Peter,
On 12/27/19 07:24, logo wrote:
> Hi James,
>
> On 2019-12-27 05:31, Igal Sapir wrote:
>> James,
>>
>> On Thu, Dec 26, 2019 at 4:49 PM James H. H. Lampert <jam...@touchtonecorp.com> wrote:
>>
>>> We have a Tomcat (8.5.40) server running on an Amazon EC2
>>> instance, currently using a Java Keystore for the SSL support.
>>>
>>> We would like to be able to use Let's Encrypt, but I've learned
>>> that Let's Encrypt and Tomcat don't get along all that well
>>> together. The best I've found so far are the article at:
>>>
>>> <https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2>
>>>
>>> and this thread in the Let's Encrypt community forum:
>>>
>>> <https://community.letsencrypt.org/t/how-can-i-automate-renewals-with-tomcat/81423>
>>>
>>> Does anybody here have any experience with situations like
>>> this? Does anybody here have any suggestions? Or, as another
>>> alternative, does anybody here know of some Amazon AWS product
>>> that could front-end a single-box, non-load-balanced Tomcat
>>> server, and use Amazon's free "Public Certificates"? (I've
>>> already posted that last to the relevant Amazon forum.)
>>
>> You should check out Chris' presentations on the topic. He
>> outlines a very efficient process. There is probably more
>> material out there, but a quick search brings up the video [1]
>> and slides [2] from his presentation at ApacheCon earlier this
>> year, as well as his shell script for automating the process.
>>
>> Igal
>>
>> [1] https://www.youtube.com/watch?v=BWUjvmJgSeE
>> [2] <https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf>
>>     https://people.apache.org/~schultz/ApacheCon%20NA%202019/Let's%20Encrypt%20Apache%20Tomcat.pdf
>> [3] https://people.apache.org/~schultz/ApacheCon%20NA%202019/lets-encrypt-renew.sh
>
> +1
>
> Currently the script is broken

Really?
> , as there is a bug in the JMX implementation of Tomcat 8.5 that
> is fixed from 8.5.51.

Can you explain? I'll fix the script if there is something missing.

I *do* have to make the conversion from PEM -> PKCS12 optional. keystores just suck.

> Once that is released it is really easy to automate the letsencrypt
> acme process with [3].
>
> Tomcat 8.5 brings a new way to configure certificates [4]. You can
> use pem encoded certs even in the JSSE implementation. So you can
> just save/copy the certs from LE to your certificate directory (in
> my case ${catalina.base}/conf/ssl):
>
> <Certificate
>     certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
>     certificateFile="${catalina.base}/conf/ssl/cert.pem"
>     certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
>     type="RSA" />
>
> After certbot has finished, reload the SSL config for the updated
> Host through the jmxproxy and you are done.

That's the plan.

In Las Vegas, Christopher Tubbs did say to me "aw, I was really hoping for you to tell us that you just set letsEncrypt="true" in your configuration and you are done". So there is definitely more that can be done, here.

The plan was to try to get someone to integrate my script (or equivalent) into certbot or other ACME clients.

Maybe what we really need is a command that can be run that "gracefully" restarts the server -- like httpd already does. There is no reason to actually restart the server -- just reinitialize the TLS engine for the connector. So maybe what we need is a script that basically just hits the jmxproxy to reinit the connector and tell certbot to use that when it's done with the ACME stuff.

I don't think it's necessary to build ACME into Tomcat itself when tools like certbot already exist for that purpose, and admins will be more familiar with those than some server-specific configuration.
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
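The two steps Peter and Chris describe above (copy the PEM files certbot produced into the directory the `<Certificate>` element points at, then have the connector reload its TLS configuration through the Manager app's jmxproxy instead of restarting Tomcat) as a certbot deploy hook. This is an added example, not Chris Schultz's lets-encrypt-renew.sh or anything from the Tomcat project. It assumes the Manager app is deployed, a user with the `manager-jmx` role, and the ObjectName of the TLS connector's ProtocolHandler MBean (`CONNECTOR_MBEAN` below is a placeholder; query `jmxproxy/?qry=Catalina:type=ProtocolHandler,*` on your own server to find the real one). `RENEWED_LINEAGE` is the environment variable certbot exports to `--deploy-hook` scripts.

```shell
#!/bin/sh
# Added example: certbot deploy hook for Tomcat 8.5+ with PEM certificates.
# Not the script from the thread; paths, credentials and the MBean name are
# assumptions and must be adjusted for your installation.
#
#   CATALINA_BASE   Tomcat base directory
#   MANAGER_URL     jmxproxy URL; keep the Manager app bound to localhost
#   MANAGER_AUTH    user:password holding the manager-jmx role
#   CONNECTOR_MBEAN placeholder ObjectName of the TLS connector's ProtocolHandler
set -eu

CATALINA_BASE="${CATALINA_BASE:-/opt/tomcat}"
MANAGER_URL="${MANAGER_URL:-http://127.0.0.1:8080/manager/jmxproxy/}"
MANAGER_AUTH="${MANAGER_AUTH:-admin:CHANGEME}"
CONNECTOR_MBEAN="${CONNECTOR_MBEAN:-Catalina:type=ProtocolHandler,port=8443}"

# Copy privkey.pem, cert.pem and chain.pem from a certbot lineage directory
# ($1) into the directory referenced by <Certificate> ($2). Files are staged
# under a temporary name and renamed into place so a concurrent reload never
# reads a half-written file; the key ends up 0600, the certificates 0644.
install_certs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in privkey.pem cert.pem chain.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # umask 077 keeps the key private from the moment it is created,
    # not only after a later chmod.
    ( umask 077; cp "$src/privkey.pem" "$dst/privkey.pem.tmp" )
    cp "$src/cert.pem"  "$dst/cert.pem.tmp"
    cp "$src/chain.pem" "$dst/chain.pem.tmp"
    chmod 0600 "$dst/privkey.pem.tmp"
    chmod 0644 "$dst/cert.pem.tmp" "$dst/chain.pem.tmp"
    for f in privkey.pem cert.pem chain.pem; do
        mv "$dst/$f.tmp" "$dst/$f"
    done
}

# Ask jmxproxy to invoke reloadSslHostConfigs() on the ProtocolHandler MBean
# given as $1. -G with --data-urlencode handles the ':' '=' ',' and quotes an
# ObjectName may contain; -f makes curl fail on HTTP 401/403/404 so a wrong
# role or MBean name does not pass silently.
reload_tls() {
    curl -sSf -u "$MANAGER_AUTH" -G \
        --data-urlencode "invoke=$1" \
        --data-urlencode "op=reloadSslHostConfigs" \
        "$MANAGER_URL"
}

# jmxproxy replies with a line starting "OK - ..." on success and
# "Error - ..." otherwise; treat only the former as success.
reload_ok() {
    case "$1" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    # certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>)
    # to deploy hooks; when run by hand, pass that directory as $1.
    lineage="${RENEWED_LINEAGE:-${1:-}}"
    [ -n "$lineage" ] || { echo "usage: $0 /etc/letsencrypt/live/<domain>" >&2; return 2; }
    install_certs "$lineage" "$CATALINA_BASE/conf/ssl"
    reply=$(reload_tls "$CONNECTOR_MBEAN")
    echo "$reply"
    reload_ok "$reply"
}

# Run only as a hook or with an explicit lineage; sourcing just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
    main "$@"
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it in `/etc/letsencrypt/renewal-hooks/deploy/`); certbot only runs deploy hooks when a certificate was actually renewed, so the connector is reloaded only when the files changed. A non-zero exit from `reload_ok` surfaces in certbot's log, which is the signal to check the Manager role or the MBean name.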