Tags: spring-boot, nginx, ssl, https, raspberry-pi

SSL Certificate Issue with React (Frontend) and Java Spring Boot (Backend) on Raspberry Pi via NGINX


My main question is: can I have HTTPS in the following situation on my Raspberry Pi...

I'm conducting an experiment deploying a personal application with React for the frontend and Java Spring Boot for the backend. Currently, communication works over HTTP between the frontend and backend, as well as with HTTP requests from tools like PostMan or Insomnia.

However, when attempting to switch to HTTPS, I encounter an SSL certificate error. My backend API is a subdomain with my hosting provider (owt-api.quentingenet.fr), pointing to the public IP of my home modem. This modem then redirects ports to a Raspberry Pi, where an NGINX reverse proxy directs traffic to a Docker container.

I've correctly generated the SSL certificate (self-signed) for NGINX and for my Java Spring Boot API in the Docker container, with proper configuration in the 'application.properties' file. While I can interact with the backend database from the frontend and with tools like PostMan or Insomnia over HTTP, I get an SSL error when sending an HTTPS request.

The logs from my Spring Boot API indicate an SSL-related error. How can I resolve this issue and enable secure communication over HTTPS between my frontend and backend on the Raspberry Pi?

Thank you in advance for any help or suggestions.

My Dockerfile:

FROM alpine:latest

ENV DB_OWT_USERNAME vsdfvdsfvsdvsdv
ENV DB_OWT_PASSWORD vsdfvdsfvsdvsdv
ENV OWT_SERVER_PORT 7777
ENV DB_OWT_URL jdbc:mariadb://vsdfvdsfvsdvsdv:3306
ENV OWT_SECRET vsdfvdsfvsdvsdv
ENV OWT_MAIL_PASSWORD vsdfvdsfvsdvsdv
ENV OWT_USER_ADMIN_EMAIL [email protected]
ENV OWT_USER_ADMIN_PASSWORD vsdfvdsfvsdvsdv
ENV KEYSTORE_PATH keystore.jks

RUN ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime && apk update && apk upgrade && apk add bash && apk add openjdk17-jdk curl

WORKDIR /appOWT

COPY owtAPI.jar keystore.jks /appOWT/

RUN chmod 775 keystore.jks && chmod 775 owtAPI.jar

EXPOSE 7777
VOLUME /appOWT

CMD java -jar owtAPI.jar

My docker compose file:

version: '3'
volumes:
  data:
services:
  owt_db:
    image: mariadb
    environment:
      - MYSQL_ALLOW_EMPTY_PASSWORD=yesyeysyey
      - MYSQL_ROOT_PASSWORD=yesyeysyey
      - MYSQL_DATABASE=yesyeysyey
    volumes:
      - data:/var/lib/mysql
    ports:
      - 3307:3306
    restart: always
  owt_api:
    environment:
      # List-form entries must be KEY=value; "KEY:value" is read as a single
      # variable name with no value, so the API would start without these settings.
      - OWT_SERVER_PORT=7777
      - DB_OWT_URL=jdbc:mariadb://yesyeysyey:3306
      - OWT_SECRET=${OWT_SECRET}
      - OWT_MAIL_PASSWORD=${OWT_MAIL_PASSWORD}
      - OWT_USER_ADMIN_EMAIL=[email protected]
    build:
      context: .
      dockerfile: dockerfile
    depends_on:
      - owt_db
    ports:
      - 7777:7777
    restart: always

Just below, my NGINX config:

upstream backend_api_owt {
    server 171.15.0.2:7777;
}

server {
    listen 443 ssl;
    server_name owt-api.quentingenet.fr;

    ssl_certificate /etc/nginx/ssl/certificate.pem;  # Path to your SSL certificate
    ssl_certificate_key /etc/nginx/ssl/key.pem;  # Path to your SSL private key

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        include proxy_params;
        proxy_pass https://backend_api_owt;
    }

    include /etc/nginx/proxy_params;
}

My proxy_params file:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

My error in Postman or Insomnia:

Error: SSL peer certificate or SSH remote key was not OK
* Preparing request to https://owt-api.quentingenet.fr/login
* Current time is 2023-12-01T08:27:56.881Z
* Enable automatic URL encoding
* Using default HTTP version
* Enable timeout of 30000ms
* Enable SSL validation
*   Trying MY HOME MODEM IP:443...
* Connected to owt-api.quentingenet.fr (MY HOME MODEM IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0

My logs in Java Spring Boot when I send an HTTPS request:

owtapi-owt_api-1  | 2023-12-01 09:27:36.955 DEBUG 1 --- [l-1 housekeeper] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Pool stats (total=10, active=0, idle=10, waiting=0)
owtapi-owt_api-1  | 2023-12-01 09:27:36.956 DEBUG 1 --- [l-1 housekeeper] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Fill pool skipped, pool is at sufficient level.
owtapi-owt_api-1  | 2023-12-01 09:27:43.878 DEBUG 1 --- [alina-utility-2] org.apache.catalina.session.ManagerBase  : Start expire sessions StandardManager at 1701419263878 sessioncount 0
owtapi-owt_api-1  | 2023-12-01 09:27:43.879 DEBUG 1 --- [alina-utility-2] org.apache.catalina.session.ManagerBase  : End expire sessions StandardManager processingTime 1 expired sessions: 0
owtapi-owt_api-1  | 2023-12-01 09:27:53.625 DEBUG 1 --- [o-7777-Acceptor] o.apache.tomcat.util.threads.LimitLatch  : Counting up[https-jsse-nio-7777-Acceptor] latch=1
owtapi-owt_api-1  | 2023-12-01 09:27:53.644 DEBUG 1 --- [nio-7777-exec-1] o.a.tomcat.util.net.SecureNioChannel     : The SNI host name extracted for connection [java.nio.channels.SocketChannel[connected local=/IP_LOCAL _ON_PORT7777 remote=/IP_REMOTE]] was [owt-api.quentingenet.fr]
owtapi-owt_api-1  | 2023-12-01 09:27:53.918 DEBUG 1 --- [nio-7777-exec-1] org.apache.tomcat.util.net.NioEndpoint   : Registered write interest for [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1c7a00c8:org.apache.tomcat.util.net.SecureNioChannel@34bb8a58:java.nio.channels.SocketChannel[connected local=/IP_LOCAL _ON_PORT7777 remote=/IP_REMOTE]]
owtapi-owt_api-1  | 2023-12-01 09:27:53.922 DEBUG 1 --- [nio-7777-exec-2] org.apache.tomcat.util.net.NioEndpoint   : Registered write interest for [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1c7a00c8:org.apache.tomcat.util.net.SecureNioChannel@34bb8a58:java.nio.channels.SocketChannel[connected local=/IP_LOCAL _ON_PORT7777 remote=/IP_REMOTE]]
owtapi-owt_api-1  | 2023-12-01 09:27:53.938 DEBUG 1 --- [nio-7777-exec-4] org.apache.tomcat.util.net.NioEndpoint   : Registered read interest for [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1c7a00c8:org.apache.tomcat.util.net.SecureNioChannel@34bb8a58:java.nio.channels.SocketChannel[connected local=/IP_LOCAL _ON_PORT7777 remote=/IP_REMOTE]]
owtapi-owt_api-1  | 2023-12-01 09:27:53.971 DEBUG 1 --- [nio-7777-exec-3] o.a.t.util.net.NioEndpoint.handshake     : Handshake failed for client connection from IP address [84.55.162.46] and port [56398]
owtapi-owt_api-1  |
owtapi-owt_api-1  | javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
owtapi-owt_api-1  |     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:134) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[na:na]
owtapi-owt_api-1  |     at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[na:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.65.jar!/:na]
owtapi-owt_api-1  |     at java.base/java.lang.Thread.run(Thread.java:840) ~[na:na]
owtapi-owt_api-1  | Caused by: javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1898) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:239) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:196) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:159) ~[na:na]
owtapi-owt_api-1  |     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) ~[na:na]
owtapi-owt_api-1  |     ... 13 common frames omitted
owtapi-owt_api-1  |
owtapi-owt_api-1  | 2023-12-01 09:27:54.139 DEBUG 1 --- [nio-7777-exec-3] org.apache.tomcat.util.http.Parameters   : Set query string encoding to UTF-8
owtapi-owt_api-1  | 2023-12-01 09:27:54.145 DEBUG 1 --- [nio-7777-exec-3] o.apache.coyote.http11.Http11Processor   : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1c7a00c8:org.apache.tomcat.util.net.SecureNioChannel@34bb8a58:java.nio.channels.SocketChannel[connected local=/IP_LOCAL _ON_PORT7777 remote=/IP_REMOTE]], Status in: [CONNECT_FAIL], State out: [CLOSED]
owtapi-owt_api-1  | 2023-12-01 09:27:54.146 DEBUG 1 --- [nio-7777-exec-3] o.apache.tomcat.util.threads.LimitLatch  : Counting down[https-jsse-nio-7777-exec-3] latch=1
owtapi-owt_api-1  | 2023-12-01 09:27:54.147 DEBUG 1 --- [nio-7777-exec-3] org.apache.tomcat.util.net.NioEndpoint   : Calling [org.apache.tomcat.u

Solution

  • Finally, it is indeed possible! I managed to generate a self-signed certificate with Certbot and I now have HTTPS... For this, I use a Raspberry Pi and particularly a reverse proxy with NGINX which redirects to a Docker container running on my Raspberry Pi at my home for the BACKEND. For the FRONTEND, I have a subdomain at a shared hosting provider that points to my INTERNET BOX which in turn points to my Raspberry Pi at my home, which then redirects the HTTPS traffic to the Docker container.
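The Postman trace in the question stops with a TLS alert of "unknown CA" at the Certificate step, which is the client refusing the self-signed leaf that NGINX presents on port 443; nothing on the Raspberry Pi side is consulted after that alert. The configuration below is an added example, not the asker's config and not the answerer's, that combines the question's layout (NGINX in front, a TLS-enabled Spring Boot container behind it) with the answer's Certbot route: a publicly trusted chain on the client-facing hop, and explicit verification of the backend's own certificate on the proxy-to-container hop instead of NGINX's default of no SNI and no verification. The certbot paths under /etc/letsencrypt/live/, the ACME webroot /var/www/acme, the exported backend certificate /etc/nginx/ssl/backend-selfsigned.pem and the assumption that the backend certificate's name is owt-api.quentingenet.fr are all mine.

```nginx
# Added example, not the asker's or answerer's configuration.
# Assumed paths: certbot output under /etc/letsencrypt/live/, ACME webroot
# /var/www/acme, backend certificate exported to /etc/nginx/ssl/backend-selfsigned.pem.

upstream backend_api_owt {
    server 171.15.0.2:7777;
}

# Port 80 exists only for the ACME HTTP-01 challenge; everything else is
# redirected, so no application traffic is ever served in clear text.
server {
    listen 80;
    server_name owt-api.quentingenet.fr;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # assumed: the --webroot-path given to certbot
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name owt-api.quentingenet.fr;

    # Chain issued by a public CA via certbot. Postman, browsers and the React
    # front end validate it against their built-in trust store, which a
    # self-signed certificate can never satisfy.
    ssl_certificate     /etc/letsencrypt/live/owt-api.quentingenet.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/owt-api.quentingenet.fr/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2 and below; OpenSSL picks TLS 1.3 suites
    # separately, so TLS_AES_* names in this list are ignored rather than applied.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    location / {
        include proxy_params;
        proxy_pass https://backend_api_owt;

        # Proxy-to-container hop. By default NGINX sends no SNI and accepts any
        # certificate from the upstream. Pinning the container's own certificate
        # as the trust anchor means a swapped or expired backend certificate is
        # refused with a logged error instead of being silently accepted.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name owt-api.quentingenet.fr;   # assumed: CN/SAN in the backend's keystore certificate
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-selfsigned.pem;  # assumed: exported from keystore.jks
    }
}
```

The two hops fail independently, which is why the question's symptoms look contradictory: the client-side "self-signed certificate" error is fixed entirely by the certificate NGINX serves on 443, while the Tomcat "Handshake failed" lines concern only the connection arriving on port 7777. Keeping `proxy_ssl_verify on` makes a failure on that second hop show up as a 502 with an explicit verification error in the NGINX error log rather than as an unverified but "working" connection. If end-to-end TLS inside the Pi is not a requirement, the simpler design is to terminate TLS at NGINX and reach the container over plain HTTP on an internal Docker network that is not published to the modem, which removes the keystore and its renewal from the container altogether.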