updating CRL in use in tomcat
It appears that it is possible to have tomcat refresh it's CRL specified in the Connector from reading: https://bz.apache.org/bugzilla/show_bug.cgi?id=60762 The bug/feature request seems to have been fixed/implemented, but I haven't found any documentation about how to tell Tomcat when to update the relevant CRL. Do you have to override the connector class or use JMX? Or are there configuration options in the Connector itself?
recommendations for using multiple CRLs
Does this group have any recommendations for merging multiple external CRLs into one CRL for use with Tomcat, or just making Tomcat aware of multiple CRLs?
Re: Tomcat manager keystore reload
> Joseph, > > On 7/25/19 11:53, Joseph Dornisch wrote: > > Hello, > > > > I have a CRL configured in my tomcat server configuration. If I > > update it and want to have Tomcat refresh it, I can login into > > https://127.0.0.1/manager/html and click the "Re-read" button > > under "Configuration->Re-read TLS configuration files" and this > > causes my CRL to be reread. It works great. > > > > However,I have read here, " > > https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encry > pt%20Apache%20Tomcat.pdf" > > > > > on page 34 you can do basically the same thing with a command something > > like: > > https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHa > ndler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs > > > > When I do this, I get back: > > > > Error - java.lang.NullPointerException > > java.lang.NullPointerException at > > org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JM > XProxyServlet.java:264) > > What > > > is the port number and bind-address of your protocol handler? Is this different than the web server. I directed it to use 443, as I am running tomcat https out of 443. I also just specified the local machine name. I think I tried a few things here. Is there a good way to look up what these should be if they are different than how you access tomcat in genera.? > > > Is this command supposed to work in Tomcat 8.5.43? Is there a > > different command. Short of this, the only way to force reload > > without manual intervention seems to be to login to the manager > > from code, and then execute > > https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.C > SRF_NONCE= > > > > > > > The URL you have above (if correct) is using the manager to do the > same thing using the JMX proxy that you are doing with the manager GUI. It's only incorrect in that I changed the 'NONCE' to text for the purpose of hopefully making it more readable here. It does work to reload the configuration (and specifically reread my CRL files). > > > I've seen that I might also write some code that Tomcat itself > > would run periodically to refresh the SSL configuration. Could > > anyone provide any ideas here? > > You can do it, but IMO it's better to trigger it externally, assuming > that you are already deploying the manager app and the JMX proxy servlet Apparently we might have security issues if we run the manager application in production so right now I am planning on extending the Http11NioProtocol class to periodically refresh as is done in: https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted Thank you for responding Chris, if you have any additional advice, I'd be very happy to read it. (or if anyone else wants to add advice, I'd be happy to read that as well). > . > > - -chris
Tomcat manager keystore reload
Hello, I have a CRL configured in my tomcat server configuration. If I update it and want to have Tomcat refresh it, I can login into https://127.0.0.1/manager/html and click the "Re-read" button under "Configuration->Re-read TLS configuration files" and this causes my CRL to be reread. It works great. However,I have read here, " https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf" on page 34 you can do basically the same thing with a command something like: https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs When I do this, I get back: Error - java.lang.NullPointerException java.lang.NullPointerException at org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264) at org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyServlet.java:207) at org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.java:116) at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.arl.servlet.core.filters.AbstractRedirectFilter.doFilter(AbstractRedirectFilter.java:250) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.arl.servlet.core.filters.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:356) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.arl.servlet.core.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:128) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:348) at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:52) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Is this command supposed to work in Tomcat 8.5.43? Is there a different command. Short of this, the only way to force reload without manual intervention seems to be to login to the manager from code, and then execute https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=
