Merlin,

On 6/10/20 12:32, Merlin Beedell wrote:
> Well thanks Christopher - that presentation link was just what I
> needed (well - it was your presentation after all!). Really good.
> Ideally this could be written into the Tomcat standard
> Documentation, as it will crop up quite a bit.
>
> In summary, 3 steps:
>
> 1. Fetch cert update (requires port 80).
>
> – certbot-auto renew
>
> 2. Reformat for Tomcat usage [might be natively handled in later
> Tomcat releases?]
>
> – openssl pkcs12 -export -in [cert] -inkey [key] -certfile [chain]
> -out [p12file]
>
> 3. Use JMX to flush/reload the SSL Host config (including cipher
> list & protocol level) at runtime.
>
> https://localhost/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443,address="127.0.0.1"&op=reloadSslHostConfigs

While "[documentation] patches are always welcome", I don't think I'd
want to put this into the Tomcat user's manual. If we add information
about Let's Encrypt, why not DigiCert? VeriSign? GoDaddy?
WhoeverElseCA?

I could see this being something useful in the Tomcat Wiki.

At least one person who has seen my presentation has said "well, I was
hoping there was just a letsencrypt='true' configuration flag".

I like the outside-in approach certbot takes with their Apache plugins,
rather than an inside-out approach where the server actually has a
plug-in for Let's Encrypt (or similar).

Romain @ TomEE has written a WAR file that implements this inside-out
approach as a generic ACME servlet (context listener?), but I can't
seem to find his code anywhere...

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: 08 June 2020 9:14 PM
> To: Tomcat Developers List <dev@tomcat.apache.org>; Merlin Beedell
> <mbeed...@cryoserver.com>
> Subject: Re: Support for LetsEncrypt certs, and update process, in
> Tomcat without restart.
>
> Merlin,
>
> On 6/8/20 10:17, Merlin Beedell wrote:
>> I am getting a lot of flak from some senior devs who insist that
>> Tomcat must be put behind a Proxy – HA Proxy or Nginx, which will
>> handle the SSL offloading etc.
>>
>> While this seems sensible for multi-server environments, they want it
>> for single server too. But Tomcat can do all the things that are
>> required:
>>
>> * Certificate handling.
>> * TLS level and Cipher restrictions
>> * CORS handling (though this could be simpler!)
>>
>> But now with the requirement for LetsEncrypt certificates, we find
>> that Tomcat has to be restarted every 3 months. Indeed – any changes
>> to the above require tomcat restarts – and that is found to be
>> unacceptable.
>
> Nonsense.
>
> http://tomcat.apache.org/presentations.html#latest-lets-encrypt
>
> Updating CORS configuration may require a redeployment of your web
> application, but it does not require Tomcat to be shut-down.
>
> There are other reasons to use a reverse proxy in front of Tomcat,
> but none of the above are good reasons.
>
>> So what I really want to understand is if Tomcat has any plans to
>> include the ability to restart an https connector WITHOUT needing to
>> restart the whole of Tomcat. Better still, a hook that would help
>> refresh certificates – like LetsEncrypt.
>
> https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart
>
> There are no currently-correct answers to that question.
>
> I can fix that.
>
> -chris
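Added here as an example (it is not code from this thread, from certbot or from Tomcat): a certbot deploy-hook script in POSIX sh that strings the three steps of the summary together, running steps 2 and 3 after certbot has renewed the certificate. The manager URL, user name, connector port and address, and keystore path are assumed values; the user is assumed to hold Tomcat's manager-jmx role.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Install as
#   certbot renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/tomcat.sh
# Assumed (hypothetical) values: manager app on localhost, a user with the
# manager-jmx role, HTTPS connector on 8443 bound to 127.0.0.1, and the
# keystore path that Tomcat's SSLHostConfig already points at.
set -eu

MANAGER_URL="${MANAGER_URL:-https://localhost/manager/jmxproxy}"
MANAGER_USER="${MANAGER_USER:-jmxadmin}"            # needs role manager-jmx
CONNECTOR_PORT="${CONNECTOR_PORT:-8443}"
CONNECTOR_ADDRESS="${CONNECTOR_ADDRESS:-127.0.0.1}" # empty if connector is unbound
KEYSTORE="${KEYSTORE:-/etc/tomcat/tls/tomcat.p12}"

# Build the jmxproxy URL that invokes reloadSslHostConfigs on the connector.
# A connector bound to an address carries a quoted address= key in its
# ObjectName; the quotes are percent-encoded (%22) so they survive in the URL.
build_jmx_url() {
  manager="$1"; port="$2"; address="$3"
  name="Catalina:type=ProtocolHandler,port=$port"
  [ -n "$address" ] && name="$name,address=%22$address%22"
  printf '%s?invoke=%s&op=reloadSslHostConfigs\n' "$manager" "$name"
}

# Step 2: repackage certbot's PEM files as a PKCS#12 keystore. Write to a temp
# file and rename so Tomcat never reloads a half-written store.
convert_to_p12() {
  lineage="$1"; out="$2"; password="$3"
  tmp="$out.tmp.$$"
  openssl pkcs12 -export -name tomcat \
    -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
    -certfile "$lineage/chain.pem" -passout "pass:$password" -out "$tmp"
  chmod 0640 "$tmp"
  mv "$tmp" "$out"
}

# Step 3: have Tomcat re-read the keystore. The proxy answers with a line
# starting "OK - Operation reloadSslHostConfigs returned" on success.
reload_tls() {
  url="$(build_jmx_url "$MANAGER_URL" "$CONNECTOR_PORT" "$CONNECTOR_ADDRESS")"
  curl -fsS -u "$MANAGER_USER:$MANAGER_PASS" "$url" | grep -q '^OK'
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) to
# deploy hooks; when sourced by hand it is unset and only the functions load.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  convert_to_p12 "$RENEWED_LINEAGE" "$KEYSTORE" "$KEYSTORE_PASS"
  reload_tls
fi
```

reloadSslHostConfigs only re-reads the keystore already configured in server.xml, so the PKCS#12 must be written to that path, and the private key and MANAGER_PASS/KEYSTORE_PASS should be readable by the hook's user only.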