Re: Tomcat manager keystore reload

2019-07-30 Thread logo
Chris,

Now this is taking a weird direction…


> On 30.07.2019 at 16:57, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> 
> Peter,
> 
> On 7/30/19 05:19, logo wrote:
>> Hi Chris,
>> 
>> I am also trying to figure this out and get to the same error.
>> 
>>> On 25.07.2019 at 17:53, Joseph Dornisch <kingcanut...@gmail.com> wrote:
>>> 
>>> Hello,
>>> 
>>> I have a CRL configured in my tomcat server configuration. If I
>>> update it and want to have Tomcat refresh it, I can login into 
>>> https://127.0.0.1/manager/html  and click 
>>> the "Re-read" button
>>> under "Configuration->Re-read TLS configuration files" and this
>>> causes my CRL to be reread. It works great.
>>> 
>>> However, I have read here, "
>>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encr

>> If I query with the jmxproxy-Servlet I get to
>> Catalina:type=ProtocolHandler,port=8443, but I cannot figure out
>> the necessary address. How can I find it? Once I add an address
>> (127.0.0.1, localhost or DNS names...), I get exactly "OK - Number of
>> results: 0". That may be the cause of the above
>> java.lang.NullPointerException.
>> 
>> If I omit the address I get a detailed stacktrace, with all
>> sorts of IO exceptions/Illegal argument exceptions that relate to
>> the actual code of AbstractJsseEndpoint/AbstractEndpoint and
>> reloadSslHostConfigs.
>> 
>> Could you please help us here? If I only want to reload one
>> specific HostConfig, how do I set the hostname parameter?
>> 
>> I looked at your letsencrypt script
>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/lets-encrypt-renew.sh,
>> but that requires the address already as a parameter...
> 
> The best thing to do is connect with a JMX client such as VisualVM or
> perhaps one that your IDE provides. If you connect, you can see what
> JMX paths are actually available instead of just guessing at them.
> 
> Use the screenshots in the Let's Encrypt presentation (and possibly
> the related screenshots in the "Monitoring Apache Tomcat with JMX"
> presentation as well) to help you find the correct protocol handler path.
> 

I used jconsole to get to the ProtocolHandler. There is an error opening the panel:
"Error setting Operation panel :org.apache.tomcat.util.net.SSLHostConfig"

And if I reload the SSLHostConfigs with the panel button I get the 
IllegalStateException - again.

Now before you ask, here is my config:


  
  

  
  

  
  

  
  

  
  

  


Any idea why?

Thanks

Peter

> -chris
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat manager keystore reload

2019-07-30 Thread Christopher Schultz

Joseph,

On 7/29/19 13:55, Joseph Dornisch wrote:
>> Joseph,
>> 
>> On 7/25/19 11:53, Joseph Dornisch wrote:
>>> Hello,
>>> 
>>> I have a CRL configured in my tomcat server configuration. If
>>> I update it and want to have Tomcat refresh it, I can login
>>> into https://127.0.0.1/manager/html and click the "Re-read"
>>> button under "Configuration->Re-read TLS configuration files"
>>> and this causes my CRL to be reread. It works great.
>>> 
>>> However, I have read here, "
>>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
>>> on page 34 you can do basically the same thing with a command something
>>> like:
>>> https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs
>>> 
>>> When I do this, I get back:
>>> 
>>> Error - java.lang.NullPointerException
>>> java.lang.NullPointerException at
>>> org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>> 
>> What is the port number and bind-address of your protocol handler?
> 
> Is this different than the web server? I directed it to use 443, as
> I am running tomcat https out of 443. I also just specified the
> local machine name. I think I tried a few things here. Is there a
> good way to look up what these should be if they are different than
> how you access tomcat in general?
> 
>>> Is this command supposed to work in Tomcat 8.5.43? Is there a
>>> different command? Short of this, the only way to force reload
>>> without manual intervention seems to be to login to the
>>> manager from code, and then execute
>>> https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=
>> 
>> The URL you have above (if correct) is using the manager to do
>> the same thing using the JMX proxy that you are doing with the
>> manager GUI.
> 
> It's only incorrect in that I changed the 'NONCE' to text for the
> purpose of hopefully making it more readable here. It does work to
> reload the configuration (and specifically reread my CRL files).
> 
>> 
>>> I've seen that I might also write some code that Tomcat itself 
>>> would run periodically to refresh the SSL configuration. Could 
>>> anyone provide any ideas here?
>> 
>> You can do it, but IMO it's better to trigger it externally,
>> assuming that you are already deploying the manager app and the
>> JMX proxy servlet
> 
> Apparently we might have security issues if we run the manager
> application in production so right now I am planning on extending
> the Http11NioProtocol class to periodically refresh as is done in: 
> https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted

I would reconsider using manager+JMX. You can lock it down a bit so
that it will e.g. only accept connections from localhost and you can
put a password on it. Your scripts will have to contain that password
but you can make sure those scripts are only readable by e.g. the
Tomcat user and you should be okay.

> Thank you for responding Chris, if you have any additional advice,
> I'd be very happy to read it. (or if anyone else wants to add
> advice, I'd be happy to read that as well).


Please see my reply under the original thread. I think it will help.

-chris

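Chris's advice above (manager reachable from localhost only, a password on it, renewal scripts readable only by the Tomcat user) is the server-side half of the lockdown; the renewal hook that calls jmxproxy has to respect the same constraints from its side. As an added example, not code from this thread or from Tomcat, the Python below sketches such a hook: it refuses a credentials file that group or other can read, refuses any manager URL whose host is not loopback, sends HTTP Basic credentials to the invoke endpoint and reads the "OK - "/"Error - " prefix of the reply. The transport is injectable, so the offline run uses a constructed fake reply. The credentials file format, the user name, the password and the manager URL are all constructed; the matching server configuration (a RemoteAddrValve on the manager context, a user with the manager-jmx role in tomcat-users.xml) is standard Tomcat configuration and not shown.

```python
import base64
import os
import stat
import urllib.parse
import urllib.request

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def is_private(mode):
    """True when no group/other permission bit is set (0600 or tighter)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def parse_credentials(text):
    """Credentials file holds a single 'user:password' line (constructed format)."""
    user, sep, password = text.strip().partition(":")
    if not sep or not user or not password:
        raise ValueError("expected a user:password line")
    return user, password


def load_credentials(path):
    """Refuse a credentials file that accounts other than the owner can read."""
    mode = os.stat(path).st_mode
    if not is_private(mode):
        raise PermissionError(f"{path} is readable by group/other (mode {stat.S_IMODE(mode):o})")
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())


def is_loopback(url):
    """Only talk to a manager bound to the loopback interface."""
    return urllib.parse.urlsplit(url).hostname in LOOPBACK_HOSTS


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def http_fetch(url, headers):
    """Real transport: a GET with the given headers, body returned as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def response_ok(text):
    """jmxproxy replies start with 'OK - ' on success and 'Error - ' otherwise."""
    return text.startswith("OK - ")


def reload_tls(base_url, object_name, creds, fetch=http_fetch):
    """Invoke reloadSslHostConfigs on the named ProtocolHandler MBean.
    Returns (success, reply text); raises on a non-loopback manager URL."""
    if not is_loopback(base_url):
        raise ValueError("the manager must be reached over loopback only")
    query = urllib.parse.urlencode({"invoke": object_name, "op": "reloadSslHostConfigs"},
                                   quote_via=urllib.parse.quote)
    url = base_url.rstrip("/") + "/jmxproxy?" + query
    text = fetch(url, {"Authorization": basic_auth_header(*creds)})
    return response_ok(text), text


class FakeFetch:
    """Constructed offline transport: records each request and answers the
    way jmxproxy reports a void operation."""
    def __init__(self, reply):
        self.reply = reply
        self.calls = []

    def __call__(self, url, headers):
        self.calls.append((url, headers))
        return self.reply


def demo_run():
    """Offline run against the fake transport; returns (success, url, auth header)."""
    fake = FakeFetch("OK - Operation reloadSslHostConfigs without return value\n")
    ok, _ = reload_tls("https://127.0.0.1:8443/manager",
                       "Catalina:type=ProtocolHandler,port=8443",
                       ("reload", "s3cret"), fetch=fake)
    url, headers = fake.calls[0]
    return ok, url, headers["Authorization"]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        creds_path = os.path.join(tmp, "manager-creds")  # constructed
        with open(creds_path, "w", encoding="utf-8") as fh:
            fh.write("reload:s3cret\n")
        os.chmod(creds_path, 0o600)
        print("loaded user:", load_credentials(creds_path)[0])
    print(demo_run())
```

Swap FakeFetch for the default http_fetch to run it against a real manager; the permission and loopback checks are what keep the password out of other accounts' reach and the manager off the network, which is the trade Chris describes against writing reload code into Tomcat itself.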



Re: Tomcat manager keystore reload

2019-07-30 Thread Christopher Schultz

Peter,

On 7/30/19 05:19, logo wrote:
> Hi Chris,
> 
> I am also trying to figure this out and get to the same error.
> 
>> On 25.07.2019 at 17:53, Joseph Dornisch wrote:
>> 
>> Hello,
>> 
>> I have a CRL configured in my tomcat server configuration. If I
>> update it and want to have Tomcat refresh it, I can login into 
>> https://127.0.0.1/manager/html and click the "Re-read" button
>> under "Configuration->Re-read TLS configuration files" and this
>> causes my CRL to be reread. It works great.
>> 
>> However, I have read here, "
>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
>> on page 34 you can do basically the same thing with a command something
>> like:
>> https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs
>> 
>> When I do this, I get back:
>> 
>> Error - java.lang.NullPointerException
>> java.lang.NullPointerException
>> at org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>> at org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyServlet.java:207)
>> at org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.java:116)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at com.arl.servlet.core.filters.AbstractRedirectFilter.doFilter(AbstractRedirectFilter.java:250)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at com.arl.servlet.core.filters.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:356)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at com.arl.servlet.core.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:128)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
>> at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:348)
>> at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:52)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
>> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
>> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:748)
>> 
>> Is this command supposed to work in Tomcat 8.5.43? Is there a
>> 

Re: Tomcat manager keystore reload

2019-07-30 Thread logo
Hi Chris, 

I am also trying to figure this out and get to the same error. 

> On 25.07.2019 at 17:53, Joseph Dornisch wrote:
> 
> Hello,
> 
> I have a CRL configured in my tomcat server configuration. If I update it
> and want to have Tomcat refresh it, I can login into
> https://127.0.0.1/manager/html and click the "Re-read" button under
> "Configuration->Re-read TLS configuration files" and this causes my CRL to
> be reread. It works great.
> 
> However, I have read here, "
> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
> on page 34 you can do basically the same thing with a command something
> like:
> https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs
> 
> When I do this, I get back:
> 
> Error - java.lang.NullPointerException
> java.lang.NullPointerException
> at 
> org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
> at 
> org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyServlet.java:207)
> at org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.java:116)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> com.arl.servlet.core.filters.AbstractRedirectFilter.doFilter(AbstractRedirectFilter.java:250)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> com.arl.servlet.core.filters.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:356)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> com.arl.servlet.core.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:128)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
> at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
> at 
> org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:348)
> at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:52)
> at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
> at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
> at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
> at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
> at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
> at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> 
> Is this command supposed to work in Tomcat 8.5.43? Is there a different
> command? Short of this, the only way to force reload without manual
> intervention seems to be to login to the manager from code, and then execute
> https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=
> 
> 
> 

Re: Tomcat manager keystore reload

2019-07-29 Thread Joseph Dornisch
> Joseph,
>
> On 7/25/19 11:53, Joseph Dornisch wrote:
> > Hello,
> >
> > I have a CRL configured in my tomcat server configuration. If I
> > update it and want to have Tomcat refresh it, I can login into
> > https://127.0.0.1/manager/html and click the "Re-read" button
> > under "Configuration->Re-read TLS configuration files" and this
> > causes my CRL to be reread. It works great.
> >
> > However, I have read here, "
> > https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
> > on page 34 you can do basically the same thing with a command something
> > like:
> > https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs
> >
> > When I do this, I get back:
> >
> > Error - java.lang.NullPointerException
> > java.lang.NullPointerException at
> > org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>
> What is the port number and bind-address of your protocol handler?

Is this different than the web server? I directed it to use 443, as I am
running tomcat https out of 443. I also just specified the local machine
name. I think I tried a few things here. Is there a good way to look up
what these should be if they are different than how you access tomcat in
general?

>
> > Is this command supposed to work in Tomcat 8.5.43? Is there a
> > different command? Short of this, the only way to force reload
> > without manual intervention seems to be to login to the manager
> > from code, and then execute
> > https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=
>
> The URL you have above (if correct) is using the manager to do the
> same thing using the JMX proxy that you are doing with the manager GUI.

It's only incorrect in that I changed the 'NONCE' to text for the purpose
of hopefully making it more readable here. It does work to reload the
configuration (and specifically reread my CRL files).

>
> > I've seen that I might also write some code that Tomcat itself
> > would run periodically to refresh the SSL configuration. Could
> > anyone provide any ideas here?
>
> You can do it, but IMO it's better to trigger it externally, assuming
> that you are already deploying the manager app and the JMX proxy servlet

Apparently we might have security issues if we run the manager application
in production so right now I am planning on extending the Http11NioProtocol
class to periodically refresh as is done in:
https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted

Thank you for responding Chris, if you have any additional advice, I'd be
very happy to read it. (or if anyone else wants to add advice, I'd be happy
to read that as well).
>
> -chris


Re: Tomcat manager keystore reload

2019-07-27 Thread Christopher Schultz

Joseph,

On 7/25/19 11:53, Joseph Dornisch wrote:
> Hello,
> 
> I have a CRL configured in my tomcat server configuration. If I
> update it and want to have Tomcat refresh it, I can login into 
> https://127.0.0.1/manager/html and click the "Re-read" button
> under "Configuration->Re-read TLS configuration files" and this
> causes my CRL to be reread. It works great.
> 
> However, I have read here, "
> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
> on page 34 you can do basically the same thing with a command something
> like:
> https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs
> 
> When I do this, I get back:
> 
> Error - java.lang.NullPointerException
> java.lang.NullPointerException at
> org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)

What is the port number and bind-address of your protocol handler?

> Is this command supposed to work in Tomcat 8.5.43? Is there a
> different command? Short of this, the only way to force reload
> without manual intervention seems to be to login to the manager
> from code, and then execute
> https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=

The URL you have above (if correct) is using the manager to do the
same thing using the JMX proxy that you are doing with the manager GUI.

> I've seen that I might also write some code that Tomcat itself
> would run periodically to refresh the SSL configuration. Could
> anyone provide any ideas here?

You can do it, but IMO it's better to trigger it externally, assuming
that you are already deploying the manager app and the JMX proxy servlet.

-chris



Tomcat manager keystore reload

2019-07-25 Thread Joseph Dornisch
Hello,

I have a CRL configured in my tomcat server configuration. If I update it
and want to have Tomcat refresh it, I can login into
https://127.0.0.1/manager/html and click the "Re-read" button under
"Configuration->Re-read TLS configuration files" and this causes my CRL to
be reread. It works great.

However, I have read here, "
https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
on page 34 you can do basically the same thing with a command something
like:
https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs

When I do this, I get back:

Error - java.lang.NullPointerException
java.lang.NullPointerException
at 
org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
at 
org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyServlet.java:207)
at 
org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
com.arl.servlet.core.filters.AbstractRedirectFilter.doFilter(AbstractRedirectFilter.java:250)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
com.arl.servlet.core.filters.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:356)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
com.arl.servlet.core.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:128)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
at 
org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:348)
at 
org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:52)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at 
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Is this command supposed to work in Tomcat 8.5.43? Is there a different
command? Short of this, the only way to force reload without manual
intervention seems to be to login to the manager from code, and then execute
https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=