Using your SSL certificate for your Spark web application

I’ve fallen in love with Spark recently. Being inexperienced with web development, I stumbled upon Spark when I was looking for a small framework for setting up a simple web application based on Java. My learning curve has been steep and my first website (consisting of nothing but a simple form) is running smoothly.

One issue I had to deal with was using my domain’s SSL certificate (proudly sponsored by Let’s Encrypt) for the integrated web server that comes with Spark. As you can read here, a keystore and a password need to be specified in order to achieve this.

Alright, nothing easier than coming up with a password, but how do I set up a Java keystore (.JKS) that uses my certificate? A quick Startpage search directed me to Maximilian Böhm’s tutorial on JKS and Let’s Encrypt certificates.
I could skip step 1 as I had created and installed my certificates already. For step 2, I needed to locate the directory in which my Plesk installation stored the fullchain.pem and privkey.pem files. I found them in:

I copied them to a temp directory to make things easier, and then ran the following command:

After typing in and remembering the password, the resulting pkcs.p12 file could be used to create the JKS file as described in step 3:

Here, SRC_STORE_PASS is the password chosen in step 2. Make sure to remember and distinguish those three passwords! Or use the same phrase for all of them.

The result was saved as keystore.pks. I changed my Spark code accordingly:

and put the file next to my JAR. Done.

Update 2017-09-02: Here’s a script that updates the keystore entry (e.g. in case the existing SSL certificate has been invalidated and a new one has been created).
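The conversion described above (steps 2 and 3) and the keystore refresh after a renewal, written as one added shell function; it is not the script this post refers to, nor code from the tutorial. The function name, its arguments and the KS_PASS environment variable are assumptions, and it uses a single password for all three roles, which the text above allows.

```shell
# Added example: rebuild the keystore for Spark's embedded server from the
# Let's Encrypt PEM files. Function name, arguments and KS_PASS are assumptions.
#
# usage: KS_PASS=... build_keystore fullchain.pem privkey.pem keystore.jks alias
# One password (KS_PASS, at least 6 characters for keytool) is used for the
# PKCS#12 file, the JKS store and the key entry. It is passed through the
# environment, so it does not show up in the process list or shell history.
build_keystore() {
    local chain="$1" key="$2" out="$3" name="$4" cert_pub key_pub tmp rc
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; return 2; }
    [ -r "$chain" ] && [ -r "$key" ] || { echo "cannot read PEM input" >&2; return 2; }
    export KS_PASS

    # Refuse to package a private key that does not match the leaf certificate
    # (the first certificate in fullchain.pem).
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout) || return 3
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 3; }

    # Work in a private directory (mktemp -d creates it with mode 0700) so the
    # intermediate PKCS#12 file is never readable by other users.
    tmp=$(mktemp -d) || return 1
    rc=1
    if openssl pkcs12 -export -in "$chain" -inkey "$key" -name "$name" \
           -out "$tmp/pkcs.p12" -passout env:KS_PASS \
       && keytool -importkeystore -noprompt \
           -srckeystore "$tmp/pkcs.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
           -destkeystore "$tmp/new.jks" -deststoretype JKS \
           -deststorepass:env KS_PASS -destkeypass:env KS_PASS -alias "$name" \
       && chmod 600 "$tmp/new.jks" \
       && mv -f "$tmp/new.jks" "$out"   # the old keystore is replaced only on success
    then
        rc=0
    fi
    rm -rf "$tmp"                       # removes the intermediate pkcs.p12 as well
    return $rc
}
```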


Renewal of Let’s Encrypt Certificates Using Plesk

Note to self: If the Let’s Encrypt extension for Plesk fails to renew a certificate (when triggered manually), disable the automatic forwarding to an SSL connection in the Apache settings. This forced secure connection seems to disturb the renewal script.

The error I got was something like this:

Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: 2016-01-19 13:56:07,885:WARNING:letsencrypt.cli:Root (sudo) is required to run most of letsencrypt functionality. Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [REMOVED IP]: 401 IMPORTANT NOTES: - The following errors were reported by the server: Domain: Type: urn:acme:error:unauthorized Detail: Invalid response from /.well-known/acme-challenge/REMOVED-ID [REMOVED IP]: 401

See also this bug report on Github.

Let’s hope the extension is going to renew all certificates automatically every month from now on, as it should.