https://bz.apache.org/bugzilla/show_bug.cgi?id=65770
--- Comment #9 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Mark Thomas from comment #8)
> I've been discussing this with the users recently and came up with the
> following approach.
>
> - Lifecycle listener that ships with Tomcat
> - Every X minutes (driven by background process but customisable so checks
>   don't happen every time the background process runs)
> - Checks expiry time of each cert.
> - For each cert with less than Y days reload TLS config

Why have this "must be less than Y days-to-expiration" predicate? Why not just
always-reload if e.g. the source timestamp has changed? There are many reasons
to swap-out certificates that are not expiring.

We probably should make sure the file is at least X ms old to prevent trying to
reload a file that is in the process of being re-written.

> - If cert still has less than Y days remaining, log a warning

I think this will fill the logs.
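
An added sketch of the check suggested in this comment (reload when the source file's timestamp has changed, but only once the file is at least X ms old), using only JDK classes. It is not Tomcat code or code from this thread; the class and method names, the sample file and the 5-second quiet period are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.time.*;
import java.util.*;

/** Added illustration; class and method names are hypothetical, not Tomcat API. */
public class CertFileChangeCheck {
    private final Duration quietPeriod;                         // the "at least X ms old" rule
    private final Map<Path, FileTime> loaded = new HashMap<>(); // mtime at last (re)load

    public CertFileChangeCheck(Duration quietPeriod) { this.quietPeriod = quietPeriod; }

    /** Record the file's timestamp as it was when the TLS config was loaded. */
    public void markLoaded(Path file) throws IOException {
        loaded.put(file, Files.getLastModifiedTime(file));
    }

    /** True only if the file changed since the last load and has been stable for quietPeriod. */
    public boolean shouldReload(Path file, Instant now) {
        FileTime mtime;
        try {
            mtime = Files.getLastModifiedTime(file);
        } catch (IOException e) {
            return false; // missing or unreadable, e.g. mid-replacement: keep the current cert
        }
        if (mtime.equals(loaded.get(file))) {
            return false; // unchanged since the last load, whatever its expiry date
        }
        // Changed: only reload once the last write is older than the quiet period.
        return !mtime.toInstant().plus(quietPeriod).isAfter(now);
    }

    public static void main(String[] args) throws IOException {
        Path cert = Files.createTempFile("constructed-cert", ".pem"); // constructed sample file
        CertFileChangeCheck check = new CertFileChangeCheck(Duration.ofSeconds(5));
        Instant t0 = Instant.parse("2022-01-01T00:00:00Z");
        Files.setLastModifiedTime(cert, FileTime.from(t0));
        check.markLoaded(cert);
        System.out.println(check.shouldReload(cert, t0.plusSeconds(60)));    // file untouched

        Files.setLastModifiedTime(cert, FileTime.from(t0.plusSeconds(100))); // simulated rewrite
        System.out.println(check.shouldReload(cert, t0.plusSeconds(102)));   // rewritten 2 s ago
        System.out.println(check.shouldReload(cert, t0.plusSeconds(110)));   // rewritten 10 s ago
        Files.delete(cert);
    }
}
```

After a successful reload the caller would call `markLoaded` again, so each file change triggers one reload and one log line rather than one per background cycle.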