Jerry,
On 12/28/20 13:56, Jerry Malcolm wrote:
Thanks for the info. I'll try to figure out a way to integrate this.
The problem is that I don't really know when the certs get regen'd. I
have a daily cron job that calls certbot to renew. But it only renews
when it decides it's time to renew. TC is so good about monitoring
other folders for changes such as war files, jar files, etc and
automatically refreshing when it detects a file update. I was just
hoping that there was something buried inside TC that I had missed that
tells TC to monitor the certs and refresh if the certs are updated.
Check out this presentation which includes scripts for this kind of
thing. It shows how to detect that the LE key+cert have been actually
updated. It also shows how to re-package those PEM files as a PKCS12
keystore (or JKS if you like that kind of thing) and how to trigger a
reload of the TLS configuration (including the keys + certificates).
https://tomcat.apache.org/presentations.html#latest-lets-encrypt
-chris
On 12/28/2020 4:12 AM, logo wrote:
Jerry,
the quotes were messed up.
See the correct command below inline.
Am 28.12.2020 um 11:10 schrieb logo <l...@kreuser.name>:
Jerry,
Try this after regenerating the LE certs
curl -u <user> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfigs"
for all domains or
curl -u <user> "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=8443&op=reloadSslHostConfig&ps=<domain to reload>"
for just the needed domain.
Adjust the port to your SSL-Connector.
Add a <user> to tomcat-users.xml
<user username="<user>" password="<passwd>" roles="manager-jmx"/>
Beware not to open the Manager App to the public - just localhost.
HTH
Peter
Am 26.12.2020 um 18:42 schrieb Jerry Malcolm <techst...@malcolms.com>:
We have a production environment where we rarely reboot Tomcat.
LetsEncrypt auto-updates the certificates every couple of months.
But the new certificates are not loaded into Tomcat. So when the
original expiration date of the certs arrives, users get
"certificate expired" even though new certs exist. A simple reboot
to load the new certs fixes it. But we want to avoid reboots. Are
there any config parameters that tell TC to check for cert updates
and reload the new certs? Thx
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
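As an added example that is not code from this thread, from Tomcat, or from the linked presentation: a POSIX shell script that glues together the two steps the replies describe, Chris's "detect that the LE key+cert were actually updated" and Peter's jmxproxy reload (reloadSslHostConfigs for every host, or reloadSslHostConfig with the host name passed via ps=). The lineage directory, stamp file, netrc file, connector port and script name are assumptions to adjust; the manager-jmx user is the one from the tomcat-users.xml line above. Two practitioner notes: curl's --netrc-file keeps the manager password out of the process list, which -u user:pass in a cron job does not; and certbot's --deploy-hook (or a script dropped in /etc/letsencrypt/renewal-hooks/deploy/) runs only when a certificate was really renewed, which answers the "I don't know when the certs get regen'd" problem without polling.

```shell
#!/bin/sh
# Added example: reload Tomcat's TLS config after a Let's Encrypt renewal.
# All paths/ports below are assumptions for illustration.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.com}"   # certbot lineage dir
STAMP="${STAMP:-/var/lib/tomcat/le-cert.sha256}"         # hash of what Tomcat last loaded
TC_PORT="${TC_PORT:-8443}"                               # port of the TLS connector
NETRC="${NETRC:-/etc/tomcat/jmx.netrc}"                  # "machine localhost login <user> password <passwd>", mode 0600

# Build the jmxproxy URL. Without a host name it invokes reloadSslHostConfigs
# (all virtual hosts); with one it invokes reloadSslHostConfig on that host
# only, passing the name through the "ps" (operation parameters) argument.
jmx_reload_url() {
    port="$1"; host="${2:-}"
    base="https://localhost:${port}/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=${port}"
    if [ -n "$host" ]; then
        printf '%s&op=reloadSslHostConfig&ps=%s\n' "$base" "$host"
    else
        printf '%s&op=reloadSslHostConfigs\n' "$base"
    fi
}

# SHA-256 over key and chain together, so a renewed chain with a re-used key
# (or the reverse) still counts as a change.
cert_fingerprint() {
    cat "$1/privkey.pem" "$1/fullchain.pem" \
        | { sha256sum 2>/dev/null || shasum -a 256; } | cut -d' ' -f1
}

# True (exit 0) when the PEM files differ from what we last loaded into Tomcat.
cert_changed() {
    dir="$1"; stamp="$2"
    new=$(cert_fingerprint "$dir")
    old=$(cat "$stamp" 2>/dev/null || echo none)
    [ "$new" != "$old" ]
}

record_cert() {
    cert_fingerprint "$1" > "$2"
}

# Ask Tomcat to reload. -f makes curl fail on HTTP errors (e.g. 401/403);
# the jmxproxy servlet reports its own result in the body, "OK - ..." on
# success, "Error - ..." otherwise, so check the body as well.
tomcat_reload_tls() {
    url="$1"
    out=$(curl -sSf --netrc-file "$NETRC" "$url") || return 1
    case "$out" in
        OK*) return 0 ;;
        *)   printf 'jmxproxy reported: %s\n' "$out" >&2; return 1 ;;
    esac
}

# Optional: hash is recorded only after a successful reload, so a failed
# reload is retried on the next run instead of being silently forgotten.
main() {
    if cert_changed "$LE_DIR" "$STAMP"; then
        tomcat_reload_tls "$(jmx_reload_url "$TC_PORT" "${1:-}")" \
            && record_cert "$LE_DIR" "$STAMP"
    fi
}

# Run only when invoked as the installed script (assumed name), so the
# functions can be sourced and tested without touching Tomcat.
if [ "${0##*/}" = "tomcat-le-reload.sh" ]; then
    main "$@"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/tomcat-le-reload.sh (or pass it with certbot renew --deploy-hook) and the reload happens only on the runs where certbot actually rotated the files; keep the Manager app bound to localhost as Peter says, since this endpoint can invoke arbitrary MBean operations for anyone holding the manager-jmx credential.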