Hi Merlin, you can reload the certificates already (I think it is in JMX, but you can also do it programmatically through a listener or valve, which is convenient for handling the Let's Encrypt public part). You can have a look at https://github.com/apache/openwebbeans-meecrowave/blob/master/meecrowave-letsencrypt/src/main/java/org/apache/meecrowave/letencrypt/LetsEncryptReloadLifecycle.java#L155 for an impl.
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>

On Mon, 8 Jun 2020 at 16:17, Merlin Beedell <mbeed...@cryoserver.com> wrote:
> I am getting a lot of flak from some senior devs who insist that Tomcat
> must be put behind a Proxy – HA Proxy or Nginx, which will handle the SSL
> offloading etc.
>
> While this seems sensible for multi-server environments, they want it for
> single server too. But Tomcat can do all the things that are required:
>
> - Certificate handling.
> - TLS level and Cipher restrictions
> - CORS handling (though this could be simpler!)
>
> But now with the requirement for LetsEncrypt certificates, we find that
> Tomcat has to be restarted every 3 months. Indeed – any changes to the
> above require tomcat restarts – and that is found to be unacceptable.
>
> So what I really want to understand is if Tomcat has any plans to include
> the ability to restart an https connector WITHOUT needing to restart the
> whole of Tomcat. Better still, a hook that would help refresh certificates
> – like LetsEncrypt.
>
> https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart
>
> Merlin Beedell
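The listener approach Romain describes, as an added example that is not part of the thread and not the meecrowave code he links to: a Tomcat LifecycleListener that polls the certificate file an ACME client writes and calls the same reload operation the ProtocolHandler exposes over JMX. The class name, the server.xml attribute names and the certificate path are assumptions chosen for illustration; the Tomcat API calls (Server/Service/Connector lookup, AbstractHttp11Protocol.reloadSslHostConfigs()) are the real ones from Tomcat 8.5+/9.

```java
package com.example.tomcat; // hypothetical package for this example

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Server-level listener: watches the certificate file and asks every HTTPS
 * connector to reload its SSLHostConfig(s) when the file changes, so a renewed
 * Let's Encrypt certificate is picked up without restarting Tomcat. Existing
 * connections keep the TLS context they negotiated; new handshakes get the
 * new chain. Registered in server.xml as (hypothetical names):
 *
 *   <Listener className="com.example.tomcat.CertificateReloadListener"
 *             certificatePath="/etc/letsencrypt/live/example.org/fullchain.pem"
 *             checkIntervalSeconds="300"/>
 */
public class CertificateReloadListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(CertificateReloadListener.class);

    // Populated by Tomcat's digester from the attributes in server.xml.
    private String certificatePath;
    private long checkIntervalSeconds = 300;

    private ScheduledExecutorService scheduler;
    private FileTime lastSeen;

    public void setCertificatePath(String certificatePath) { this.certificatePath = certificatePath; }
    public void setCheckIntervalSeconds(long seconds) { this.checkIntervalSeconds = seconds; }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!(event.getLifecycle() instanceof Server)) {
            return; // only meaningful when attached to the <Server> element
        }
        Server server = (Server) event.getLifecycle();
        if (Lifecycle.AFTER_START_EVENT.equals(event.getType())) {
            startWatching(server);
        } else if (Lifecycle.BEFORE_STOP_EVENT.equals(event.getType()) && scheduler != null) {
            scheduler.shutdownNow();
        }
    }

    private void startWatching(Server server) {
        // getLastModifiedTime follows symlinks, so the live/ symlinks certbot
        // rewrites on renewal are seen as a change.
        Path path = Paths.get(certificatePath);
        lastSeen = readModifiedTime(path);
        scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "tls-cert-reload");
            t.setDaemon(true);
            return t;
        });
        scheduler.scheduleWithFixedDelay(() -> {
            FileTime current = readModifiedTime(path);
            if (current == null || current.equals(lastSeen)) {
                return; // missing (renewal in progress) or unchanged
            }
            try {
                reloadAllHttpsConnectors(server);
                lastSeen = current; // only advance on success so a failed reload is retried
            } catch (RuntimeException e) {
                log.error("TLS reload failed, keeping previous certificate; will retry", e);
            }
        }, checkIntervalSeconds, checkIntervalSeconds, TimeUnit.SECONDS);
    }

    private void reloadAllHttpsConnectors(Server server) {
        for (Service service : server.findServices()) {
            for (Connector connector : service.findConnectors()) {
                ProtocolHandler handler = connector.getProtocolHandler();
                if (!(handler instanceof AbstractHttp11Protocol)) {
                    continue; // AJP or other non-HTTP/1.1 handler
                }
                AbstractHttp11Protocol<?> http = (AbstractHttp11Protocol<?>) handler;
                if (!http.isSSLEnabled()) {
                    continue; // plain HTTP connector, nothing to reload
                }
                // Re-reads the certificate/key files of every SSLHostConfig on this
                // connector; same operation as reloadSslHostConfigs over JMX.
                http.reloadSslHostConfigs();
                log.info("Reloaded TLS configuration of " + connector);
            }
        }
    }

    private static FileTime readModifiedTime(Path path) {
        try {
            return Files.getLastModifiedTime(path);
        } catch (IOException e) {
            return null;
        }
    }
}
```

Two caveats worth checking before relying on this: the reload re-reads whatever files the SSLHostConfig attributes already point at, so the renewed key and chain must land at the same paths and stay readable by the Tomcat user; and because the key is re-read from disk, the private key file's permissions matter just as much after renewal as before.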