Skip to content

Commit ad80372

Browse files
committed
docs: Document HTTPS support in README
1 parent f75476f commit ad80372

2 files changed

Lines changed: 63 additions & 4 deletions

File tree

README.md

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ endpoints declared in an OpenAPI 3.1.x specification. Handlers are pure function
2020
- [JSON mapping](#json-mapping)
2121
- [Body parsers and response writers](#body-parsers-and-response-writers)
2222
- [Server configuration](#server-configuration)
23+
- [HTTPS](#https)
2324
- [Interceptors and response decorators](#interceptors-and-response-decorators)
2425
- [After-response hooks](#after-response-hooks)
2526
- [Security](#security)
@@ -326,6 +327,64 @@ OpenApiServer.builder()
326327
.build();
327328
```
328329

330+
### HTTPS
331+
332+
Point the builder at a PEM certificate chain and a PEM PKCS#8 private key:
333+
334+
```java
335+
import java.nio.file.Path;
336+
337+
var server = OpenApiServer.builder()
338+
.spec(spec)
339+
.handlers(handlers)
340+
.https(
341+
Path.of("/etc/letsencrypt/live/example.com/fullchain.pem"),
342+
Path.of("/etc/letsencrypt/live/example.com/privkey.pem"))
343+
.build();
344+
```
345+
346+
certbot / Let's Encrypt write exactly these two files to
347+
`/etc/letsencrypt/live/<domain>/`: `fullchain.pem` (your certificate + the
348+
issuing intermediates, concatenated PEM) and `privkey.pem` (unencrypted PKCS#8).
349+
No conversion to PKCS12 / JKS is needed; the library parses the PEM directly
350+
using JDK APIs only.
351+
352+
Both RSA and EC (P-256) private keys are accepted; the algorithm is detected
353+
automatically.
354+
355+
When `.https(...)` is set, the default port changes from `8080` to `8443`.
356+
`port(int)` still overrides explicitly:
357+
358+
```java
359+
OpenApiServer.builder()
360+
.spec(spec)
361+
.handlers(handlers)
362+
.https(certChain, privateKey)
363+
.port(443) // overrides the 8443 default
364+
.build();
365+
```
366+
367+
For local development without a real certificate, generate a self-signed pair
368+
with one openssl command:
369+
370+
```bash
371+
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
372+
-keyout privkey.pem -out fullchain.pem \
373+
-subj "/CN=localhost" \
374+
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
375+
```
376+
377+
Clients (browsers, `curl`, `HttpClient`) need to trust the resulting certificate
378+
explicitly — it isn't signed by a public CA.
379+
380+
**Not in this release** (each can land later without breaking the API):
381+
382+
- Encrypted / password-protected private keys
383+
- PKCS12 / JKS keystore inputs
384+
- Certificate hot-reload on renewal (restart the process after `certbot renew`)
385+
- TLS protocol / cipher overrides (JDK defaults apply: TLS 1.2 and 1.3)
386+
- Serving HTTP and HTTPS from one `OpenApiServer` instance
387+
329388
### Graceful shutdown
330389

331390
`OpenApiServer` exposes `stop(int delaySeconds)` for explicit shutdown that waits up to the given

docs/superpowers/plans/2026-05-21-https-support.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -779,7 +779,7 @@ SKIP=commitlint git commit -m "feat: Enable HTTPS via Builder.https(certChain, p
779779

780780
- Modify: `README.md`
781781

782-
- [ ] **Step 1: Add the table-of-contents entry**
782+
- [x] **Step 1: Add the table-of-contents entry**
783783

784784
In the `## Table of contents` block, under `## Server configuration`, change:
785785

@@ -796,7 +796,7 @@ to add a nested HTTPS link (mirroring the existing nesting style if present, oth
796796

797797
Confirm the existing TOC's indentation style first by reading the top of `README.md`; match it.
798798
799-
- [ ] **Step 2: Add the HTTPS subsection**
799+
- [x] **Step 2: Add the HTTPS subsection**
800800
801801
In `README.md`, find the existing `### Graceful shutdown` heading inside `## Server configuration`. Immediately *before* it, insert:
802802
@@ -860,15 +860,15 @@ explicitly — it isn't signed by a public CA.
860860
- Serving HTTP and HTTPS from one `OpenApiServer` instance
861861
````
862862
863-
- [ ] **Step 3: Verify the README renders the new section**
863+
- [x] **Step 3: Verify the README renders the new section**
864864
865865
```bash
866866
grep -n "^### HTTPS$" README.md
867867
```
868868
869869
Expected: one line, between the `### Bind address` and `### Graceful shutdown` headings inside `## Server configuration`.
870870
871-
- [ ] **Step 4: Commit**
871+
- [x] **Step 4: Commit**
872872
873873
```bash
874874
git add README.md

0 commit comments

Comments
 (0)