Step 6: Set Up Custom Domain and SSL Certificate
Introduction
In this final step, you’ll configure a custom domain for your Spring Boot application and secure it with an SSL certificate. This will make your application accessible via a professional domain name with HTTPS encryption, providing both credibility and security for your users.
Understanding SSL and Domain Configuration
SSL (Secure Sockets Layer) certificates encrypt data transmitted between your users’ browsers and your server, while custom domains provide a professional, memorable way to access your application. AWS Lightsail makes both of these configurations straightforward through integrated services.
Modern browsers mark HTTP sites as “Not Secure,” which can deter users. SSL certificates are now essential for any web application, and search engines favor HTTPS sites in rankings.
Prerequisites for This Step
Before proceeding, ensure you have:
- A registered domain name (from any domain registrar)
- Access to your domain’s DNS management
- Your Lightsail instance running with Nginx configured (from Step 5)
- Your Spring Boot application accessible via your instance’s public IP
Setting Up DNS and Domain Configuration
Step 1: Create a Lightsail DNS Zone
- In the Lightsail console, navigate to Networking → DNS zones
- Click Create DNS zone
- Enter your domain name (e.g., example.com)
- Click Create DNS zone
The DNS zone will manage all DNS records for your domain, making it easy to point your domain to your Lightsail instance.
Step 2: Configure DNS Records
Once your DNS zone is created, you’ll need to add the following records:
- A Record: Point your domain to your Lightsail instance
  - Subdomain: Leave blank for root domain, or enter www for www subdomain
  - Resolves to: Select your Lightsail instance from the dropdown
- CNAME Record (optional, for www subdomain):
  - Subdomain: www
  - Maps to: Your root domain (e.g., example.com)
# Example DNS configuration
# A Record: example.com → Your Lightsail Instance IP
# CNAME: www.example.com → example.com
Step 3: Update Your Domain Registrar’s Name Servers
- Copy the name servers provided by Lightsail (they’ll look like ns-xxx.awsdns-xxx.com)
- Log into your domain registrar’s control panel
- Replace the existing name servers with the Lightsail name servers
- Save the changes
DNS changes can take up to 48 hours to propagate worldwide, though they usually take effect within a few hours. Be patient during this process.
Installing and Configuring SSL Certificate
Step 1: Install Certbot
SSH into your Lightsail instance and install Certbot, which will manage your SSL certificates:
# Update package list
sudo apt update
# Install Certbot and Nginx plugin
sudo apt install certbot python3-certbot-nginx -y
# Verify installation
certbot --version
Step 2: Configure Nginx for Your Domain
Update your Nginx configuration to include your domain name:
# Edit the Nginx configuration
sudo nano /etc/nginx/sites-available/default
Update the server block to include your domain:
server {
    listen 80;
    server_name example.com www.example.com; # Replace with your domain
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Test and reload the configuration:
# Test configuration
sudo nginx -t
# Reload Nginx
sudo systemctl reload nginx
Step 3: Obtain SSL Certificate
Use Certbot to automatically obtain and install an SSL certificate:
# Obtain and install SSL certificate
sudo certbot --nginx -d example.com -d www.example.com
# Follow the prompts:
# 1. Enter your email address for certificate expiration notifications
# 2. Agree to terms of service
# 3. Choose whether to share email with EFF (optional)
# 4. Certbot will automatically configure HTTPS redirect
Certbot will automatically modify your Nginx configuration to redirect HTTP traffic to HTTPS, ensuring all connections are secure.
Configuring Automatic Certificate Renewal
SSL certificates from Let’s Encrypt expire every 90 days, but Certbot can automatically renew them:
Step 1: Test Automatic Renewal
# Test the renewal process (dry run)
sudo certbot renew --dry-run
Step 2: Set Up Automatic Renewal
Automatic renewal should already be configured via a systemd timer, but you can verify:
# Check if the timer is active
sudo systemctl status certbot.timer
# Enable the timer if it's not active
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Updating Spring Boot Configuration for HTTPS
Step 1: Configure HTTPS in Application Properties
Update your production profile to handle HTTPS properly:
# src/main/resources/application-prod.properties
# Server configuration for HTTPS
server.forward-headers-strategy=native
server.tomcat.use-relative-redirects=true
# Session cookie flags (Secure: sent over HTTPS only; HttpOnly: hidden from JavaScript)
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.http-only=true
Step 2: Update Security Configuration (if applicable)
If you’re using Spring Security, ensure it’s configured for HTTPS:
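import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Require HTTPS for requests that arrived through the proxy
            // (Nginx sets X-Forwarded-Proto on every proxied request)
            .requiresChannel(channel ->
                channel.requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
                    .requiresSecure())
            // Send an HSTS header valid for one year, covering subdomains
            .headers(headers ->
                headers.httpStrictTransportSecurity(hstsConfig ->
                    hstsConfig.maxAgeInSeconds(31536000)
                        .includeSubDomains(true)));
        return http.build();
    }
}
Step 3: Rebuild and Deploy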
Rebuild your application with the HTTPS configurations:
# On your development machine
./mvnw clean package -DskipTests
# Transfer to Lightsail instance
scp target/myapp.jar ubuntu@your-domain.com:~/
# On Lightsail instance
sudo systemctl stop myapp
sudo cp /home/ubuntu/myapp.jar /opt/myapp/
sudo systemctl start myapp
Verifying Your HTTPS Setup
Step 1: Test Domain Access
- Open your browser and navigate to https://yourdomain.com
- Verify the SSL certificate is valid (look for the lock icon)
- Check that HTTP automatically redirects to HTTPS
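The redirect check above, together with the HSTS header and cookie flags configured earlier in this step, can be scripted. This is an added example, not part of the original tutorial; the function names and the sample responses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `curl -sI` output against this tutorial's settings.

# Print the value of header $1 read from stdin (case-insensitive, CR stripped).
header_value() {
  tr -d '\r' | awk -v want="$1" 'BEGIN { want = tolower(want) }
    { i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == want {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# stdin: headers from http://DOMAIN. Expect a permanent redirect to https://.
check_redirect() {
  local hdrs status loc
  hdrs=$(cat)
  status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$hdrs" | header_value Location)
  case "$status:$loc" in
    301:https://*|308:https://*) echo "OK: $status -> $loc" ;;
    *) echo "FAIL: expected 301/308 to https://, got $status '$loc'"; return 1 ;;
  esac
}

# stdin: headers from https://DOMAIN. Expect HSTS and flagged cookies.
check_https() {
  local hdrs hsts age bad rc=0
  hdrs=$(tr -d '\r')
  hsts=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security | tr 'A-Z' 'a-z')
  age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
    echo "FAIL: HSTS missing or max-age below 31536000"; rc=1
  fi
  case "$hsts" in *includesubdomains*) ;; *) echo "FAIL: HSTS lacks includeSubDomains"; rc=1 ;; esac
  bad=$(printf '%s\n' "$hdrs" | awk 'tolower($0) ~ /^set-cookie:/ {
      l = tolower($0); if (l !~ /; *secure/ || l !~ /; *httponly/) n++ }
    END { print n + 0 }')
  [ "$bad" -eq 0 ] || { echo "FAIL: $bad cookie(s) lack Secure or HttpOnly"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: HSTS and cookie flags present"
  return "$rc"
}

# Constructed sample responses (not captured from a real server).
sample_http() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n'; }
sample_good() { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000 ; includeSubDomains\r\nSet-Cookie: JSESSIONID=abc; Path=/; Secure; HttpOnly\r\n'; }
sample_weak() { printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc; Path=/; HttpOnly\r\n'; }

sample_http | check_redirect
sample_good | check_https
sample_weak | check_https || true   # prints three FAIL lines
```

Against a live site, pipe real headers in instead: `curl -sI http://yourdomain.com | check_redirect` and `curl -sI https://yourdomain.com | check_https`. A session cookie only appears on responses that create a session, so run the second check against a page that does.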
Step 2: Test SSL Configuration
Use online tools to verify your SSL setup:
# Test SSL certificate from command line
curl -I https://yourdomain.com
# Check SSL rating
# Visit: https://www.ssllabs.com/ssltest/
Step 3: Monitor Certificate Status
# Check certificate expiration
sudo certbot certificates
# View certificate details
# (sudo is needed: /etc/letsencrypt/live is readable by root only)
sudo openssl x509 -in /etc/letsencrypt/live/yourdomain.com/cert.pem -text -noout
Consider setting up monitoring to alert you if certificate renewal fails, though Certbot’s automatic renewal is very reliable.
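One way to implement that monitoring is a small check run from cron or a systemd timer. This is an added example, not part of the original tutorial: the function names and the 21-day threshold are assumptions, and the demo generates its own throwaway self-signed certificate rather than reading a real one.

```shell
#!/usr/bin/env bash
# Added example: detect a certificate that Certbot should already have renewed.

# cert_status PEM [MIN_DAYS]
# Prints one status line; returns 0 only when the certificate parses and has
# more than MIN_DAYS left. MIN_DAYS defaults to 21 (an assumed threshold:
# Certbot normally renews once fewer than 30 days remain, so dropping below 21
# means renewal has been failing for over a week).
cert_status() {
  local pem=$1 min_days=${2:-21}
  if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
    echo "UNREADABLE $pem"; return 3
  fi
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED $pem"; return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "RENEWAL_OVERDUE $pem $(openssl x509 -in "$pem" -noout -enddate)"
    return 1
  fi
  echo "OK $pem"
}

# Constructed sample: a self-signed certificate valid for $2 days, written to
# $1/cert.pem, standing in for /etc/letsencrypt/live/yourdomain.com/cert.pem.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
cert_status "$demo_dir/cert.pem" 5            # OK: more than 5 days left
cert_status "$demo_dir/cert.pem" || true      # RENEWAL_OVERDUE: under 21 days
cert_status "$demo_dir/missing.pem" || true   # UNREADABLE
rm -rf "$demo_dir"
```

On the instance, run `cert_status /etc/letsencrypt/live/yourdomain.com/cert.pem` as root and alert on any non-zero exit status.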
Troubleshooting Common Issues
Domain Not Resolving
If your domain isn’t resolving to your Lightsail instance:
- Verify DNS records in Lightsail console
- Check that name servers are correctly set at your registrar
- Use dig or nslookup to test DNS resolution:
# Test DNS resolution
dig yourdomain.com
nslookup yourdomain.com
SSL Certificate Issues
If Certbot fails to obtain certificates:
- Ensure your domain is resolving correctly
- Check that port 80 is accessible (Certbot needs it for verification)
- Verify Nginx is running and serving your domain
# Check if domain is accessible
curl -I http://yourdomain.com
# Check Nginx status
sudo systemctl status nginx
# View Nginx error logs
sudo tail -f /var/log/nginx/error.log
Mixed Content Warnings
If you see mixed content warnings in the browser:
- Ensure all resources (CSS, JS, images) are loaded via HTTPS
- Update any hardcoded HTTP URLs in your application
- Use protocol-relative URLs (//example.com/resource) when possible
Summary and Key Takeaways
Congratulations! You’ve successfully configured a custom domain and SSL certificate for your Spring Boot application on AWS Lightsail. Your application now has:
✅ Key Accomplishments:
- Custom domain configuration with proper DNS management
- SSL certificate with automatic HTTPS redirect
- Automatic certificate renewal to prevent expiration
- Production-ready HTTPS security headers
- Professional appearance with secure connections
🔒 Security Benefits:
- Encrypted data transmission between users and your server
- Browser trust indicators (lock icon, “Secure” label)
- Protection against man-in-the-middle attacks
- Improved SEO rankings due to HTTPS preference
📈 Next Steps:
- Monitor your SSL certificate status regularly
- Consider implementing additional security headers
- Set up monitoring and alerting for your domain and certificates
- Plan for scaling if your application grows beyond Lightsail’s capacity
Your Spring Boot application is now fully deployed with enterprise-grade security and accessibility. Users can confidently access your application through a professional domain with complete data protection.