Enhancement

Please add server.ssl.key-store-password-file-name property

In the previous/current versions of Spring Boot, if I have to enable SSL, i.e. make it HTTPS, I have to provide the below details in the application.properties or application.yaml file:

server:
  port: <port-no>
  ssl:
    key-alias: yourKeyAlias
    key-store: path/to/keystore
    key-store-password: yourKeyStorePassword
    key-password: yourKeyPassword
    trust-store: path/to/trust-store
    trust-store-password: yourTrustStorePassword

https://docs.spring.io/spring-cloud-skipper/docs/1.0.0.BUILD-SNAPSHOT/reference/html/configuration-security-enabling-https.html

Here the property key-store-password is a plaintext password. I would be happy if I could provide a file location and Spring would read the file's content to use it as the password. I am aware I can write a few lines of code to create a custom web servlet. However, it would be easier to pass it as a property without any code having to be written.

Comment From: wilkinsona

You can use a config tree for this. If you have a file named, for example, /etc/config/server/ssl/key-store-password and set spring.config.import=optional:configtree:/etc/config/ in application.properties, the server.ssl.key-store-password property will have its value set to the contents of the /etc/config/server/ssl/key-store-password file.

Comment From: Shubham-Vishwakarma

Hi @wilkinsona, I have tried this and it failed. I got the error that the password is wrong. Does this solution work only for cloud? I was trying it on my local machine.

Comment From: wilkinsona

No, it isn't cloud-specific and should work anywhere. If you can share a minimal example of it not working using Spring Boot 2.7.x or later, we can take a look.

Comment From: Shubham-Vishwakarma

I have created this sample project with Java 17, Maven 3.9.2 and Spring Boot 3.0.0: https://github.com/Shubham-Vishwakarma/TestSpringBug

application.yaml: https://github.com/Shubham-Vishwakarma/TestSpringBug/blob/main/src/main/resources/application.yaml

Error:

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2023-06-27T19:54:26.557+05:30 ERROR 6476 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
    at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:181) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:356) ~[spring-context-6.0.2.jar:6.0.2]
    at java.base/java.lang.Iterable.forEach(Iterable.java:75) ~[na:na]
    at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:155) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:123) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:932) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:587) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:730) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:432) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1302) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1291) ~[spring-boot-3.0.0.jar:3.0.0]
    at com.shubham.TestSpring.main(TestSpring.java:12) ~[classes/:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:235) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar:6.0.2]
    ... 13 common frames omitted
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:238) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:288) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:219) ~[spring-boot-3.0.0.jar:3.0.0]
    ... 15 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1085) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    ... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:106) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:206) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1172) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1258) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:588) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1082) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    ... 19 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) ~[na:na]
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:242) ~[na:na]
    at java.base/java.security.KeyStore.load(KeyStore.java:1473) ~[na:na]
    at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:104) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
    ... 25 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 34 common frames omitted

Comment From: wilkinsona

You don't need to set key-store-password in application.yaml. The configtree will set it for you. Right now, you're overwriting the value from the configtree and setting the password to the string /home/shubham/projects/TestSpring/src/main/resources/security/certificate.p12.pwd.
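
The following is an added illustration of the two points in this thread (the configtree mapping described above in the first reply, and the overwrite mistake in this one); it is not Spring Boot's code and not from the sample project. It simulates a `configtree:` import in plain Python: every file under the imported directory becomes a property whose name is the file's relative path with `/` turned into `.`, and the file contents become the value. The constructed tree is built in a temp directory, the trimming of one trailing newline is my understanding of the Boot loader's behaviour (treat it as an assumption), and the permission check and the "password resolves to an existing path" diagnostic are defender-side checks I added, not something the loader does.

```python
"""Simulated Spring Boot ``configtree:`` import plus two practical checks.
Added example; not Spring Boot's own code and not from the linked project."""
import os
import stat
import tempfile
from pathlib import Path


def load_config_tree(root):
    """Map each regular file under ``root`` to a property.

    server/ssl/key-store-password  ->  server.ssl.key-store-password
    The value is the file's text; one trailing newline is trimmed (assumed to
    match the loader's trailing-newline trimming) so a file written with
    ``echo`` still yields the bare password.
    """
    root = Path(root)
    props = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = ".".join(path.relative_to(root).parts)
        text = path.read_text()
        if text.endswith("\n"):
            text = text[:-1]
        props[name] = text
    return props


def check_secret_file_permissions(path):
    """Defender's check: a password file in the tree should be readable only
    by the service account. Returns a list of problems (empty when fine)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} readable by group/others (mode {mode:04o})")
    return problems


def resolve(config_tree_props, explicit_props):
    """Merge as this thread describes: a value set explicitly in
    application.yaml overwrites the value supplied by the config tree."""
    merged = dict(config_tree_props)
    merged.update(explicit_props)
    return merged


def diagnose_password(merged, key="server.ssl.key-store-password"):
    """Flag the mistake from this thread: the resolved password is itself a
    path to an existing file, i.e. the file *name* was configured instead of
    letting the config tree supply the file *contents*."""
    value = merged.get(key)
    if value is None:
        return "missing"
    if os.path.isfile(value):
        return "looks-like-path"
    return "ok"


def demo():
    """Build a constructed /etc/config-style tree and exercise both the
    working setup and the overwrite misconfiguration."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "config"
        ks_pw = tree / "server" / "ssl" / "key-store-password"
        ts_pw = tree / "server" / "ssl" / "trust-store-password"
        ks_pw.parent.mkdir(parents=True)
        ks_pw.write_text("constructed-keystore-pw\n")   # as `echo` would leave it
        ts_pw.write_text("constructed-truststore-pw")
        os.chmod(ks_pw, 0o600)   # correct: owner-only
        os.chmod(ts_pw, 0o644)   # deliberately too open, to show the check

        props = load_config_tree(tree)
        good = resolve(props, {"server.port": "8443"})
        # The mistake from this thread: yaml sets the password to the file path.
        bad = resolve(props, {"server.ssl.key-store-password": str(ks_pw)})
        return {
            "props": props,
            "ks_problems": check_secret_file_permissions(ks_pw),
            "ts_problems": check_secret_file_permissions(ts_pw),
            "good": diagnose_password(good),
            "bad": diagnose_password(bad),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Run it and `good` resolves to `ok` while `bad` resolves to `looks-like-path`, which is exactly the symptom of the "keystore password was incorrect" failure above: the server tried to open the keystore with the path string as the password. The permission check is the part to keep in a real deployment: a config tree that holds a keystore password should be mounted so that only the application's user can read it.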

Comment From: Shubham-Vishwakarma

Thanks, it worked. The only limitation here is that I need to keep the file name the same as the property name.