On 8/6/20 10:10 AM, Christopher Schultz wrote:
$ openssl pkcs12 -export \
    -in /etc/tomcat8/test.foo.net.crt \
    -inkey /etc/tomcat8/test.foo.net.key \
    -certfile /etc/tomcat8/test.foo.net.issuer.crt \
    -out /etc/tomcat8/test.foo.net.p12 \
    -chain
Then reconfigure your <Certificate> to use your keystore.
Dear Mr. Schultz (et al):
It was a bit of a challenge to find out how to use a PKCS12 keystore in
the Certificate clause, but not that difficult. And the "-chain" was not
necessary.
At any rate, congratulations, you have just cut my proverbial Gordian knot!
In my case, there's obviously no need for the
curl 'https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostConfigs'
in my renewal script, as given in your presentation, because it's
already necessary to shut down Tomcat for the renewal: the known-good
procedure for getting a Let's Encrypt on an Amazon Linux (not "2")
instance with a Bitnami Trac/SVN stack uses Lego, rather than Certbot,
and Lego needs to take over all the ports in order to do its magic
(probably why Lego is not as popular as Certbot).
And likewise, since I'm generating a PKCS12 keystore, rather than using
the certificate and key files directly, I was able to cut out making
local copies of those files, and just reference the ones that Lego put
in /opt/trac-1.2.3-11/letsencrypt/certificates/ directly.
--
James H. H. Lampert
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
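For readers who hit the same hurdle as the reply above, here is one way to write the Certificate clause in server.xml for the PKCS12 keystore that the quoted openssl command produces. This is an added example, not part of either message; it assumes Tomcat 8.5 or later (the SSLHostConfig/Certificate elements do not exist in 8.0), and the keystore password is a placeholder that must match the one given to openssl at export time.

```xml
<!-- Added example (not from the original messages). Assumes Tomcat 8.5+.
     The keystore was built by the quoted "openssl pkcs12 -export" command, so
     the private key, the leaf certificate and the issuer certificate from
     -certfile are all inside the one .p12 file; no separate
     certificateChainFile is needed, which is why -chain made no difference. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
    <SSLHostConfig>
        <!-- certificateKeystoreType is the attribute that is easy to miss:
             the default is JKS, so name PKCS12 explicitly. -->
        <Certificate certificateKeystoreFile="/etc/tomcat8/test.foo.net.p12"
                     certificateKeystorePassword="CHANGE-ME-keystore-password"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>
```

Before restarting Tomcat after a renewal, `keytool -list -v -keystore /etc/tomcat8/test.foo.net.p12 -storetype PKCS12` shows whether the new leaf and issuer certificates actually landed in the keystore.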