Setting-up Pedestal/Jetty with HTTPS

Introduction

Setting up Pedestal (using Jetty) with HTTPS isn’t that difficult, but it is a bit “fiddly”. Essentially, you’ll need a keystore so that Jetty has access to encryption keys and can encrypt pages sent over HTTPS.

This post only deals with self-signed certificates, but if you want to use commercially-signed certificates it should work too.

Just be aware that Jetty is happiest with the pkcs12 format - I’ve never got it to work satisfactorily using other formats.

Service Map (Pedestal)

In order to run Jetty under Pedestal you’ll need to supply a service map. The following service map works for me. You can change it as you need. The important elements in the current context are where Jetty should look for the keystore (keystore-location), the :ssl? key, the :ssl-port and the :security-provider.

Make sure the provider (Conscrypt) is in your deps.edn file, otherwise Jetty will fail to start with the :security-provider setting below.

;; Requires assumed for this snippet (not shown in the original post):
;; (:require [clojure.java.io :as io]
;;           [io.pedestal.http :as http])
;; `routes` and `jetty-websocket-configurator` are defined elsewhere in the project.
(def service-map
  (let [keystore-location
        ;; Let the keystore path be overridden through the environment;
        ;; otherwise fall back to a fixed path on disk.
        (if (System/getenv "KEYSTORE_LOCATION")
          (-> (io/file (System/getenv "KEYSTORE_LOCATION"))
              (.getCanonicalPath))
          "/home/user/security/jetty-keystore")]
    {::http/host "0.0.0.0"
     ::http/allowed-origins {:allowed-origins (fn [_] true)
                             :creds true}
     ::http/routes #(deref #'routes)
     ::http/type   :jetty
     ::http/container-options
     {:context-configurator jetty-websocket-configurator
      :h2c? true
      :h2? true                    ; Pedestal's key is :h2? (a bare :h2 is silently ignored)
      :ssl? true
      :ssl-port 8081               ; HTTPS listener
      :keystore keystore-location  ; the pkcs12 file built in the Jetty Keystore section
      :key-password "thepassword"  ; must match the pkcs12 export password
      :security-provider "Conscrypt"}
     ::http/port 8080}))           ; plain HTTP listener

Jetty Keystore

In order for Pedestal to start with Jetty, it expects to find a keystore in a particular location (see Service Map notes above).

To create the keystore, follow the steps below. (I’ve plagiarized/assembled these from pieces of information on the web, and I’m afraid I can’t remember the source(s).)

Generate a private site key (site.key)

$ openssl genrsa -des3 -out site.key 2048

Make a copy of site.key and strip the password, so that it can be auto-loaded. The stripped key is now unencrypted on disk, so keep its file permissions restricted to the user Jetty runs as.

$ cp site.key site.orig.key
$ openssl rsa -in site.orig.key -out site.key

Generate a certificate signing request (site.csr). Note that the next step builds the self-signed certificate directly from site.key, so site.csr is not consumed by anything below; you only need it if you want a commercial CA to sign the key instead.

$ openssl req -new -key site.key -out site.csr

Generate a self-signed certificate (sitex509.crt, in X.509 format for loading into the keystore). Without a -days option openssl gives the certificate a validity of only 30 days, so add e.g. -days 365 if you don’t want to regenerate it every month.

$ openssl req -new -x509 -key site.key -out sitex509.crt

Combine the self-signed certificate (sitex509.crt) and site key (site.key) and export them in pkcs12 format (site.pkcs12). You’ll be prompted for an export password; that is the password to put in :key-password in the service map.

$ openssl pkcs12 -inkey site.key -in sitex509.crt -export -out site.pkcs12

Rename the keystore (site.pkcs12) to jetty-keystore (or point KEYSTORE_LOCATION at it) and adjust the service-map to use it.
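The whole procedure above as one script, an added example that is not code from the original post: it runs the openssl steps non-interactively and then checks that the resulting keystore actually opens with the password you will put in :key-password. The helper names make_jetty_keystore and verify_jetty_keystore, the CN and the 365-day validity are assumptions of this example, not values from the post.

```shell
# Added example (not code from the original post): the keystore steps above,
# run non-interactively, plus a check that the result opens with the password
# Pedestal is configured with. The helper names, the CN and the 365-day
# validity are assumptions made here, not values from the post.
set -eu

# make_jetty_keystore OUT PASSWORD DAYS CN
#   OUT      : file Pedestal will read (KEYSTORE_LOCATION / :keystore)
#   PASSWORD : pkcs12 export password, i.e. the value for :key-password
#   DAYS     : certificate validity; `openssl req -x509` defaults to only 30
#   CN       : hostname the self-signed certificate is issued for
make_jetty_keystore() {
  out=$1; password=$2; days=$3; cn=$4
  work=$(mktemp -d)
  umask 077   # key material and keystore are created owner-readable only
  # Private key written without a passphrase (the post's "strip the password"
  # step) so that Jetty can load it unattended.
  openssl genrsa -out "$work/site.key" 2048 2>/dev/null
  # Self-signed X.509 certificate straight from the key; no CSR round-trip.
  openssl req -new -x509 -key "$work/site.key" -days "$days" \
    -subj "/CN=$cn" -out "$work/sitex509.crt" 2>/dev/null
  # Bundle key + certificate into the pkcs12 keystore Jetty is happiest with.
  openssl pkcs12 -export -inkey "$work/site.key" -in "$work/sitex509.crt" \
    -name jetty -passout "pass:$password" -out "$out"
  rm -rf "$work"
}

# verify_jetty_keystore OUT PASSWORD
#   Returns non-zero if the keystore cannot be opened with PASSWORD or holds
#   no certificate: the usual reasons Jetty refuses to start on :ssl-port.
#   On success prints the subject and expiry of the certificate.
verify_jetty_keystore() {
  out=$1; password=$2
  # -noout parses the whole container and checks its MAC with the password
  # without writing any key or certificate out.
  openssl pkcs12 -in "$out" -passin "pass:$password" -noout 2>/dev/null || return 1
  # Extract just the end-entity certificate and show subject and expiry, so
  # the 30-day default is caught before the cert silently expires.
  openssl pkcs12 -in "$out" -passin "pass:$password" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}
```

Run it as `make_jetty_keystore /home/user/security/jetty-keystore thepassword 365 myhost && verify_jetty_keystore /home/user/security/jetty-keystore thepassword` before starting Pedestal; a wrong password fails here instead of in Jetty's startup log.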

Kieran Owens
CTO of Timpson Gray

Experienced Technology Leader with a particular interest in the use of functional languages for building accounting systems.