diff --git a/documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/features/ssl.adoc b/documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/features/ssl.adoc index 938d5be755b9..c3e14b6dcbaa 100644 --- a/documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/features/ssl.adoc +++ b/documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/features/ssl.adoc @@ -181,3 +181,33 @@ A file watcher is then watching the files and if they change, the SSL bundle wil This in turn triggers a reload in the consuming component, e.g. Tomcat rotates the certificates in the SSL enabled connectors. You can configure the quiet period (to make sure that there are no more changes) of the file watcher with the configprop:spring.ssl.bundle.watch.file.quiet-period[] property. + +[[features.ssl.reloading.lets-encrypt]] +=== Reloading SSL Bundles With Let's Encrypt + +If you use certificates issued by https://letsencrypt.org/[Let's Encrypt] and renewed by an external tool, such as https://certbot.eff.org/[Certbot], you can configure a PEM bundle to use the generated files and enable reloading. +Certbot typically stores these in `/etc/letsencrypt/live/` under a directory named after your domain. +The following example shows how to configure a PEM bundle for `example.com`: + +[configprops,yaml] +---- + spring: + ssl: + bundle: + pem: + webserver: + reload-on-update: true + keystore: + certificate: "file:/etc/letsencrypt/live/example.com/fullchain.pem" + private-key: "file:/etc/letsencrypt/live/example.com/privkey.pem" + server: + ssl: + bundle: "webserver" +---- + +Spring Boot does not request or renew Let's Encrypt certificates. +When Certbot or another ACME client updates the configured files, the SSL bundle is reloaded. +Compatible consumers, such as Tomcat and Netty web servers, can then use the updated certificate without restarting the application. + +The files in `/etc/letsencrypt/live` are typically symbolic links to files in `/etc/letsencrypt/archive`. +The file watcher follows symbolic links so that updates to the target files can trigger a reload. diff --git a/module/spring-boot-http-codec/build.gradle b/module/spring-boot-http-codec/build.gradle index eb60c2b976ff..10e6a15fff8d 100644 --- a/module/spring-boot-http-codec/build.gradle +++ b/module/spring-boot-http-codec/build.gradle @@ -30,6 +30,7 @@ dependencies { optional(project(":core:spring-boot-autoconfigure")) optional(project(":core:spring-boot-test")) + optional(project(":module:spring-boot-gson")) optional(project(":module:spring-boot-jackson")) optional(project(":module:spring-boot-jackson2")) optional(project(":module:spring-boot-kotlinx-serialization-json")) diff --git a/module/spring-boot-http-codec/src/test/java/org/springframework/boot/http/codec/autoconfigure/CodecsAutoConfigurationTests.java b/module/spring-boot-http-codec/src/test/java/org/springframework/boot/http/codec/autoconfigure/CodecsAutoConfigurationTests.java index 4e58f4404ad9..6c221bcbd685 100644 --- a/module/spring-boot-http-codec/src/test/java/org/springframework/boot/http/codec/autoconfigure/CodecsAutoConfigurationTests.java +++ b/module/spring-boot-http-codec/src/test/java/org/springframework/boot/http/codec/autoconfigure/CodecsAutoConfigurationTests.java @@ -20,6 +20,7 @@ import java.util.Map; import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.gson.Gson; import kotlinx.serialization.json.Json; import org.junit.jupiter.api.Test; import tools.jackson.databind.json.JsonMapper; @@ -150,7 +151,7 @@ void kotlinSerializationUsesLimitedPredicateWhenOtherJsonConverterIsAvailable() @Test void kotlinSerializationUsesUnrestrictedPredicateWhenNoOtherJsonConverterIsAvailable() { FilteredClassLoader classLoader = new FilteredClassLoader(JsonMapper.class.getPackage().getName(), - ObjectMapper.class.getPackage().getName()); + ObjectMapper.class.getPackage().getName(), Gson.class.getPackage().getName()); this.contextRunner.withClassLoader(classLoader) .withUserConfiguration(KotlinxJsonConfiguration.class) .run((context) -> {