Reputation: 453
I build a spring-boot executable war with SSL support. My application.properties file is:
server.port = 8443
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = secret
server.ssl.key-password = another-secret
The WAR file contains the 'keystore.jks' file, but I get a strange exception:
org.springframework.context.ApplicationContextException: Unable to start embedded container; nested exception is org.springframework.boot.context.embedded.EmbeddedServletContainerException: Could not find key store classpath:keystore.jks
Caused by: java.io.FileNotFoundException: class path resource [keystore.jks] cannot be resolved to absolute file path because it does not reside in the file system: jar:file:/D:/projects/vi3na/vi3na.web/target/vi3na.war!/WEB-INF/classes!/keystore.jks
What does the '!' sign mean in the path 'D:/projects/vi3na/vi3na.web/target/vi3na.war!/WEB-INF/classes!/keystore.jks'?
Upvotes: 15
Views: 64855
Reputation: 5545
My bad was adding server.ssl.enabled=true without giving Spring Boot any details, so I just removed that.
Upvotes: 1
Reputation: 2180
The keystore is not readable from the classpath by anything other than Spring. (In the case of Kafka we don't have any option; Kafka always expects the location to be on the filesystem, not in a jar file.) So I suggest using the property below and giving an absolute path to the keystore location.
application.properties
spring.kafka.ssl.key-store-location=file:certificate.jks
In code:
@Value("${spring.kafka.ssl.key-store-location}")
private Resource keystoreLocation;
props.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keystoreLocation.getFile().getAbsolutePath());
This way you can read the keystore. You may need to copy the file onto the file system rather than keeping it in the jar.
Upvotes: 0
Reputation: 40235
In my Spring Boot application I resolved this issue by placing the .jks file into the resource folder.
Upvotes: 3
Reputation: 480
Execute the following steps to generate a Java KeyStore (JKS) and configure it in application.properties of your application:
1- Generate JKS
jmendoza@jmendoza:~$ keytool -genkey -alias selfsigned_localhost_sslserver -keyalg RSA -keysize 2048 -validity 700 -keypass changeit -storepass changeit -keystore ssl-server.jks
2- Config JKS in application.properties
server.port=8081
server.ssl.key-alias=electoralsystem-store
server.ssl.key-password=jmendoza
server.ssl.key-store=/home/jmendoza/IdeaProjects/dummy/config/electoralsystem-store.jks
server.ssl.key-store-provider=SUN
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2
3- Invoke service from postman
https://localhost:8081/api/process
Note: for Postman, remember that self-signed SSL certificates are blocked. Fix this by turning off 'SSL certificate verification' in Settings > General.
Upvotes: 1
Reputation: 116191
Update: As a result of this enhancement request, the limitation described below no longer applies. Tomcat 8.0.28+ and 7.0.66+ can load a key store from within a jar file.
I guess that you're using Tomcat as the embedded servlet container? As noted in the reference documentation, Tomcat does not currently support loading a keystore or trust store from within a jar:
Tomcat requires the key store (and trust store if you’re using one) to be directly accessible on the filesystem, i.e. it cannot be read from within a jar file.
You should move keystore.jks out of your jar and update server.ssl.key-store with its location on the file system.
Upvotes: 15
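The step the answers above describe, getting the keystore out of the archive and onto the file system, can also be done at startup. The following is an added example, not code from any of the answers or from Spring Boot; the class name KeystoreLocator and the method toFilesystemPath are hypothetical, and it uses only JDK APIs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;

public class KeystoreLocator {

    // Returns a real filesystem path for a classpath keystore, extracting it if it is packed in a jar/war.
    static Path toFilesystemPath(String classpathName) throws Exception {
        URL url = KeystoreLocator.class.getClassLoader().getResource(classpathName);
        if (url == null) {
            throw new IOException("not on classpath: " + classpathName);
        }
        // Exploded classes directory (e.g. an IDE run): the resource is already a plain file.
        if ("file".equals(url.getProtocol())) {
            return Paths.get(url.toURI());
        }
        // Packaged run: the URL looks like jar:file:/.../app.war!/WEB-INF/classes!/keystore.jks.
        // Each "!/" separates an archive from an entry inside it, so no java.io.File exists for it.
        Path target;
        try {
            // The keystore holds the private key: create the copy readable by the owner only.
            target = Files.createTempFile("keystore-", ".jks",
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): fall back to the default temp-file permissions.
            target = Files.createTempFile("keystore-", ".jks");
        }
        try (InputStream in = url.openStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        target.toFile().deleteOnExit(); // do not leave key material behind after shutdown
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path p = toFilesystemPath(args.length > 0 ? args[0] : "keystore.jks");
        // Value to use for the property from the question.
        System.out.println("server.ssl.key-store=" + p.toAbsolutePath());
    }
}
```

Run it with the directory or archive that contains keystore.jks on the classpath; it prints the path to set for server.ssl.key-store.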