Le mer. 23 déc. 2020 à 17:24, Mladen Adamović <mladen.adamo...@gmail.com> a écrit :
> On Wed, Dec 23, 2020 at 4:44 PM Romain Manni-Bucau <rmannibu...@gmail.com> > wrote: > > > 1. Usage, typically if you run in kubernetes or any managed instance env > > then you don't care and will restart the instance (with graceful > shutdown) > > when needed > > > > This is outside of my scope. > > > > 2. There are several tomcat instances out there using certbot (my blog > is a > > tomee with certbot on for example) so can also be a lack of doc/knowledge > > > > That's well known before in the conversation, i.e. I'm running Tomcat with > SSL on numbeo.com as documented here: > > https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/ > > Was just answering your point that user complains. It works, that's a fact. If (once hopefully) we get a tomcat-letsencrypt module we'll get issues that it does not work for some people. This is always the case each time you create something new so real point is can we make it better. Being embed we can refresh when needed instead of randomly so I think we can make it better, but it already works and it will not solve the entry cost users have I think. > > > 3. I agree a built in module enables an easier deployment (just a valve > to > > configure with a few attributes) and everything else works OOTB but you > > don't need any modification in tomcat distribution to do that - was my > main > > point, all can be done in a new module without modifying tomcat internals > > for a particular deployment > > > > But adding a Valve or a Servlet would mean modifying Tomcat internals? > No, it means implementing a Valve. We don't modify tomcat internals each time we implement a servlet and it is ~the same there ;). > > > > > 4. In several cases tomcat will not have the SSL config but a frontend > > (httpd, nginx, ...) will do it so tomcat integration will not help there > > > > Those suckers ;-) > Joke apart, they have their usage and in such a setup one big gain is to reduce the number of requests to let's encrypt (compared to a backend with hundreds of instances, the front will likely just get ~10 instances) and have a different lifecycle than the app. > > > > > > > > This is why, for me, a tomcat-letsencrypt module is the most relevant > > solution. > > If owned by Tomcat project perfect (this is the best IMHO), if not it > will > > still cover the same features so still good. > > > > Hope it makes sense. > > > > > > > > > > > > > > > > > > > > Do you see anything else which would need to change? The reloadSSL > > method > > > > was added for letsencrypt already so guess this adjustment work is > > > already > > > > done. > > > > > > > > > There are currently two options, through manager or through service > > > restart. It seems that there is no consensus here to add the 3th > option. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Dec 23, 2020 at 2:01 PM Romain Manni-Bucau < > > > > rmannibu...@gmail.com> > > > > > wrote: > > > > > > > > > > > Le mer. 23 déc. 2020 à 12:50, Mladen Adamović < > > > > mladen.adamo...@gmail.com > > > > > > > > > > > > a > > > > > > écrit : > > > > > > > > > > > > > On Wed, Dec 23, 2020 at 12:12 PM Romain Manni-Bucau < > > > > > > rmannibu...@gmail.com > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > I don't think so, this connector auth is only used in very > > > > particular > > > > > > > cases > > > > > > > > (= never ;)): HTTP2 - we don't care, AJP - we don't care > much. > > It > > > > is > > > > > > > also a > > > > > > > > kind of automatic authorization - no password or so - so will > > > pass > > > > > and > > > > > > > not > > > > > > > > fail. > > > > > > > > > > > > > > > > > > > > > > That sounds very strange, as I have seen in the code: > > > > > > > if (req.getRemoteUserNeedsAuthorization()) { > > > > > > > ... > > > > > > > } else if (!(authenticator instanceof > > > > > > AuthenticatorBase)) { > > > > > > > ... > > > > > > > } > > > > > > > > > > > > > > public class SSLAuthenticator extends AuthenticatorBase { > > > > > > > > > > > > > > > > > > > > Sure but check what makes remoteUserNeedsAuthorization true > (http2 > > > and > > > > > ajp) > > > > > > and what does the block when true (authenticate(username), no > > > password > > > > or > > > > > > so). > > > > > > So not an issue IMHO. > > > > > > > > > > > > > > > > > > > > > > > > > > My point was if you have some security contraint (JWT, basic, > > > etc...) > > > > > on > > > > > > > > /*, then your servlet will not be called for letsencrypt call > > > > whereas > > > > > > if > > > > > > > > you have a valve you can still handle it properly since you > > > didn't > > > > > > enter > > > > > > > > the secured chain - a valve is before filter chain and can be > > > > before > > > > > > > > authenticators in valve chain since authenticators - > > > > > AuthenticatorBase > > > > > > - > > > > > > > > are valves. > > > > > > > > > > > > > > > > > > > > > > Authenticator Valve's seems to me to have a different treatment > > > than > > > > > > other > > > > > > > Valves which are accessed through Pipeline. > > > > > > > > > > > > > > > > > > > This is true since it can be obtained from the context and its > call > > > can > > > > > be > > > > > > forced, but here again the question is when. > > > > > > If you check callers then it shouldn't be the case until you add > > > > another > > > > > > valve doing it and if so you can still set the LetsEncryptValve > > > before > > > > > and > > > > > > bypass it - can even be set on the host and not the context. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > In other words: no code change required in tomcat internals. > > > > > > > > > > > > > > > > > > > > > > I don't understand this yet. If the implementation would use > > > > > serverl.xml > > > > > > to > > > > > > > change StandardContextValve to something else? > > > > > > > > > > > > > > > > > > > No, change nothing, just add a valve on the host for example > > through > > > > > <Valve > > > > > > className.... /> tag. > > > > > > > > > > > > > > > > > > > > > > > > > > I've tried to figure out what are you doing in meecrowave and > my > > > IDE > > > > > > > (Netbeans) shows me Usage of LetsEncryptValve [no occurrences] > > > > > > > > > > > > > > > > > > > Maybe use another IDE ;) (joking ;)): > > > > > > > > > > > > > > > > > > > > > > > > > > > https://github.com/apache/openwebbeans-meecrowave/blob/433a691b246f9eeda2273e794ddbb7970691cc5f/meecrowave-letsencrypt/src/main/java/org/apache/meecrowave/letencrypt/LetsEncryptSetup.java#L44 > > > > > > The MeecrowaveAwareInstanceCustomizer instance enables to "code" > > the > > > > > > server.xml but it is equivalent to previous proposal (<Valve/>). > > > > > > > > > > > > > > > > > > > > > > > > > > How this LetsEncryptValve is actually "injected" into > meecrowave > > > > > > Pipeline ? > > > > > > > Or how it is used internally? > > > > > > > I didn't see any Reflection code on Valves or Valve base by > > > searching > > > > > > > source code. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Romain Manni-Bucau > > > > > > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > > > > > <https://rmannibucau.metawerx.net/> | Old Blog > > > > > > > > <http://rmannibucau.wordpress.com> | Github < > > > > > > > > https://github.com/rmannibucau> | > > > > > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > > > > > > > < > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Le mer. 23 déc. 2020 à 11:23, Mladen Adamović < > > > > > > mladen.adamo...@gmail.com > > > > > > > > > > > > > > > > a > > > > > > > > écrit : > > > > > > > > > > > > > > > > > Thank you Romain, do you then think the place to check for > > ACME > > > > > Valve > > > > > > > (if > > > > > > > > > that would the be appropriate naming) would be in > > > > > > > > > CoyoteAdapter.postParseRequest line 814 > > > > > > > > > before doConnectorAuthenticationAuthorization(...) ? > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Dec 23, 2020 at 9:22 AM Romain Manni-Bucau < > > > > > > > > rmannibu...@gmail.com> > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > Side note: using a servlet generally does not work if you > > > have > > > > > any > > > > > > > > > security > > > > > > > > > > on the webapp + requires a webapp whereas using a valve > > > solves > > > > > > these > > > > > > > > two > > > > > > > > > > issues. > > > > > > > > > > > > > > > > > > > > Romain Manni-Bucau > > > > > > > > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > > > > > > > <https://rmannibucau.metawerx.net/> | Old Blog > > > > > > > > > > <http://rmannibucau.wordpress.com> | Github < > > > > > > > > > > https://github.com/rmannibucau> | > > > > > > > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | > Book > > > > > > > > > > < > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Le mer. 23 déc. 2020 à 09:15, Mladen Adamović < > > > > > > > > mladen.adamo...@gmail.com > > > > > > > > > > > > > > > > > > > > a > > > > > > > > > > écrit : > > > > > > > > > > > > > > > > > > > > > As I haven't received more replies on this topic, I'm > > > > guessing > > > > > > > > project > > > > > > > > > > > maintainers are not interested in reviewing and > including > > > the > > > > > > code > > > > > > > > for > > > > > > > > > > > simpler Letsencrypt integration and discussing the > > > mentioned > > > > > SSL > > > > > > > > > > > documentation improvements? > > > > > > > > > > > > > > > > > > > > > > Enabling AMCE response servlet (good idea by default) > > would > > > > be > > > > > a > > > > > > > good > > > > > > > > > > step > > > > > > > > > > > in my opinion? > > > > > > > > > > > > > > > > > > > > > > My procedure is explained here: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/ > > > > > > > > > > > and the step "Configure HTTP redirect application with > > > > support > > > > > to > > > > > > > > ACME > > > > > > > > > > > challenge" could be integrated into Tomcat easily. > > > > > > > > > > > > > > > > > > > > > > In the case that is integrated, I can write a new > > improved > > > > > > > > > > > tutorial/process. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Sat, Dec 19, 2020 at 11:09 PM Mladen Adamović < > > > > > > > > > > > mladen.adamo...@gmail.com> > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > On Sat, Dec 19, 2020 at 6:30 PM Romain Manni-Bucau < > > > > > > > > > > > rmannibu...@gmail.com> > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > >> It moves the problem elsewhere, how would the CLI > > > > > communicate > > > > > > > with > > > > > > > > > > > tomcat? > > > > > > > > > > > >> JMX, HTTP uses a port, a file based communication > > would > > > be > > > > > > > > probably > > > > > > > > > > > worse > > > > > > > > > > > >> because of perms and other admin issues (and just > not > > > > > working > > > > > > in > > > > > > > > > k8s). > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > I don't see other sane ways actually. So it seems a > > > > web-based > > > > > > > > manager > > > > > > > > > > > with > > > > > > > > > > > > curl is there to stay (for the time being at least). > > > > > > > > > > > > > > > > > > > > > > > > To Chris: It's somewhat weird that the user needs a > web > > > > > manager > > > > > > > > just > > > > > > > > > > for > > > > > > > > > > > > curl-ing certification renewal. > > > > > > > > > > > > > > > > > > > > > > > > To everyone: > > > > > > > > > > > > I have a suggestion on improving Documentation > > regarding > > > > SSL. > > > > > > > > > > > > > > https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html > > > > > > > > > > > > Currently, it states > > > > > > > > > > > > Configuration > > > > > > > > > > > > Prepare the Certificate Keystore > > > > > > > > > > > > Tomcat currently operates only on JKS, PKCS11 or > PKCS12 > > > > > format > > > > > > > > > > keystores. > > > > > > > > > > > > > > > > > > > > > > > > ... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I think it should start with > > > > > > > > > > > > Configuration > > > > > > > > > > > > Option 1) Use Tomcat Native > > > > > > > > > > > > which would showcase a path to something like: > > > > > > > > > > > > > > > > > > > > > > > > <!-- Define an SSL Coyote HTTP/1.1 Connector on port > > 8443 > > > > --> > > > > > > > > > > > > <Connector > > > > > > > > > > > > > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > > > > > > > > > > > port="8443" > > > > > > > > > > > > maxThreads="150" > > > > > > > > > > > > SSLEnabled="true" > > > > > > > > > > > > > <SSLHostConfig> > > > > > > > > > > > > <Certificate > > > > > > > > > > > > > certificateKeyFile="conf/localhost-rsa-key.pem" > > > > > > > > > > > > certificateFile="conf/localhost-rsa-cert.pem" > > > > > > > > > > > > > > > certificateChainFile="conf/localhost-rsa-chain.pem" > > > > > > > > > > > > type="RSA" > > > > > > > > > > > > /> > > > > > > > > > > > > </SSLHostConfig> > > > > > > > > > > > > </Connector> > > > > > > > > > > > > > > > > > > > > > > > > Option 2) Without Tomcat Native > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I don't know what is the formal process for improving > > the > > > > > > > > > documentation > > > > > > > > > > > > here? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > Le sam. 19 déc. 2020 à 15:24, Mladen > Adamović > > < > > > > > > > > > > > >> > > mladen.adamo...@gmail.com > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > a > > > > > > > > > > > >> > > > > écrit : > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > On Sat, Dec 19, 2020 at 2:29 PM > Christopher > > > > > Schultz > > > > > > < > > > > > > > > > > > >> > > > > > ch...@christopherschultz.net> wrote: > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > Why not use cron? You can do this with a > > > > single > > > > > > > "curl" > > > > > > > > > > > command > > > > > > > > > > > >> > and > > > > > > > > > > > >> > > > the > > > > > > > > > > > >> > > > > > > Manager+JMXProxyServlet. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > We are not using Tomcat manager app. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > Why someone should be forced to use > Manager, > > > to > > > > > > > > read/setup > > > > > > > > > > the > > > > > > > > > > > >> > > > > > documentation regarding JMXProxyServlet, > > > create > > > > an > > > > > > > > > > additional > > > > > > > > > > > >> > > > > > servlet (where does it have dependency > on?) > > > only > > > > > to > > > > > > > > reload > > > > > > > > > > > >> > > > automatically > > > > > > > > > > > >> > > > > > certificates? > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > I'm proposing a solution with the simple > > > > > > SSLHostConfig > > > > > > > > > > > >> parameter. > > > > > > > > > > > >> > > It's > > > > > > > > > > > >> > > > a > > > > > > > > > > > >> > > > > > user friendly. Simple, intuitive. > > > > > > > > > > > >> > > > > > No need for using manager, no need to > > create a > > > > > > > specific > > > > > > > > > > > servlet > > > > > > > > > > > >> > > > somewhere > > > > > > > > > > > >> > > > > > in your code. Just a single server.xml > > > argument. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > Also, *another idea*, I'm contributing > this > > > code > > > > > > (see > > > > > > > > > below) > > > > > > > > > > > we > > > > > > > > > > > >> are > > > > > > > > > > > >> > > > using > > > > > > > > > > > >> > > > > > for Letsencrypt ACME challenge. > > > > > > > > > > > >> > > > > > Tomcat could also have an option, i.e. in > > > > web.xml > > > > > to > > > > > > > > > > > >> automatically > > > > > > > > > > > >> > > > > support > > > > > > > > > > > >> > > > > > Letsencrypt ACME challenge. > > > > > > > > > > > >> > > > > > Idea for web.xml > > > > > > > > > > > >> > > > > > <servlet> > > > > > > > > > > > >> > > > > > > > > > > > <servlet-name>Letsencrypt-acme</servlet-name> > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > <servlet-class>org.apache.catalina.servlets.LetsencryptAcmeChallenge</servlet-class> > > > > > > > > > > > >> > > > > > <init-param> > > > > > > > > > > > >> > > > > > etc. > > > > > > > > > > > >> > > > > > </servlet> > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > We are using > > > > > > > > > > > >> > > > > > @WebServlet(name = > > "LetsencryptAcmeChallenge", > > > > > > > > > urlPatterns = > > > > > > > > > > > >> > > > > > {"/.well-known/acme-challenge/*"}) > > > > > > > > > > > >> > > > > > public class LetsencryptAcmeChallenge > > extends > > > > > > > > HttpServlet > > > > > > > > > { > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > /** > > > > > > > > > > > >> > > > > > * Processes requests for both HTTP > > > > > > <code>GET</code> > > > > > > > > and > > > > > > > > > > > >> > > > > > <code>POST</code> methods. > > > > > > > > > > > >> > > > > > * > > > > > > > > > > > >> > > > > > * @param request servlet request > > > > > > > > > > > >> > > > > > * @param response servlet response > > > > > > > > > > > >> > > > > > * @throws ServletException if a > > > > > servlet-specific > > > > > > > > error > > > > > > > > > > > occurs > > > > > > > > > > > >> > > > > > * @throws IOException if an I/O error > > > occurs > > > > > > > > > > > >> > > > > > */ > > > > > > > > > > > >> > > > > > protected void > > > > processRequest(HttpServletRequest > > > > > > > > > request, > > > > > > > > > > > >> > > > > > HttpServletResponse response) > > > > > > > > > > > >> > > > > > throws ServletException, > IOException { > > > > > > > > > > > >> > > > > > String requestUrl = > > > > > > > > > request.getRequestURL().toString(); > > > > > > > > > > > >> > > > > > if > > > > > > > > > (requestUrl.contains(".well-known/acme-challenge/")) > > > > > > > > > > { > > > > > > > > > > > >> > > > > > int indexFilename = > > > > > > requestUrl.lastIndexOf("/") > > > > > > > + > > > > > > > > 1; > > > > > > > > > > > >> > > > > > boolean wasError = true; > > > > > > > > > > > >> > > > > > if (indexFilename > 0 && > > indexFilename < > > > > > > > > > > > >> > requestUrl.length()) { > > > > > > > > > > > >> > > > > > String filename = > > > > > > > > > > requestUrl.substring(indexFilename); > > > > > > > > > > > >> > > > > > File existingFile = new > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > File("/tmp/letsencrypt/public_html/.well-known/acme-challenge/" > > > > > > > > > > > >> + > > > > > > > > > > > >> > > > > > filename); > > > > > > > > > > > >> > > > > > if (existingFile.exists()) { > > > > > > > > > > > >> > > > > > > > > response.setContentType("text/plain"); > > > > > > > > > > > >> > > > > > OutputStream out = > > > > > > > response.getOutputStream(); > > > > > > > > > > > >> > > > > > FileInputStream in = new > > > > > > > > > > > >> FileInputStream(existingFile); > > > > > > > > > > > >> > > > > > > > > > > > > FilesOperations.inputStreamToOutputStream(in, > > > > > > > > > > out); > > > > > > > > > > > >> > > > > > wasError = false; > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > if (wasError) { > > > > > > > > > > > >> > > > > > throw new > ServletException("invalid > > > > > > requestUrl > > > > > > > > " + > > > > > > > > > > > >> > > requestUrl); > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > from FilesOperations: > > > > > > > > > > > >> > > > > > public static void > > > > > > > > > > inputStreamToOutputStream(InputStream > > > > > > > > > > > >> in, > > > > > > > > > > > >> > > > > > OutputStream out) throws IOException { > > > > > > > > > > > >> > > > > > try { > > > > > > > > > > > >> > > > > > byte[ ] buf = new byte[32 * > > > 1024]; > > > > > // > > > > > > > 32K > > > > > > > > > > buffer > > > > > > > > > > > >> > > > > > int bytesRead; > > > > > > > > > > > >> > > > > > while ((bytesRead = > > in.read(buf)) > > > != > > > > > > -1) { > > > > > > > > > > > >> > > > > > out.write(buf, 0, > > bytesRead); > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > } finally { > > > > > > > > > > > >> > > > > > if (in != null) { > > > > > > > > > > > >> > > > > > in.close(); > > > > > > > > > > > >> > > > > > out.close(); > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > } > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > *Long*: > > > > > > > > > > > >> > > > > > > > SSL certificates have a period of > > > expiration > > > > > and > > > > > > > in > > > > > > > > > the > > > > > > > > > > > >> case of > > > > > > > > > > > >> > > > > > > > Letsencrypt, it's set to 3 months as > > they > > > > > think > > > > > > > > > everyone > > > > > > > > > > > >> should > > > > > > > > > > > >> > > > have > > > > > > > > > > > >> > > > > > the > > > > > > > > > > > >> > > > > > > > renewal mechanism automatically. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > As the Letsencrypt is the most popular > > SSL > > > > > > issuing > > > > > > > > > > > authority > > > > > > > > > > > >> > > > (source: > > > > > > > > > > > >> > > > > > > > > > > > https://trends.builtwith.com/ssl/LetsEncrypt > > > > > > ), I > > > > > > > > > think > > > > > > > > > > > >> Tomcat > > > > > > > > > > > >> > > > > should > > > > > > > > > > > >> > > > > > > have > > > > > > > > > > > >> > > > > > > > an integration with Letsencrypt > working > > > > > > > flawlessly. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > We are currently using the script to > > renew > > > > the > > > > > > > > > > certificate > > > > > > > > > > > >> (I > > > > > > > > > > > >> > can > > > > > > > > > > > >> > > > > share > > > > > > > > > > > >> > > > > > > our > > > > > > > > > > > >> > > > > > > > integration details with whoever is > > > > > interested, > > > > > > > > please > > > > > > > > > > > >> email me > > > > > > > > > > > >> > > if > > > > > > > > > > > >> > > > > you > > > > > > > > > > > >> > > > > > > are > > > > > > > > > > > >> > > > > > > > interested), but it's restarting > Tomcat. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > As Tomcat shall not be restarted ever > > > > > > (ideally), I > > > > > > > > > think > > > > > > > > > > > >> Tomcat > > > > > > > > > > > >> > > > > should > > > > > > > > > > > >> > > > > > > have > > > > > > > > > > > >> > > > > > > > an option to reload certificate, > > without a > > > > > > > > dependency > > > > > > > > > to > > > > > > > > > > > >> Tomcat > > > > > > > > > > > >> > > > > source > > > > > > > > > > > >> > > > > > > code > > > > > > > > > > > >> > > > > > > > and "hacks" like some available on > > > > > > StackOverflow: > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates > > > > > > > > > > > >> > > > > > > ). > > > > > > > > > > > >> > > > > > > > Those hacks are no good as: > > > > > > > > > > > >> > > > > > > > 1) code to reload certificate should > not > > > run > > > > > > > inside > > > > > > > > > Java > > > > > > > > > > > >> code, > > > > > > > > > > > >> > as > > > > > > > > > > > >> > > > > > > > letsencrypt is invoked through Linux > > > > > > > > > > > >> > > > > > > > 2) each application uses that > > > Stackoverflow > > > > > hack > > > > > > > > have > > > > > > > > > > > >> > additional > > > > > > > > > > > >> > > > > > compile > > > > > > > > > > > >> > > > > > > > and run dependency set to Tomcat > (which > > is > > > > > very > > > > > > > > bad). > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > I have a proposal on how this should > be > > > > fixed: > > > > > > > > Tomcat > > > > > > > > > > > should > > > > > > > > > > > >> > > have a > > > > > > > > > > > >> > > > > > > > server.xml options something like > > > > > > > > > > > >> certificateReloadAfterDays or > > > > > > > > > > > >> > > > > > > > reloadAfterDays > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > I see this is moved to SSLHostConfig, > we > > > are > > > > > > still > > > > > > > > > using > > > > > > > > > > > old > > > > > > > > > > > >> > > > params. > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > Do you agree on this feature? > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > If so... I'm not lazy to try to do it > > > > myself, > > > > > > but > > > > > > > > as I > > > > > > > > > > > >> haven't > > > > > > > > > > > >> > > ever > > > > > > > > > > > >> > > > > > > written > > > > > > > > > > > >> > > > > > > > Tomcat code neither know procedures (I > > > have > > > > > been > > > > > > > > > coding > > > > > > > > > > > >> > > > > professionally > > > > > > > > > > > >> > > > > > > > since 2006, but I never committed to > > Maven > > > > or > > > > > > Git > > > > > > > > > > project > > > > > > > > > > > >> > before, > > > > > > > > > > > >> > > > > lol), > > > > > > > > > > > >> > > > > > > is > > > > > > > > > > > >> > > > > > > > there someone else who is keen on > doing > > > this > > > > > > > > feature? > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > Have a look at this: > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > http://tomcat.apache.org/presentations.html#latest-lets-encrypt > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > -chris > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > > > > > > >> > > > > > > To unsubscribe, e-mail: > > > > > > > > > dev-unsubscr...@tomcat.apache.org > > > > > > > > > > > >> > > > > > > For additional commands, e-mail: > > > > > > > > > > dev-h...@tomcat.apache.org > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > < > > > > > > https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon > > > > > > > Virus-free. > > > www.avast.com > > > < > > > > > > https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link > > > > > > > <#m_-1856320879832207330_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > > > > > >
