@Chris:
https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java
?
it is more or less what we have in meecrowave except meecrowave can
hotreload whereas this (pre reloadSslHostConfig method) impl does not.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Thu, 11 Jun 2020 at 19:20, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Merlin,
>
> On 6/10/20 12:32, Merlin Beedell wrote:
> > Well thanks Christopher - that presentation link was just what I
> > needed (well - it was your presentation after all!). Really good.
> > Ideally this could be written into the Tomcat standard
> > Documentation, as it will crop up quite a bit.
> >
> > In summary, 3 steps:
> >
> > 1. Fetch cert update (requires port 80).
> >
> > – certbot-auto renew
> >
> > 2. Reformat for Tomcat usage [might be natively handled in later
> > Tomcat releases?]
> >
> > – openssl pkcs12 -export -in [cert] -inkey [key] -certfile [chain]
> >  -out [p12file]
> >
> > 3. Use JMX to flush/reload the SSL Host config (including cipher
> > list & protocol level) at runtime.
> >
> > https://localhost/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443,address="127.0.0.1"&op=reloadSslHostConfigs
>
> While "[documentation] patches are always welcome", I don't think I'd
> want to put this into the Tomcat user's manual. If we add information
> about Let's Encrypt, why not DigiCert? VeriSign? GoDaddy? WhoeverElseCA?
>
> I could see this being something useful in the Tomcat Wiki.
>
> At least one person who has seen my presentation has said "well, I was
> hoping there was just a letsencrypt='true' configuration flag". I like
> the outside-in approach certbot takes with their Apache plugins,
> rather than an inside-out approach where the server actually has a
> plug-in for let's encrypt (or similar).
>
> Romain @ TomEE has written a WAR file that implements this inside-out
> approach as a generic ACME servlet (context listener?), but I can't
> seem to find his code anywhere...
>
> - -chris
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: 08 June 2020 9:14 PM
> > To: Tomcat Developers List <dev@tomcat.apache.org>; Merlin Beedell
> > <mbeed...@cryoserver.com>
> > Subject: Re: Support for LetsEncrypt certs, and update process, in
> > Tomcat without restart.
> >
> > Merlin,
> >
> > On 6/8/20 10:17, Merlin Beedell wrote:
> >> I am getting a lot of flack from some senior devs who insist that
> >> Tomcat must be put behind a Proxy – HA Proxy or Nginx, which will
> >> handle the SSL offloading etc.
> >>
> >> While this seems sensible for multi-server environments, they want it
> >> for single server too.  But Tomcat can do all the things that are
> >> required:
> >>
> >> * Certificate handling.
> >> * TLS level and Cipher restrictions
> >> * CORS handling (though this could be simpler!)
> >>
> >> But now with the requirement for LetsEncrypt certificates, we find
> >> that Tomcat has to be restarted every 3 months.  Indeed – any changes
> >> to the above require tomcat restarts – and that is found to be
> >> unacceptable.
> >
> > Nonsense.
> >
> > http://tomcat.apache.org/presentations.html#latest-lets-encrypt
> >
> > Updating CORS configuration may require a redeployment of your web
> > application, but it does not require Tomcat to be shut-down.
> >
> > There are other reasons to use a reverse proxy in front of Tomcat,
> > but none of the above are good reasons.
> >
> >> So what I really want to understand is if Tomcat has any plans to
> >> include the ability to restart an https connector WITHOUT needing to
> >> restart the whole of Tomcat.  Better still, a hook that would help
> >> refresh certificates – like LetsEncrypt.
> >
> > https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart
> >
> > There are no currently-correct answers to that question.
> >
> > I can fix that.
> >
> > -chris
> >
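The three-step procedure Merlin summarises above (certbot renew, openssl pkcs12 repackaging, reloadSslHostConfigs through the manager's jmxproxy), written up as a certbot deploy hook. This is an added example and not code from the thread, from Tomcat or from certbot; the environment variable names, the keystore path, the manager user/password and the manager URL are assumptions made for the illustration. It assumes the HTTPS connector's certificateKeystoreFile already points at the PKCS#12 file the hook writes, so that reloadSslHostConfigs picks up the new material from the same path.

```shell
#!/bin/sh
# Added example (not from the thread, Tomcat or certbot): a certbot
# deploy hook that repackages a renewed Let's Encrypt lineage as a PKCS#12
# keystore for Tomcat and then asks the running Tomcat to reload its
# SSLHostConfig through the manager webapp's jmxproxy. No restart needed.
#
# Assumptions (all hypothetical): the HTTPS connector listens on
# $TOMCAT_PORT and, if it has an explicit address= attribute, on
# $TOMCAT_ADDRESS; the manager webapp is at $MANAGER_URL and
# $MANAGER_USER holds the manager-jmx role; the connector's
# certificateKeystoreFile is $P12_FILE with password $P12_PASS.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to deploy hooks.
set -eu

: "${TOMCAT_PORT:=8443}"
: "${TOMCAT_ADDRESS:=}"          # empty when the connector has no address=
: "${MANAGER_URL:=https://localhost/manager}"
: "${MANAGER_USER:=jmxadmin}"
: "${MANAGER_PASS:=changeit}"
: "${P12_FILE:=/opt/tomcat/conf/letsencrypt.p12}"
: "${P12_PASS:=changeit}"

# Build the jmxproxy URL that invokes reloadSslHostConfigs on the
# connector's ProtocolHandler MBean. Tomcat names that MBean
# Catalina:type=ProtocolHandler,port=N and adds ,address="a.b.c.d" only
# when the connector has an address set; the quotes are part of the
# ObjectName, so they go on the wire as %22.
jmxproxy_reload_url() {
    base=$1
    port=$2
    address=${3:-}
    name="Catalina:type=ProtocolHandler,port=${port}"
    if [ -n "$address" ]; then
        name="${name},address=%22${address}%22"
    fi
    printf '%s/jmxproxy?invoke=%s&op=reloadSslHostConfigs\n' "$base" "$name"
}

# Repackage cert + key + chain from the certbot lineage as PKCS#12 and
# swap it into place with mv, so Tomcat never reads a half-written
# keystore if the reload races with the write.
pkcs12_from_lineage() {
    lineage=$1
    out=$2
    pass=$3
    tmp="${out}.tmp.$$"
    openssl pkcs12 -export \
        -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
        -certfile "$lineage/chain.pem" \
        -name tomcat -out "$tmp" -passout "pass:${pass}"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
}

# Ask Tomcat to re-read the keystore (and the rest of the SSLHostConfig).
# jmxproxy reports failures as an "Error - ..." body, so check the body
# and not only the HTTP status.
reload_tomcat_tls() {
    url=$(jmxproxy_reload_url "$MANAGER_URL" "$TOMCAT_PORT" "$TOMCAT_ADDRESS")
    resp=$(curl --silent --show-error --fail \
        -u "${MANAGER_USER}:${MANAGER_PASS}" "$url")
    case $resp in
        OK*) return 0 ;;
        *)   printf 'reload failed: %s\n' "$resp" >&2; return 1 ;;
    esac
}

main() {
    pkcs12_from_lineage "$RENEWED_LINEAGE" "$P12_FILE" "$P12_PASS"
    reload_tomcat_tls
}

# certbot sets RENEWED_LINEAGE only while running deploy hooks; sourcing
# this file anywhere else just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh` (the hook only fires for lineages that actually renewed). The jmxproxy servlet can invoke any MBean operation exposed by the JVM, so the account used here should hold only manager-jmx, and the manager webapp should stay reachable from localhost only (or be fenced with a RemoteAddrValve) rather than being exposed on the same interface as the application.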
