Chuck D'Antonio
Using TLS locally
December 20, 2018
A huge part of sales engineering is doing demos. One of the things I demo a lot is Spring Boot. Regardless of the feature I’m showing off, I want to make sure I’m showing best practices that my audience can bring to their work. One of these practices is using TLS everywhere.
In contrast, I also want my demonstrations to be able to run locally on my laptop. You never know when something’s going to go wrong with the network and being able to work self-contained is a big plus. Boot apps run great locally, but by default they’re going to be in-the-clear HTTP on port 8080. That’s not a best practice I want to encourage.
This is a tradeoff that’s not too hard to accept, but I wanted to see if I could easily avoid it. Self-signed certs are an option, but they cause an extra headache managing trust relationships on every machine and browser that has to accept them.
I use Let’s Encrypt for certificates for all of my public-facing work. They won’t issue me a certificate for localhost (nor should they). But they’ll issue one for any subdomain that I own, and they issue wildcards. There’s something I can work with.
With a domain I own, I can map any address to 127.0.0.1. To make this simple, I pointed *.local.crdant.io to 127.0.0.1 and then used certbot to create one wildcard certificate I can use for all my local demos. A wildcard can only be issued through the DNS-01 challenge, which is why the command below uses the DNS plugin rather than an HTTP challenge:
```shell
$ export DOMAIN=local.crdant.io
# Double quotes so ${DOMAIN} expands; single quotes would send the literal text "*.${DOMAIN}" to certbot.
$ certbot certonly --server https://acme-v02.api.letsencrypt.org/directory \
    --cert-name "${DOMAIN}" --domain "*.${DOMAIN}" \
    --config-dir /usr/local/etc/certbot \
    --work-dir /usr/local/var/certbot \
    --logs-dir /usr/local/var/log \
    --dns-google --dns-google-propagation-seconds 120 \
    --dns-google-credentials "$GOOGLE_CREDENTIALS_JSON"
```
and then create a PKCS12 file for it. The export password you enter here is the one the application will need as its key-store password:

```shell
$ export KEY_FILE=/usr/local/etc/certbot/live/${DOMAIN}/privkey.pem
$ export CERT_FILE=/usr/local/etc/certbot/live/${DOMAIN}/fullchain.pem
# -name sets the alias the application will look the key up by.
$ openssl pkcs12 -export -name local -in "$CERT_FILE" -inkey "$KEY_FILE" \
    -out "/usr/local/etc/certbot/live/${DOMAIN}/certificate.p12"
```
I can then point a Spring Boot application that I’m running locally to that PKCS12 file and use TLS across all of my demos. It only takes a couple of lines in bootstrap.yml.
```yaml
server:
  ssl:
    key-store: /usr/local/etc/certbot/live/local.crdant.io/certificate.p12
    key-store-type: PKCS12
    key-alias: local
    key-store-password: numb-avaunt-barbados-pelt
```
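One thing worth checking before a demo is which hostnames the wildcard actually covers: `*.local.crdant.io` matches `demo.local.crdant.io` but not `local.crdant.io` itself, a deeper name like `api.v1.local.crdant.io`, `localhost`, or `127.0.0.1`. The stdlib-only matcher below is an added example (not code from the post) that applies the RFC 6125 rule the way browsers and Java do, so you can test a list of candidate demo URLs against the certificate's SAN entries; the hostnames in it are constructed samples.

```python
"""Check which demo hostnames a wildcard certificate such as *.local.crdant.io covers.

Applies the hostname-matching rule of RFC 6125 section 6.4.3 as modern clients do:
'*' is accepted only as the whole left-most label, it matches exactly one label,
and it never matches the bare parent domain.
"""
import ipaddress
from typing import Dict, Iterable, List


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot only marks an absolute name.
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate SAN `pattern` is valid for `hostname`."""
    try:
        ipaddress.ip_address(hostname)
        return False  # a dNSName entry never matches an IP literal such as 127.0.0.1
    except ValueError:
        pass
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if len(p_labels) != len(h_labels):
        return False  # '*' covers one label, so a.b.local.crdant.io is out
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        # Simplification: refuse wildcards such as '*.io' that would cover a whole TLD.
        if len(rest) < 2 or any("*" in label for label in rest):
            return False
        return rest == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial wildcards such as 'demo*' are rejected
    return p_labels == h_labels


def covered_hosts(sans: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate hostname to whether any SAN on the certificate covers it."""
    sans = list(sans)
    return {host: any(hostname_matches(san, host) for san in sans) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample: the SAN of the wildcard certificate and a few candidate demo URLs.
    report = covered_hosts(["*.local.crdant.io"],
                           ["demo.local.crdant.io", "DEMO.Local.crdant.io", "local.crdant.io",
                            "api.v1.local.crdant.io", "localhost", "127.0.0.1"])
    for host, ok in report.items():
        print(f"{host:26} {'covered' if ok else 'NOT covered'}")
```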