt/live/example.com. Spring Boot 需要 PKCS#12 格式的文件。这意味着您必须将密钥转换为 PKCS#12 密钥库（例如使用 OpenSSL）。如下：

1. Open /etc/letsencrypt/live/example.comdirectory.
2. openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root

3. 打开 /etc/letsencrypt/live/example.com目录。
4. openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root

The file keystore.p12with PKCS12 is now generated in /etc/letsencrypt/live/example.com.

带有 PKCS12的文件keystore.p12现在以 /etc/letsencrypt/live/example.com.

It's time to configure your Spring Boot application. Open the application.properties file and put following properties there:

是时候配置您的 Spring Boot 应用程序了。打开 application.properties 文件并将以下属性放在那里：

server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/example.com/keystore.p12
server.ssl.key-store-password=<your-password>
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

Read my blog postfor further details and remarks.

阅读我的博客文章以获取更多详细信息和评论。

Step 1: Download certbot from git

第 1 步：从 git 下载 certbot

You need to fetch the source code of Let's Encrypt on your server which your domain address is pointing to. This step may take a couple minutes.

您需要在您的域地址指向的服务器上获取 Let's Encrypt 的源代码。此步骤可能需要几分钟时间。

$ git clone https://github.com/certbot/certbot

$ cd certbot

$ ./certbot-auto --help

$ git clone https://github.com/certbot/certbot

$ cd certbot

$ ./certbot-auto --help

Remark: Python 2.7.8 (or above) should be installed beforehand.

备注：需要预先安装 Python 2.7.8（或更高版本）。

Step2: generates certificates and a private key

Step2：生成证书和私钥

By executing following command in your terminal, Let's Encrypt generates certificates and a private key for you.

通过在终端中执行以下命令，Let's Encrypt 会为您生成证书和私钥。

$ ./certbot-auto certonly -a standalone \

-d example.com -d example.com

$ ./certbot-auto certonly -a 独立 \

-d example.com -d example.com

Remark:Keys are generated in /etc/letsencrypt/live/example.com directory

备注：密钥在/etc/letsencrypt/live/example.com目录下生成

Step3: Generate PKCS12 Files From PEM Files

步骤 3：从 PEM 文件生成 PKCS12 文件

To convert the PEM files to PKCS12 version: Go to /etc/letsencrypt/live/example.com convert the keys to PKCS12 using OpenSSL in the terminal as follows.

要将 PEM 文件转换为 PKCS12 版本：转到 /etc/letsencrypt/live/example.com 使用终端中的 OpenSSL 将密钥转换为 PKCS12，如下所示。

$ openssl pkcs12 -export -in fullchain.pem \

       -inkey privkey.pem \

           -out keystore.p12 \

       -name tomcat \

       -CAfile chain.pem \

       -caname root

$ openssl pkcs12 -export -in fullchain.pem \

       -inkey privkey.pem \

           -out keystore.p12 \

       -name tomcat \

       -CAfile chain.pem \

       -caname root

Enter Export Password:

输入导出密码：

Verifying - Enter Export Password:

验证 - 输入导出密码：

(Note:- Write single line at a time and press enter)

（注意：- 一次写一行并按回车键）

Step4: Configuration of Spring Boot Application

Step4：配置Spring Boot应用

Open your 'application.properties'Put this configuration there.

打开你的'application.properties'把这个配置放在那里。

server.port=8443 security.require-ssl=true

server.ssl.key-store=/etc/letsencrypt/live/example.com/keystore.p12

server.ssl.key-store-password= password

server.ssl.keyStoreType= PKCS12

server.ssl.keyAlias= tomcat

server.port=8443 security.require-ssl=true

server.ssl.key-store=/etc/letsencrypt/live/ example.com/ keystore.p12

server.ssl.key-store-password=密码

server.ssl.keyStoreType=PKCS12

server.ssl.keyAlias= tomcat

Another option is to use Spring Boot Starter ACME:

另一种选择是使用 Spring Boot Starter ACME：

https://github.com/creactiviti/spring-boot-starter-acme

https://github.com/creactiviti/spring-boot-starter-acme

ACME (Automatic Certificate Management Environment) it the protocol used by LetsEncrypt to automatically issue certs.

ACME（自动证书管理环境）是 LetsEncrypt 用于自动颁发证书的协议。

For spring boot webflux the configuration of properties changed

对于 spring boot webflux，属性配置发生了变化

server.port=443

server.ssl.enabled=true//the changed line
server.ssl.keyAlias=netty
server.ssl.key-store=path
server.ssl.key-store-password=password
server.ssl.keyStoreType=PKCS12

1. Get an SSL certificate from letsencrypt
2. Add it into a keystore using the keytoolcommand in Java
3. Configure your Spring application to use the keystore generated above

1. 从 letencrypt 获取 SSL 证书
2. 使用keytoolJava 中的命令将其添加到密钥库中
3. 配置您的 Spring 应用程序以使用上面生成的密钥库

The file should look like:

该文件应如下所示：

 server.port = 8443
 server.ssl.key-store = classpath:sample.jks
 server.ssl.key-store-password = secret
 server.ssl.key-password = password