Dropwizard can quickly start up a web server with little configuration required. The default server implementation uses http, running on port 8080 by default. But what if you want users to log into your web application? Dropwizard provides moderately useful documentation on setting up authenticators, but you should also update your server to run over SSL so that logins are not sent in plaintext.
Generating the Self-Signed Certificate
The first thing you’ll need is a certificate. For getting up and running, an easy option is to create a self-signed certificate using the Java keytool.
- Create a folder (I’ll alias as ) within your application to hold your certificate and local keystore.
- Go to that folder, and run the following to create a self-signed entry in keystore.jks. The alias selfsigned can be anything you want, but I’ll continue to reference it as selfsigned. The default password for these keystores is changeit, so I’ll leave it as that when I reference the keystore password.
$ keytool -genkey -alias selfsigned -keyalg RSA -keystore keystore.jks -keysize 2048
- Next, export the certificate to selfsigned.crt with:
$ keytool -export -alias selfsigned -file selfsigned.crt -keystore keystore.jks
- Import that certificate into your cacerts, the default Java keystore. You may need to do this as root, or with sudo. Go to the jre/lib/security directory under your Java installation, and run:
$ keytool -import -trustcacerts -alias selfsigned -file <path_to_java>/selfsigned.crt -keystore cacerts
Now you have a certificate, a corresponding private-key entry in your application keystore, and a trusted entry in the Java keystore. If you need to run the application from another machine, you’ll need to repeat step 4 on that machine.
Dropwizard Configuration
The yaml config will look something like this:
connector:
  type: https
  port: 8443
  keyStorePath: <SSL_FOLDER>/keystore.jks
  keyStorePassword: changeit
  trustStorePath: <path_to_java>/jre/lib/security/cacerts
  certAlias: selfsigned
Note: the trustStorePath is for Mac. If you use something else, it’ll be based on your OS!
The keyStorePath points to your application keystore, and the trustStorePath points to the Java default keystore.
When you run your server, it will now require https and port 8443 to access it. Super easy, but the road was rocky. Here are some common issues I faced while getting this running.
Errors Faced
Using the Java default keystore, cacerts, as the keyStorePath throws this error during Dropwizard startup, because cacerts holds trusted certificates but no private key entry for the alias:
java.lang.IllegalStateException: Unable to retrieve certificate chain
Having the wrong password for the keystore will throw this error:
java.io.IOException: Keystore was tampered with, or password was incorrect
Without the trustStorePath set, you will get an error along the lines of:
java.security.cert.CertificateException: Unable to validate certificate: the trustAnchors parameter must be non-empty
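As an added example (not part of the original post), here is a small POSIX shell pre-flight check that runs keytool -list against a keystore and maps its output onto the three startup errors above, so the result of step 4 and the keyStorePath/certAlias settings can be verified before Dropwizard is started. The keystore path, password and alias in the usage comment are assumptions matching the walkthrough.

```shell
#!/bin/sh
# Pre-flight keystore check for a Dropwizard HTTPS connector.
# Added example, not from the original post. It classifies `keytool -list`
# output so a bad keystore is caught before the server is started.

# classify_listing ALIAS   (keytool -list output on stdin)
# Prints one word and returns 0 only for what Dropwizard accepts:
#   ok            alias is a PrivateKeyEntry (certificate chain is retrievable)
#   cert-only     alias is only a trustedCertEntry, e.g. cacerts used as
#                 keyStorePath -> "Unable to retrieve certificate chain"
#   missing       alias is not in the keystore (wrong certAlias)
#   bad-password  keytool could not open the keystore
#                 -> "Keystore was tampered with, or password was incorrect"
#   empty         keystore has no entries; as a truststore this gives
#                 -> "the trustAnchors parameter must be non-empty"
classify_listing() {
  want="$1"
  listing=$(cat)
  case "$listing" in
    *"password was incorrect"*) echo bad-password; return 1 ;;
    *"contains 0 entries"*)     echo empty;        return 1 ;;
  esac
  # keytool prints one line per entry: "<alias>, <date>, <EntryType>, "
  # Aliases are stored lower-cased, hence the case-insensitive match.
  entry=$(printf '%s\n' "$listing" | grep -i "^$want, " || true)
  case "$entry" in
    "")                echo missing;   return 1 ;;
    *PrivateKeyEntry*) echo ok;        return 0 ;;
    *)                 echo cert-only; return 1 ;;
  esac
}

# preflight KEYSTORE PASSWORD ALIAS: runs keytool and classifies the result.
# stderr is merged because keytool may report a wrong password there.
preflight() {
  keytool -list -keystore "$1" -storepass "$2" 2>&1 | classify_listing "$3"
}

# Usage (assumed values matching the walkthrough above):
#   preflight "$SSL_FOLDER/keystore.jks" changeit selfsigned
#   preflight "$JAVA_HOME/jre/lib/security/cacerts" changeit selfsigned   # reports cert-only
```

Run preflight against the truststore too: a trusted entry there is expected, while a private-key entry in cacerts would mean the wrong file was used in step 4.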
More Info
Check out the reference manual for more configuration parameters.
UPDATE
I’ve updated to Dropwizard 0.8.2 and want to point out the server definition has changed slightly from above.
server:
  applicationConnectors:
    - keyStorePassword: changeit
      keyStorePath: keystore.jks
      type: https
      port: 8443
      validateCerts: false
This article really helped. Thanks!!
How should the YML connector section look if I use a CA signed certificate? Also, can I use the same certificate that I am using for the web front end nginx?
Hello, I am unable to read the system variables $JAVA_HOME or $SSH_FOLDER from the configuration yaml file. Did you use an additional dropwizard plugin for that? (If yes, can you provide me the name?)
Hi, those are environment variables set in your bash profile or Windows environment. They are shortcuts to the location of Java and the keys folder.
Yes Benkn, you are right. (BTW thanks for a very helpful article)
But we cannot directly refer to (using $) those environment variables in configuration.yml files. We either need to provide the complete path or use a plugin to read environment variables, something like $env:JAVA_HOME etc.
My question is: are you or anyone on this post aware of any such plugin that would give me environment variable access in the configuration.yml file?
Hi,
I face the error: java.lang.IllegalStateException: Unable to retrieve certificate chain
I have got my certificate issued from GoDaddy.
My yml file looks like this:
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8443
      keyStorePath: ./keystore/myKeyStore.jks
      keyStorePassword: "myPassword"
      trustStorePath: "C:/Program Files/Java/jre1.8.0_65/lib/security/cacerts"
      certAlias: "myAlias"
I have also asked about my problem here:
http://stackoverflow.com/questions/35002780/setting-up-ssl-in-dropwizard
Request you to please take a look there for details.
Thanks! 🙂
Thank you for your question. I see on StackOverflow that you found your answer: updating `validatePeers` to false. I will also provide an edit for the updated version of Dropwizard.
Thanks very much for this guide. Being new to both DropWizard and SSL, this has been invaluable.
One thing that is confusing me is that we’ve been asked to have public and private keys, and import the private key into the keystore, and only publish the public key to clients wishing to connect.
How would your instructions differ in this scenario?
This shows real expertise. Thanks for the answer.
I followed your steps but I’m getting: no valid keystore exception.
I’m generating a jar with the keystore and then deploying in AWS.
Can you please elaborate on step 4?