Posted to users@tomcat.apache.org by Chris Cheshire <ya...@gmail.com> on 2017/08/24 18:50:40 UTC

letsencrypt integration?

Currently I am using httpd to handle SSL (because my certs are generated
via LE) with all content being passed off to Tomcat 7 (investigating 8.5
upgrade).

I had a poke around on the archives and found mention of a talk on it in a
conference in Miami.

http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673

Did this happen? I looked in the Tomcat youtube channel and found a handful
of videos from there, but nothing on LE. Is it something that is still in
the "we'd like to find time to do it, but don't know who or when" phase, or
something that is being worked on for Tomcat 9?

Re: letsencrypt integration?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chris,

On 8/24/17 5:14 PM, Chris Cheshire wrote:
> On Thu, Aug 24, 2017 at 4:29 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
>> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> Chris,
>> 
>> On 8/24/17 4:03 PM, Chris Cheshire wrote:
>>> Cheers :)
>>> 
>>> On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas
>>> <ma...@apache.org> wrote:
>>> 
>>>> On 24/08/17 19:50, Chris Cheshire wrote:
>>>>> Currently I am using httpd to handle SSL (because my certs
>>>>> are generated via LE) with all content being passed off to
>>>>> Tomcat 7 (investigating 8.5 upgrade).
>>>>> 
>>>>> I had a poke around on the archives and found mention of a
>>>>> talk on it in
>>>> a
>>>>> conference in Miami.
>>>>> 
>>>>> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
>>>> certificates-tt5059619.html#a5059673
>>>>> 
>>>>> Did this happen? I looked in the Tomcat youtube channel
>>>>> and found a
>>>> handful
>>>>> of videos from there, but nothing on LE. Is it something
>>>>> that is still in the "we'd like to find time to do it, but
>>>>> don't know who or when" phase,
>>>> or
>>>>> something that is being worked on for Tomcat 9?
>>>> 
>>>> We only had video for the final day in Miami. But we have
>>>> audio for the others.
>>>> 
>>>> http://tomcat.apache.org/presentations.html
>> 
>> There are two items here:
>> 
>> 1. Can Tomcat be configured and scripted for LE (pretty easy) 2.
>> Tomcat can (with caveats) reload the certificate store
>> 
>> I have not made any progress on #2. The Tomcat/LE presentation in
>> the above link mentions we'll be trying to implement seamless
>> reloading, but it's not done, yet. The presentation shows you how
>> to reload it in a potentially disruptive way (because the
>> connector is stopped and re-started, killing any in-flight
>> requests).
>> 
>> So it's not great, but it IS possible.
>> 
>> - -chris
> 
> 
> Just finished listening to your audio and following the slides.
> Thank you for making these available.
> 
> Tomcat 9.0 supports .pem files, correct? What about 8.5? (I am
> still using 7 and working on upgrading).

Both 8.5 and 9.0 support using PEM files.

> With this support, does this mean we would just reference the
> files certbot produces without repackaging them into a JKS?
Yes, but the connector will still need to be bounced, of course.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
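As an added example (not from this thread and not the Tomcat project's own configuration), here is what "just reference the files certbot produces" looks like in a Tomcat 8.5/9.0 server.xml, assuming a hypothetical domain example.com and certbot's default /etc/letsencrypt/live layout; the connector still has to be bounced after each renewal, as the reply above notes:

```xml
<!-- Added example: HTTPS connector using certbot's PEM files directly (no JKS repackaging).
     Tomcat 8.5 and 9.0 accept PEM via certificateFile / certificateKeyFile / certificateChainFile.
     Assumption: certbot writes its output under /etc/letsencrypt/live/example.com/ (placeholder domain). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
  <SSLHostConfig hostName="example.com"
                 protocols="TLSv1.2">
    <!-- Point at the "live" directory: certbot keeps these as symlinks to the
         newest renewal, so a connector restart picks up the renewed certificate. -->
    <Certificate type="RSA"
                 certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" />
  </SSLHostConfig>
</Connector>

<!-- Operational caveats (defender's view):
     1. privkey.pem must be readable by the account Tomcat runs as and by nobody else;
        certbot's default /etc/letsencrypt/live and /archive are root-only, so either
        grant the Tomcat user read access to exactly these files or copy them out in a
        renewal hook with restrictive permissions.
     2. Tomcat reads the PEM files only when the connector starts. Until seamless
        reloading exists (the thread says it is not done yet), a renewal is not live
        until the connector is stopped and started again, which drops in-flight
        requests on that connector. Schedule that bounce in the certbot renewal hook,
        in a maintenance window, and verify the served certificate afterwards. -->
```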


Re: letsencrypt integration?

Posted by Chris Cheshire <ya...@gmail.com>.
On Thu, Aug 24, 2017 at 4:29 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Chris,
>
> On 8/24/17 4:03 PM, Chris Cheshire wrote:
> > Cheers :)
> >
> > On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas <ma...@apache.org>
> > wrote:
> >
> >> On 24/08/17 19:50, Chris Cheshire wrote:
> >>> Currently I am using httpd to handle SSL (because my certs are
> >>> generated via LE) with all content being passed off to Tomcat 7
> >>> (investigating 8.5 upgrade).
> >>>
> >>> I had a poke around on the archives and found mention of a talk
> >>> on it in
> >> a
> >>> conference in Miami.
> >>>
> >>> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
> >> certificates-tt5059619.html#a5059673
> >>>
> >>> Did this happen? I looked in the Tomcat youtube channel and
> >>> found a
> >> handful
> >>> of videos from there, but nothing on LE. Is it something that
> >>> is still in the "we'd like to find time to do it, but don't
> >>> know who or when" phase,
> >> or
> >>> something that is being worked on for Tomcat 9?
> >>
> >> We only had video for the final day in Miami. But we have audio
> >> for the others.
> >>
> >> http://tomcat.apache.org/presentations.html
>
> There are two items here:
>
> 1. Can Tomcat be configured and scripted for LE (pretty easy)
> 2. Tomcat can (with caveats) reload the certificate store
>
> I have not made any progress on #2. The Tomcat/LE presentation in the
> above link mentions we'll be trying to implement seamless reloading,
> but it's not done, yet. The presentation shows you how to reload it in
> a potentially disruptive way (because the connector is stopped and
> re-started, killing any in-flight requests).
>
> So it's not great, but it IS possible.
>
> - -chris


Just finished listening to your audio and following the slides. Thank
you for making these available.

Tomcat 9.0 supports .pem files, correct? What about 8.5? (I am still
using 7 and working on upgrading). With this support, does this mean
we would just reference the files certbot produces without repackaging
them into a JKS?


Chris



Re: letsencrypt integration?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chris,

On 8/24/17 4:03 PM, Chris Cheshire wrote:
> Cheers :)
> 
> On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas <ma...@apache.org>
> wrote:
> 
>> On 24/08/17 19:50, Chris Cheshire wrote:
>>> Currently I am using httpd to handle SSL (because my certs are
>>> generated via LE) with all content being passed off to Tomcat 7
>>> (investigating 8.5 upgrade).
>>> 
>>> I had a poke around on the archives and found mention of a talk
>>> on it in
>> a
>>> conference in Miami.
>>> 
>>> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
>> certificates-tt5059619.html#a5059673
>>> 
>>> Did this happen? I looked in the Tomcat youtube channel and
>>> found a
>> handful
>>> of videos from there, but nothing on LE. Is it something that
>>> is still in the "we'd like to find time to do it, but don't
>>> know who or when" phase,
>> or
>>> something that is being worked on for Tomcat 9?
>> 
>> We only had video for the final day in Miami. But we have audio
>> for the others.
>> 
>> http://tomcat.apache.org/presentations.html

There are two items here:

1. Can Tomcat be configured and scripted for LE (pretty easy)
2. Tomcat can (with caveats) reload the certificate store

I have not made any progress on #2. The Tomcat/LE presentation in the
above link mentions we'll be trying to implement seamless reloading,
but it's not done, yet. The presentation shows you how to reload it in
a potentially disruptive way (because the connector is stopped and
re-started, killing any in-flight requests).

So it's not great, but it IS possible.

- -chris



Re: letsencrypt integration?

Posted by Chris Cheshire <ya...@gmail.com>.
Cheers :)

On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas <ma...@apache.org> wrote:

> On 24/08/17 19:50, Chris Cheshire wrote:
> > Currently I am using httpd to handle SSL (because my certs are generated
> > via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> > upgrade).
> >
> > I had a poke around on the archives and found mention of a talk on it in
> a
> > conference in Miami.
> >
> > http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
> certificates-tt5059619.html#a5059673
> >
> > Did this happen? I looked in the Tomcat youtube channel and found a
> handful
> > of videos from there, but nothing on LE. Is it something that is still in
> > the "we'd like to find time to do it, but don't know who or when" phase,
> or
> > something that is being worked on for Tomcat 9?
>
> We only had video for the final day in Miami. But we have audio for the
> others.
>
> http://tomcat.apache.org/presentations.html
>
> Mark
>

Re: letsencrypt integration?

Posted by Mark Thomas <ma...@apache.org>.
On 24/08/17 19:50, Chris Cheshire wrote:
> Currently I am using httpd to handle SSL (because my certs are generated
> via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> upgrade).
> 
> I had a poke around on the archives and found mention of a talk on it in a
> conference in Miami.
> 
> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673
> 
> Did this happen? I looked in the Tomcat youtube channel and found a handful
> of videos from there, but nothing on LE. Is it something that is still in
> the "we'd like to find time to do it, but don't know who or when" phase, or
> something that is being worked on for Tomcat 9?

We only had video for the final day in Miami. But we have audio for the
others.

http://tomcat.apache.org/presentations.html

Mark



Re: letsencrypt integration?

Posted by Martynas Jusevičius <ma...@atomgraph.com>.
Hi,

we have made a Docker image that configures Tomcat with LE certs:
https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/

It hasn't been tested in production though.

Martynas
atomgraph.com
On Thu, 24 Aug 2017 at 20.50, Chris Cheshire <ya...@gmail.com> wrote:

> Currently I am using httpd to handle SSL (because my certs are generated
> via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> upgrade).
>
> I had a poke around on the archives and found mention of a talk on it in a
> conference in Miami.
>
>
> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673
>
> Did this happen? I looked in the Tomcat youtube channel and found a handful
> of videos from there, but nothing on LE. Is it something that is still in
> the "we'd like to find time to do it, but don't know who or when" phase, or
> something that is being worked on for Tomcat 9?
>