Re: Recognizing Certificate Updates

2020-12-28 Thread Christopher Schultz

Jerry,

On 12/28/20 13:56, Jerry Malcolm wrote:
Thanks for the info.  I'll try to figure out a way to integrate this. 
The problem is that I don't really know when the certs get regen'd.  I 
have a daily cron job that calls certbot to renew. But it only renews 
when it decides it's time to renew.  TC is so good about monitoring 
other folders for changes such as war files, jar files, etc and 
automatically refreshing when it detects a file update.  I was just 
hoping that there was something buried inside TC that I had missed that 
tells TC to monitor the certs and refresh if the certs are updated.


Check out this presentation which includes scripts for this kind of 
thing. It shows how to detect that the LE key+cert have been actually 
updated. It also shows how to re-package those PEM files as a PKCS12 
keystore (or JKS if you like that kind of thing) and how to trigger a 
reload of the TLS configuration (including the keys + certificates).


https://tomcat.apache.org/presentations.html#latest-lets-encrypt

-chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Recognizing Certificate Updates

2020-12-28 Thread Christopher Schultz

Mladen,

On 12/26/20 13:25, Mladen Adamović wrote:

If you set up tomcat manager up, you can reload certificate with something
like
Stop Connector – curl "http://localhost:8080/manager/jmxproxy?invoke=Catalina%3Atype%3DConnector%2Cport%3D8443&op=stop"
Start Connector – curl "http://localhost:8080/manager/jmxproxy?invoke=Catalina%3Atype%3DConnector%2Cport%3D8443&op=start"
(source:
http://people.apache.org/~schultz/ApacheCon%20NA%202017/Let's%20Encrypt%20Apache%20Tomcat.pdf)

This is probably faster than reboot the whole tomcat, I haven't tried it.


It's very much faster than "rebooting" whether you mean rebooting the 
whole server or just restarting the Tomcat service. Not only that, but 
no in-flight requests or even those queued in the TCP/IP stack's backlog 
will be dropped. It really is a zero-downtime solution.



This looks imperfect as hell.


What is imperfect about it? Sure, it's not 100% automatic, but at least 
it's possible. Even Apache httpd can't do what we are doing.



Honestly, I thought that reloadAfterNDays param to server.xml would be
better, but admins didn't have an understanding on this topic.


Don't be a jerk. We understand it. We are just saying that we want it 
built in stages. If you want radical changes, you'll need to work on a 
server without a decades-long history of being stable and reliable.


Thanks,
-chris


Re: Recognizing Certificate Updates

2020-12-28 Thread Jerry Malcolm
Thanks for the info.  I'll try to figure out a way to integrate this.  
The problem is that I don't really know when the certs get regen'd.  I 
have a daily cron job that calls certbot to renew. But it only renews 
when it decides it's time to renew.  TC is so good about monitoring 
other folders for changes such as war files, jar files, etc and 
automatically refreshing when it detects a file update.  I was just 
hoping that there was something buried inside TC that I had missed that 
tells TC to monitor the certs and refresh if the certs are updated.


On 12/28/2020 4:12 AM, logo wrote:

Jerry,

The quotes were messed up.

See the correct command below inline.


On 28.12.2020 at 11:10, logo wrote:

Jerry,

Try this after regenerating the LE certs

curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfigs"

for all domains or

curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfig&ps=<hostName to reload>"

for just the needed domain.

Adjust the port to your SSL-Connector.

Add a  to tomcat-users.xml


Beware not to open the Manager App to the public - just localhost.

HTH

Peter



Re: Recognizing Certificate Updates

2020-12-28 Thread logo
Jerry,

The quotes were messed up.

See the correct command below inline.

> On 28.12.2020 at 11:10, logo wrote:
> 
> Jerry,
> 
> Try this after regenerating the LE certs
> 
> curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfigs"
> 
> for all domains or
> 
> curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfig&ps=<hostName to reload>"
> 
> for just the needed domain.
> 
> Adjust the port to your SSL-Connector.
> 
> Add a  to tomcat-users.xml
>
> 
> Beware not to open the Manager App to the public - just localhost. 
> 
> HTH
> 
> Peter
> 
> 

Re: Recognizing Certificate Updates

2020-12-28 Thread logo
Jerry,

Try this after regenerating the LE certs

curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfigs“

for all domains or

curl -u <user>:<password> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfig&ps=<hostName to reload>“

for just the needed domain.

Adjust the port to your SSL-Connector.

Add a  to tomcat-users.xml


Beware not to open the Manager App to the public - just localhost. 

HTH

Peter


> On 26.12.2020 at 18:42, Jerry Malcolm wrote:
> 
> We have a production environment where we rarely reboot Tomcat. LetsEncrypt 
> auto-updates the certificates every couple of months. But the new 
> certificates are not loaded into Tomcat.  So when the original expiration 
> date of the certs arrives, users get "certificate expired" even though new 
> certs exist.  A simple reboot to load the new certs fixes it.  But we want to 
> avoid reboots.  Are there any config parameters that tell TC to check for 
> cert updates and reload the new certs?  Thx
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
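The detect / repackage / reload sequence that Chris's presentation describes and that Peter's jmxproxy calls perform, as an added example in shell (not code from the thread, certbot or Tomcat); it runs as a certbot deploy hook or from the daily cron job Jerry describes, because it only acts when the key and chain files actually changed. The certbot live directory, keystore path, state file and the MANAGER_USER, MANAGER_PASS and KEYSTORE_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): only when certbot really wrote a new
# key+cert, repackage them as the PKCS12 keystore Tomcat reads, then call the
# Manager jmxproxy to reload the SSLHostConfigs without a restart.
# All paths and credential variables below are assumptions, not page values.
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/example.com}"          # assumed
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/keystore.p12}"            # assumed
STATE_FILE="${STATE_FILE:-/var/lib/tomcat-cert-reload/last.sha}" # assumed
JMX_BASE="${JMX_BASE:-https://localhost:8443/manager/jmxproxy}"  # as in the thread
TLS_PORT="${TLS_PORT:-8443}"

digest() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; }

# Fingerprint key + full chain together: certbot rewrites both on renewal.
cert_fingerprint() { cat "$1/privkey.pem" "$1/fullchain.pem" | digest | cut -d' ' -f1; }

# True (exit 0) when the live files differ from the fingerprint recorded
# at the last successful reload; a missing state file counts as changed.
cert_changed() {
    new=$(cert_fingerprint "$1")
    old=$(cat "$2" 2>/dev/null || echo none)
    [ "$new" != "$old" ]
}

# jmxproxy URL: reload one host (op=reloadSslHostConfig, ps=<hostName>) or
# every host (op=reloadSslHostConfigs) when no hostName is given.
reload_url() {
    if [ -n "${2:-}" ]; then
        printf '%s?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfig&ps=%s' "$JMX_BASE" "$1" "$2"
    else
        printf '%s?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfigs' "$JMX_BASE" "$1"
    fi
}

# PEM -> PKCS12 (password from the assumed KEYSTORE_PASS variable), atomic
# swap, reload via a tomcat-users.xml user holding the manager-jmx role,
# and only then record what was deployed.
deploy() {
    cert_changed "$LE_LIVE" "$STATE_FILE" || { echo "certs unchanged, nothing to do"; return 0; }
    openssl pkcs12 -export -in "$LE_LIVE/fullchain.pem" -inkey "$LE_LIVE/privkey.pem" \
        -name tomcat -passout env:KEYSTORE_PASS -out "$KEYSTORE.tmp"
    mv "$KEYSTORE.tmp" "$KEYSTORE"
    curl -fsS -u "$MANAGER_USER:$MANAGER_PASS" "$(reload_url "$TLS_PORT" "${TLS_HOST:-}")"
    cert_fingerprint "$LE_LIVE" > "$STATE_FILE"
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Point certbot at it with `--deploy-hook "/path/to/script deploy"`, or run the same command from the cron job after `certbot renew`; the fingerprint check makes the second form safe to repeat daily.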