Chris,
On 2019-12-27 16:40, Christopher Schultz wrote:
Peter,
On 12/27/19 07:24, logo wrote:
Hi James,
On 2019-12-27 05:31, Igal Sapir wrote:
James,
On Thu, Dec 26, 2019 at 4:49 PM James H. H. Lampert <jam...@touchtonecorp.com> wrote:
We have a Tomcat (8.5.40) server running on an Amazon EC2
instance, currently using a Java Keystore for the SSL support.
We would like to be able to use Let's Encrypt, but I've learned
that Let's Encrypt and Tomcat don't get along all that well
together. The best I've found so far is an article at:
<https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2>
and this thread in the Let's Encrypt community forum:
<https://community.letsencrypt.org/t/how-can-i-automate-renewals-with-tomcat/81423>
Does anybody here have any experience with situations like
this? Does anybody here have any suggestions? Or, as another
alternative, does anybody here know of some Amazon AWS product
that could front-end a single-box, non-load-balanced Tomcat
server, and use Amazon's free "Public Certificates"? (I've
already posted that last to the relevant Amazon forum.)
You should check out Chris' presentations on the topic. He
outlines a very efficient process. There is probably more
material out there, but a quick search brings up the video [1]
and slides [2] from his presentation at ApacheCon earlier this
year, as well as his shell script for automating the process.
Igal
[1] https://www.youtube.com/watch?v=BWUjvmJgSeE
[2] https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf
    https://people.apache.org/~schultz/ApacheCon%20NA%202019/Let's%20Encrypt%20Apache%20Tomcat.pdf
[3] https://people.apache.org/~schultz/ApacheCon%20NA%202019/lets-encrypt-renew.sh
+1
Currently the script is broken
Really?
..., as there is a bug in the JMX implementation of Tomcat 8.5 that is fixed from 8.5.51.
Can you explain? I'll fix the script if there is something missing. I
*do* have to make the conversion from PEM -> PKCS12 optional.
keystores just suck.
Well, not really the script. I should say explicitly that it will not work on
8.5, as JMX reloadSSLConfigs is broken. See:
https://markmail.org/thread/renoatnedduquebm
Mark already fixed it for 8.5.51.
Once that is released, it is really easy to automate the Let's Encrypt
ACME process with [3].
Tomcat 8.5 brings a new way to configure certificates [4]. You can
use PEM-encoded certs even in the JSSE implementation. So you can
just save/copy the certs from LE to your certificate directory (in
my case ${catalina.base}/conf/ssl):
<Certificate
certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
certificateFile="${catalina.base}/conf/ssl/cert.pem"
certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
type="RSA" />
After certbot has finished, reload the SSL config for the updated
Host through the jmxproxy and you are done.
That's the plan. In Las Vegas, Christopher Tubbs did say to me "aw, I
was really hoping for you to tell us that you just set
letsEncrypt="true" in your configuration and you are done". So there
is definitely more that can be done, here.
The plan was to try to get someone to integrate my script (or
equivalent) into certbot or other ACME clients. Maybe what we really
need is a command that can be run that "gracefully" restarts the
server -- like httpd already does. There is no reason to actually
restart the server -- just reinitialize the TLS engine for the
connector. So maybe what we need is a script that basically just hits
the jmxproxy to reinit the connector and tell certbot to use that when
it's done with the ACME stuff.
Oh, I get the idea! A hook script, right?
Like the 2nd part of your script. Well, specifically it could reload only
the SSLHostConfig affected by this new cert:
# reload only the SSLHostConfig named ${HOSTNAME} on the connector listening on ${CONNECTOR_PORT}
curl "https://$JMXUSER:$JMXPASSWORD@localhost:${SERVICE_PORT}/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=${CONNECTOR_PORT}&op=reloadSslHostConfig&ps=${HOSTNAME}"
Or did you think about a bin/version.sh type script? That would get a +1
from me. What I don't like is that one needs to add credentials to
tomcat-users.xml and expose the manager interface.
I don't think it's necessary to build ACME into Tomcat itself when
tools like certbot already exist for that purpose, and admins will be
more familiar with those than some server-specific configuration.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
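The hook script discussed above (copy the renewed PEM files into the directory the `<Certificate>` element points at, then hit the jmxproxy to reload only the affected SSLHostConfig), written out as an added example. It is not code from the thread or from Chris's lets-encrypt-renew.sh. The variable names SERVICE_PORT, CONNECTOR_PORT and the jmxproxy URL shape are taken from Peter's curl line; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to `--deploy-hook` scripts; the defaults for CATALINA_BASE, MANAGER_HOST and the netrc credentials file are assumptions. Per Peter's note, reloadSslHostConfig over JMX only works on 8.5.51 or later.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a Tomcat using PEM certificates.
# Usage: certbot renew --deploy-hook /path/to/this/script
set -eu

CATALINA_BASE="${CATALINA_BASE:-/opt/tomcat}"          # assumed default
SSL_DIR="${SSL_DIR:-$CATALINA_BASE/conf/ssl}"           # matches the <Certificate> paths above
MANAGER_HOST="${MANAGER_HOST:-localhost}"               # name the manager webapp is reached on
SERVICE_PORT="${SERVICE_PORT:-8443}"                    # port the manager webapp is served on
CONNECTOR_PORT="${CONNECTOR_PORT:-8443}"                # "port" attribute of the TLS connector
JMX_CREDS_FILE="${JMX_CREDS_FILE:-/etc/tomcat/jmxproxy.netrc}"  # assumed; holds the manager-jmx user

# Build the jmxproxy URL that reloads only the SSLHostConfig named by $1.
# Credentials are kept out of the URL on purpose: a user:password@ URL shows
# up in process listings and shell history. curl reads them from a netrc file.
jmxproxy_reload_url() {
  host="$1"
  printf 'https://%s:%s/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfig&ps=%s' \
    "$MANAGER_HOST" "$SERVICE_PORT" "$CONNECTOR_PORT" "$host"
}

# Copy privkey/cert/chain from a certbot lineage directory ($1) into Tomcat's
# ssl directory ($2). Files are written owner-only and swapped in atomically so
# a reload never sees a half-written key.
install_pems() {
  lineage="$1"; dest="$2"
  mkdir -p "$dest"
  for f in privkey.pem cert.pem chain.pem; do
    [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    cp -L "$lineage/$f" "$dest/$f.tmp"   # -L: certbot's live/ entries are symlinks
    chmod 600 "$dest/$f.tmp"
    mv -f "$dest/$f.tmp" "$dest/$f"
  done
}

# Ask Tomcat to reload the SSLHostConfig for $1. jmxproxy answers with a body
# starting "OK - ..." on success and "Error - ..." otherwise, so check the text,
# not just the HTTP status.
reload_ssl_host_config() {
  host="$1"
  out="$(curl -sS --fail --netrc-file "$JMX_CREDS_FILE" "$(jmxproxy_reload_url "$host")")"
  case "$out" in
    OK*) return 0 ;;
    *)   echo "reloadSslHostConfig($host) failed: $out" >&2; return 1 ;;
  esac
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS (space-separated) for deploy hooks; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_pems "$RENEWED_LINEAGE" "$SSL_DIR"
  for d in ${RENEWED_DOMAINS:-}; do
    reload_ssl_host_config "$d"
  done
fi
```

Two things worth checking before relying on this: the jmxproxy user in tomcat-users.xml only needs the `manager-jmx` role, and the manager webapp should be reachable on MANAGER_HOST from the box itself only (a RemoteAddrValve on 127.0.0.1, or a connector bound to the loopback address), which addresses the concern raised above about exposing the manager interface. curl also verifies MANAGER_HOST against the certificate it is served, so with `localhost` you will need a certificate or `--cacert` that covers that name.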