Paul,
On 1/4/18 12:50 AM, Paul Beard wrote:
>
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>
>> In there, I detail how to put everything together. There is a
>> script that builds a Java keystore that Tomcat can use. That
>> script demonstrates how to take an existing
>> key+certificate+chain, convert it into a Java keystore and then
>> make it active. The script actually requests a renewal of the
>> certificate from Let's Encrypt (which may say "no renewal
>> required") and then only re-builds the keystore if the key/cert
>> have actually changed.
>
> This looks great but I suspect my problems are more basic, like
> getting *any* cert to be honored, even a self-signed one.

Were you able to get Let's Encrypt to generate a key and LE-signed
certificate? If not, that's obviously the first step. You don't need TLS
working in order to get an LE-signed certificate. Slide #20 has the
command you need to run in order to get an initial certificate. Slides
16-19 cover the iptables routing required to allow LE to connect over
port 80/443 when Tomcat is binding to port 8080/8443.

> This step — <Connector port="8443" keystoreFile="conf/keystore.jks"
> ... /> — eludes me. I added that to an existing Connector stanza
> but I am seeing these errors which suggests (?) I did that wrong:
>
> SEVERE: Failed to initialize end point associated with
> ProtocolHandler ["http-bio-8443"] java.io.IOException: Keystore was
> tampered with, or password was incorrect

Slides 21 - 24 cover my investigation for how to replace Tomcat's
keystore while it's running in a safe-ish way. The presentation was a
bit of an explanation for how I was able to ultimately build the final
script. You don't have to perform every step in the presentation. What
you really want to do is look at slide #28 which has the overview of the
process *after* you have the first cert from LE. So, assuming you have
it, you can basically use my script directly.
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> keystoreFile="conf/keystore.jks" keystorePass="qwerty"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" />

I'd recommend that you use NIO. I'd also recommend that you upgrade from
Tomcat 7.0.x to Tomcat 8.5.x if possible. It already handles dynamic
reloading of TLS configuration so you won't need any (albeit short)
unavailability of your Tomcat instance.

> But that seems outside the scope of what I was asking. I'll take
> another look tomorrow...took entirely too long to get the symlink
> step to work as expected. Had to change to the conf directory for
> it to work. Too late in the day for this to make any sense. :)
> Thanks for the presentation. I'm sure it will make sense to me
> eventually.

Mark pointed to the Tomcat "presentations" page where you can find a
link to this LE/Tomcat presentation as well as the audio of my
presentation of these slides at ApacheCon in Miami last year. Perhaps
the audio will give you more information than is actually contained in
the slides.
Hope that helps,
-chris
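An added illustration of the renewal step the thread describes (key + certificate + chain turned into a keystore, rebuilt only when the inputs changed); this is not the script from Chris's presentation. It assumes Let's Encrypt files under LE_DIR (privkey.pem, fullchain.pem), Tomcat 8.5+ (reads PKCS12 directly and reloads TLS config), and openssl and sha256sum on PATH; the domain, paths and password are placeholders.

```shell
#!/bin/sh
# Added example, not the presentation's script. Placeholders: LE_DIR,
# KEYSTORE, STOREPASS. STOREPASS must equal keystorePass in server.xml,
# otherwise Tomcat reports "Keystore was tampered with, or password was
# incorrect" at startup.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.invalid}"
KEYSTORE="${KEYSTORE:-conf/keystore.p12}"
STAMP="${STAMP:-$KEYSTORE.inputs.sha256}"
STOREPASS="${STOREPASS:-changeit}"

# One hash over the key and the full chain: if either changes, so does this.
fingerprint_inputs() {
    cat "$1/privkey.pem" "$1/fullchain.pem" | sha256sum | cut -d' ' -f1
}

# Exit status 0 means "rebuild": no previous stamp, or the inputs changed
# since the stamp was written. Non-zero means the keystore is still current.
needs_rebuild() {
    dir=$1; stamp=$2
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" != "$(fingerprint_inputs "$dir")" ]
}

# Build a PKCS12 keystore from key + chain and swap it in with a single
# rename, so Tomcat never reads a half-written file.
build_keystore() {
    dir=$1; out=$2; pass=$3; stamp=$4
    tmp="$out.tmp.$$"
    openssl pkcs12 -export -name tomcat \
        -inkey "$dir/privkey.pem" -in "$dir/fullchain.pem" \
        -passout "pass:$pass" -out "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
    fingerprint_inputs "$dir" > "$stamp"
}

# Run after `certbot renew`; does nothing when the key/cert are unchanged.
main() {
    if needs_rebuild "$LE_DIR" "$STAMP"; then
        build_keystore "$LE_DIR" "$KEYSTORE" "$STOREPASS" "$STAMP"
        echo "keystore rebuilt: $KEYSTORE"
    else
        echo "key/cert unchanged, keystore left as is"
    fi
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Invoke as `./rebuild-keystore.sh --apply` from a cron job or certbot deploy hook; the change check runs without openssl, so the example can be exercised on constructed files first.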