> Joseph,
>
> On 7/25/19 11:53, Joseph Dornisch wrote:
> > Hello,
> >
> > I have a CRL configured in my Tomcat server configuration. If I
> > update it and want to have Tomcat refresh it, I can log in to
> > https://127.0.0.1/manager/html and click the "Re-read" button
> > under "Configuration->Re-read TLS configuration files" and this
> > causes my CRL to be reread. It works great.
> >
> > However, I have read here, "https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
> > on page 34 you can do basically the same thing with a command something like:
> > https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostConfigs
> >
> > When I do this, I get back:
> >
> > Error - java.lang.NullPointerException
> > java.lang.NullPointerException at org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>
> What is the port number and bind-address of your protocol handler?

Is this different from the web server? I directed it to use 443, as I am
running Tomcat HTTPS on 443. I also just specified the local machine
name. I think I tried a few things here. Is there a good way to look up
what these should be if they are different from how you access Tomcat in
general?

>
> > Is this command supposed to work in Tomcat 8.5.43? Is there a
> > different command? Short of this, the only way to force a reload
> > without manual intervention seems to be to log in to the manager
> > from code, and then execute
> > https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=<nonce_value_from_established_session>
>
> The URL you have above (if correct) is using the manager to do the
> same thing using the JMX proxy that you are doing with the manager GUI.

It's only incorrect in that I changed the 'NONCE' to text for the purpose
of hopefully making it more readable here. It does work to reload the
configuration (and specifically reread my CRL files).

>
> > I've seen that I might also write some code that Tomcat itself
> > would run periodically to refresh the SSL configuration. Could
> > anyone provide any ideas here?
>
> You can do it, but IMO it's better to trigger it externally, assuming
> that you are already deploying the manager app and the JMX proxy servlet.

Apparently we might have security issues if we run the manager application
in production, so right now I am planning on extending the Http11NioProtocol
class to periodically refresh, as is done in:
https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted

Thank you for responding, Chris. If you have any additional advice, I'd be
very happy to read it (or if anyone else wants to add advice, I'd be happy
to read that as well).
>
> - -chris
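The two reload paths discussed in this thread, the JMX proxy invoke and the manager's sslReload URL with a CSRF nonce, scripted end to end. This is an added example written for this page; it is not code from the thread, from the slides, or from Tomcat. It assumes the manager webapp is deployed, that the account has the manager-jmx role (required for /manager/jmxproxy) or manager-gui (required for /manager/html), that Tomcat is reachable at BASE_URL with a certificate the client trusts, and that the jmxproxy output sample embedded below is constructed. Rather than guessing the ObjectName's port and address (Tomcat registers the address key only when the connector sets one, and as the bound IP rather than the hostname from server.xml), it asks jmxproxy for every ProtocolHandler first and invokes the operation on the name Tomcat actually registered.

```python
"""Trigger Tomcat's TLS configuration reload (CRLs, certificates) remotely.

Added example for the thread above; not Tomcat or the poster's code. Uses only
the Python 3 standard library so it can run from cron or a CI job.
"""
import base64
import http.cookiejar
import re
import urllib.parse
import urllib.request

BASE_URL = "https://127.0.0.1"          # assumption: the address used in the thread
JMXPROXY = "/manager/jmxproxy/"
QUERY_ALL_PROTOCOL_HANDLERS = "Catalina:type=ProtocolHandler,*"
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"

# Constructed sample of what ?qry= returns; one HTTP and one HTTPS connector.
SAMPLE_QRY_OUTPUT = (
    "OK - Number of results: 2\n\n"
    "Name: Catalina:type=ProtocolHandler,port=8080\n"
    "modelerType: org.apache.coyote.http11.Http11NioProtocol\n\n"
    'Name: Catalina:type=ProtocolHandler,port=8443,address="127.0.0.1"\n'
    "modelerType: org.apache.coyote.http11.Http11NioProtocol\n"
)


def protocol_handler_names(qry_output):
    """Exact ObjectNames Tomcat registered, taken from the 'Name:' lines of a
    jmxproxy ?qry= response. An invoke against a name that matches no MBean
    is what produces an error instead of 'OK - Operation ... returned:'."""
    return [line[len("Name: "):].strip()
            for line in qry_output.splitlines() if line.startswith("Name: ")]


def object_name_port(name):
    """Port key of a Catalina ObjectName, or None if it has no numeric port."""
    _, _, props = name.partition(":")
    for kv in props.split(","):
        key, _, value = kv.partition("=")
        if key == "port" and value.isdigit():
            return int(value)
    return None


def query_url(base_url, query):
    return base_url + JMXPROXY + "?qry=" + urllib.parse.quote(query, safe="")


def invoke_url(base_url, object_name, operation):
    """jmxproxy invoke URL; the ObjectName is fully percent-encoded, so
    ':' '=' ',' and '"' become %3A %3D %2C %22 exactly as in the thread's URL."""
    return (base_url + JMXPROXY + "?invoke=" + urllib.parse.quote(object_name, safe="")
            + "&op=" + urllib.parse.quote(operation, safe=""))


def extract_csrf_nonce(manager_html):
    """Nonce the manager embeds in its own links; it is only valid for the
    session that received it, so the follow-up request must reuse the cookies."""
    m = re.search(re.escape(NONCE_PARAM) + r"=([0-9A-Fa-f]+)", manager_html)
    return m.group(1) if m else None


def _opener(user, password):
    """Basic auth on every request plus a cookie jar so the session persists."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    opener.addheaders = [("Authorization", "Basic " + token)]
    return opener


def _get(opener, url):
    with opener.open(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def reload_via_jmxproxy(base_url, user, password, tls_port):
    """Discover the ProtocolHandler for tls_port, then invoke reloadSslHostConfigs.
    Returns the jmxproxy response text, which begins with 'OK - ' on success."""
    opener = _opener(user, password)
    names = protocol_handler_names(_get(opener, query_url(base_url, QUERY_ALL_PROTOCOL_HANDLERS)))
    name = next((n for n in names if object_name_port(n) == tls_port), None)
    if name is None:
        raise LookupError("no ProtocolHandler on port %d; registered: %s" % (tls_port, names))
    return _get(opener, invoke_url(base_url, name, "reloadSslHostConfigs"))


def reload_via_manager_html(base_url, user, password):
    """The thread's workaround: fetch /manager/html for a nonce, then call
    sslReload with that nonce inside the same session."""
    opener = _opener(user, password)
    nonce = extract_csrf_nonce(_get(opener, base_url + "/manager/html"))
    if nonce is None:
        raise LookupError("no CSRF nonce found in the manager page")
    return _get(opener, base_url + "/manager/html/sslReload?" + NONCE_PARAM + "=" + nonce)


if __name__ == "__main__":
    import sys
    user, password, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(reload_via_jmxproxy(BASE_URL, user, password, port))
```

Run it as `python3 reload_tls.py <user> <password> 443` from whatever host is allowed to reach the manager. Keep the manager account limited to the manager-jmx (or manager-gui) role and bind or firewall the manager to that host; the script deliberately does not disable certificate verification, so point BASE_URL at a name the server certificate covers.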
