I am getting a lot of flak from some senior devs who insist that Tomcat must be put behind a proxy (HAProxy or Nginx) which will handle the SSL offloading etc. While this seems sensible for multi-server environments, they want it for single servers too. But Tomcat can do all the things that are required:

* Certificate handling.
* TLS level and cipher restrictions.
* CORS handling (though this could be simpler!)

But now with the requirement for LetsEncrypt certificates, we find that Tomcat has to be restarted every 3 months. Indeed, any changes to the above require Tomcat restarts, and that is found to be unacceptable.

So what I really want to understand is whether Tomcat has any plans to include the ability to restart an HTTPS connector WITHOUT needing to restart the whole of Tomcat. Better still, a hook that would help refresh certificates, like LetsEncrypt.

https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart

Merlin Beedell
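As an added illustration of the connector setup the post refers to (PEM certificate files, TLS version and cipher limits), not taken from the post or from the Tomcat project's own configuration: a `server.xml` HTTPS connector fragment in Tomcat 8.5+/9.x `SSLHostConfig` syntax. The host name `example.org`, the certbot-style paths under `/etc/letsencrypt/live/` and the cipher list are assumed placeholders; TLS 1.3 with the JSSE engine assumes Java 11 or later.

```xml
<!-- Added example, not from the post: an HTTPS connector in server.xml (Tomcat 8.5+/9.x).
     example.org, the file paths and the cipher list are placeholders to adapt. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="200"
           scheme="https" secure="true">
    <!-- One SSLHostConfig per TLS host name; the default one also serves clients without SNI. -->
    <SSLHostConfig hostName="example.org"
                   protocols="TLSv1.2,TLSv1.3"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                   honorCipherOrder="true">
        <!-- PEM files as issued by Let's Encrypt; no keystore conversion required.
             cert.pem holds the leaf certificate, chain.pem the intermediates, privkey.pem the key. -->
        <Certificate certificateFile="/etc/letsencrypt/live/example.org/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.org/chain.pem"
                     certificateKeyFile="/etc/letsencrypt/live/example.org/privkey.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Pointing the connector at the PEM files directly means a renewal only replaces files on disk; the remaining problem is getting the running connector to reread them. Tomcat 9.x exposes a `reloadSslHostConfigs` operation on the connector's `ProtocolHandler` JMX MBean and an `sslReload` command in the Manager application's text interface for exactly that, which is what a post-renewal hook (for example certbot's deploy hook) would call instead of restarting the server. Restricting `protocols` and `ciphers` as above is also worth verifying from the outside after every reload, since a typo in the cipher list silently falls back to whatever the JSSE defaults allow.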