Free SSL Certificate for Play Framework by Ravinder Payal


Author : @Ravinder Payal

I understand that this is a simple thing, but it is frustrating when you don't have the recipe to make it work. Worry not: here are the complete steps; just follow them in the given sequence with a coffee in hand. By the time you finish the coffee, your Play Framework based server will be running with SSL/TLS security.

To generate the TLS/SSL certificate using the DNS challenge, run:

```bash
sudo certbot certonly --manual -m youremailaddress@example.com --agree-tos -d subdomain.example.com --preferred-challenges dns
```

On pressing enter it'll show something like this:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subdomain.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
```
Please enter `Y` if you are OK with it and want to continue. `N` will close the request as you must agree to IP logging to proceed.

On proceeding further it'll ask you to add a TXT record under the given domain name, prefixed with `_acme-challenge.`:

```
Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.example.com with the following value:

ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Before pressing enter, confirm that the TXT record has actually been created under the chosen domain by querying it with `nslookup`:

```bash
nslookup -q=TXT _acme-challenge.subdomain.example.com
```

If it shows the same TXT value that Let's Encrypt asked for, you are good to go ahead. If the record does not show up yet, wait for it to propagate (your local resolver may also be serving a cached answer) rather than pressing Enter, because certbot will fail the challenge if it cannot see the record.

On completion you will find the certificate in:

```
/etc/letsencrypt/archive/subdomain.example.com/
```

Note: You might need super user (`sudo su`) access to read this directory and the files in it.

Now we need openssl to export the certificate chain and private key to PKCS12 format; then, using keytool, we will import the PKCS12 file into a JKS file. From the certificate directory above, run:

```bash
openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out keystore.p12 -CAfile cert.pem -caname root
```

It'll ask for a password; enter any password of your choice, but do remember it, as it'll be needed in the next step. For reference I will call it the source keystore password.

Now, once the p12 file has been generated by openssl from the certificates issued by Let's Encrypt, we use keytool to export it as a JKS (Java KeyStore) file:

```bash
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks
```

It'll give something like this:

```
Importing keystore keystore.p12 to cert.jks...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore cert.jks -destkeystore cert.jks -deststoretype pkcs12".
```

On pressing enter it'll ask you for the destination keystore password; enter any password, but do remember it, as we need to provide it to Play Framework. After that you need to provide the source keystore password which you entered while running the openssl command. On successfully running all the commands in the right sequence you will get the `JKS` file as `cert.jks`. Put `cert.jks` in the `conf` directory in the root of the Play project, and when running Play provide the SSL certificate like this:

```bash
-Dhttps.port=443 -Dplay.server.https.keyStore.path=cert.jks -Dplay.server.https.keyStore.password=your_destination_keystore_password
```

Note: Please use the same password for the PKCS12 and the JKS keystore, otherwise Play won't be able to read both the certificate and the private key: keytool carries the p12 password over as the password of the private key entry, and Play is given only one password, which it uses for both the store and the key.
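As an added example (not part of the original post, and not code from Play, certbot or keytool), here are the steps above as reusable shell functions, together with the checks worth running before the keystore is handed to Play: a test that the `_acme-challenge` TXT record is visible before pressing Enter in certbot, a test that the PKCS12 store really opens with the chosen password, and a helper that reports how many days the certificate has left, since Let's Encrypt certificates are short-lived and the keystore has to be rebuilt after every renewal. It assumes `openssl`, `keytool` (from a JDK) and `dig` are installed; the function names, file names and the `play` alias are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): PEM -> PKCS12 -> JKS conversion as
# functions, plus the checks a practitioner wants before Play loads the keystore.
# Assumes openssl, keytool and dig are on PATH; names below are this example's own.
set -euo pipefail

# Confirm the _acme-challenge TXT record is visible before pressing Enter in certbot.
# $1 = domain (e.g. subdomain.example.com), $2 = token certbot printed,
# $3 = optional authoritative nameserver, to bypass a caching resolver.
acme_txt_present() {
  dig +short ${3:+"@$3"} TXT "_acme-challenge.$1" | tr -d '"' | grep -qx "$2"
}

# Export chain + key into a PKCS12 store, non-interactively.
# $1 = fullchain PEM, $2 = private key PEM, $3 = output .p12, $4 = password
# ("pass:" exposes the secret to ps; openssl also accepts env:VAR and file:PATH).
make_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name play -passout "pass:$4"
}

# Number of private keys readable from a PKCS12 store with the given password.
# Prints 0 (and still returns success) when the password is wrong, so callers can compare.
pkcs12_key_count() {
  local dump
  if ! dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null); then
    echo 0
    return 0
  fi
  printf '%s\n' "$dump" | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Convert PKCS12 to JKS with one password for both stores, as the post's note requires.
# $1 = .p12 in, $2 = .jks out, $3 = password (used for source and destination)
pkcs12_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype jks -deststorepass "$3" -noprompt
}

# Whole days until the certificate in a PEM file expires. Uses only openssl's
# -checkend (no date parsing), so it behaves the same on GNU and BSD systems;
# the loop stops at the first day boundary the certificate will not outlive.
days_until_expiry() {
  local days=0
  while [ "$days" -lt 400 ] && \
        openssl x509 -in "$1" -noout -checkend $(( (days + 1) * 86400 )) >/dev/null; do
    days=$((days + 1))
  done
  echo "$days"
}

# Usage, run from the certbot archive directory (uncomment to try):
# acme_txt_present subdomain.example.com "$TOKEN" || { echo 'TXT record not visible yet'; exit 1; }
# make_pkcs12 fullchain1.pem privkey1.pem keystore.p12 "$KS_PASS"
# [ "$(pkcs12_key_count keystore.p12 "$KS_PASS")" = 1 ] || { echo 'p12 unreadable'; exit 1; }
# pkcs12_to_jks keystore.p12 cert.jks "$KS_PASS"
# echo "certificate expires in $(days_until_expiry cert1.pem) days"
```

Pass the same password to `make_pkcs12` and `pkcs12_to_jks`, matching the note above. One interoperability point: OpenSSL 3 writes PKCS12 files with newer encryption defaults, and an old JDK's keytool may reject such a store with a password error even though the password is right; re-exporting with openssl's `-legacy` option produces the older format those JDKs understand.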

Cheers, enjoy the additional security layer provided by TLS/SSL.

Please do comment if you have any doubts, I will revert back within a day.


Written on July 20, 2019