Well thanks Christopher - that presentation link was just what I needed (well - it was your presentation after all!). Really good. Ideally this could be written into the Tomcat standard Documentation, as it will crop up quite a bit.
In summary, 3 steps:

1. Fetch cert update (requires port 80).
   - certbot-auto renew
2. Reformat for Tomcat usage [might be natively handled in later Tomcat releases?]
   - openssl pkcs12 -export -in [cert] -inkey [key] -certfile [chain] -out [p12file]
3. Use JMX to flush/reload the SSL Host config (including cipher list & protocol level) at runtime.
   - https://localhost/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443,address="127.0.0.1"&op=reloadSslHostConfigs

Merlin Beedell

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 08 June 2020 9:14 PM
To: Tomcat Developers List <dev@tomcat.apache.org>; Merlin Beedell <mbeed...@cryoserver.com>
Subject: Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

Merlin,

On 6/8/20 10:17, Merlin Beedell wrote:
> I am getting a lot of flak from some senior devs who insist that
> Tomcat must be put behind a Proxy - HA Proxy or Nginx, which will
> handle the SSL offloading etc.
>
> While this seems sensible for multi-server environments, they want it
> for single server too. But Tomcat can do all the things that are
> required:
>
> * Certificate handling.
> * TLS level and Cipher restrictions
> * CORS handling (though this could be simpler!)
>
> But now with the requirement for LetsEncrypt certificates, we find
> that Tomcat has to be restarted every 3 months. Indeed - any changes
> to the above require tomcat restarts - and that is found to be
> unacceptable.

Nonsense.

http://tomcat.apache.org/presentations.html#latest-lets-encrypt

Updating CORS configuration may require a redeployment of your web application, but it does not require Tomcat to be shut-down.

There are other reasons to use a reverse proxy in front of Tomcat, but none of the above are good reasons.
> So what I really want to understand is if Tomcat has any plans to
> include the ability to restart an https connector WITHOUT needing to
> restart the whole of Tomcat. Better still, a hook that would help
> refresh certificates - like LetsEncrypt.
>
> https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart

There are no currently-correct answers to that question. I can fix that.

-chris
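The three-step procedure summarised in this thread (renew with certbot, repackage the PEM files as PKCS#12 with openssl, then call reloadSslHostConfigs through the Manager's jmxproxy) fits naturally into a certbot deploy hook. The script below is an added example written for this page; it is not code from the thread, from Tomcat or from certbot. It relies on certbot's real --deploy-hook mechanism and the RENEWED_LINEAGE variable it exports, on the standard openssl pkcs12 and curl options shown, and on the Manager's jmxproxy answering with a body that starts with "OK" on success. Everything else (the keystore path, the password file, the netrc file holding the manager-jmx credentials, the environment variable names) is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that rebuilds the
# Tomcat PKCS#12 keystore from a renewed Let's Encrypt lineage and reloads the
# connector's SSLHostConfig at runtime via the Manager jmxproxy.
set -eu

# Build the jmxproxy URL for reloadSslHostConfigs. Tomcat quotes the address
# attribute in the MBean name, so the quotes are sent percent-encoded (%22).
# Connectors bound to all interfaces have no address key; pass "" for those.
jmxproxy_reload_url() {
  host="$1"; port="$2"; addr="${3:-}"
  if [ -n "$addr" ]; then
    name="Catalina:type=ProtocolHandler,port=${port},address=%22${addr}%22"
  else
    name="Catalina:type=ProtocolHandler,port=${port}"
  fi
  printf 'https://%s/manager/jmxproxy?invoke=%s&op=reloadSslHostConfigs\n' "$host" "$name"
}

# Step 2 of the thread: cert + key + chain -> one PKCS#12 file for Tomcat.
# The export password is read from a root-only file, never from the command
# line, and the keystore is written to a temp name and swapped in atomically
# so Tomcat never reloads a half-written file.
make_pkcs12() {
  lineage="$1"; out="$2"; passfile="$3"
  umask 077   # the keystore contains the private key
  openssl pkcs12 -export \
    -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
    -certfile "$lineage/chain.pem" \
    -name tomcat -passout "file:$passfile" -out "$out.tmp"
  mv -f "$out.tmp" "$out"
}

# Step 3 of the thread: ask the running ProtocolHandler to reload its
# SSLHostConfigs. Credentials for a user with the manager-jmx role come from
# a netrc file (assumed path in MANAGER_NETRC) so they do not show up in ps.
reload_tomcat_tls() {
  url=$(jmxproxy_reload_url "$1" "$2" "${3:-}")
  resp=$(curl --silent --show-error --fail --netrc-file "$MANAGER_NETRC" "$url")
  case "$resp" in
    OK*) printf '%s\n' "$resp" ;;
    *)   printf 'reload failed: %s\n' "$resp" >&2; return 1 ;;
  esac
}

# certbot sets RENEWED_LINEAGE only when running this script as a deploy
# hook; when sourced or run by hand nothing below executes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  MANAGER_NETRC="${MANAGER_NETRC:-/etc/tomcat/conf/manager.netrc}"   # assumed path
  make_pkcs12 "$RENEWED_LINEAGE" \
    "${TOMCAT_P12:-/etc/tomcat/conf/letsencrypt.p12}" \
    "${P12_PASSFILE:-/etc/tomcat/conf/p12.pass}"                       # assumed paths
  reload_tomcat_tls "${MANAGER_HOST:-localhost}" "${CONNECTOR_PORT:-8443}" "${CONNECTOR_ADDRESS:-}"
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script.sh` (or `certbot-auto renew`, as in the thread); certbot runs the hook only for lineages it actually renewed. The password in the pass file must match the `certificateKeystorePassword` configured on the connector's `<Certificate>` element, and the jmxproxy endpoint is worth restricting to localhost with a RemoteAddrValve, since any account with manager-jmx can invoke arbitrary MBean operations through it.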