Posted to users@tomcat.apache.org by Sean Dawson <se...@gmail.com> on 2019/04/17 13:20:15 UTC

Wildcard certificates

Hello, I have a wildcard certificate from GoDaddy. Can I use this with
Tomcat? (8.5)

I have the files crt (primary certificate?), p7b (intermediate?), pfx
(private key?), and a .key file. I did not generate a certificate request
prior to this.

Google is telling me that either I need to generate a certificate request
first, or it's telling everything I need to know about wildcard
certificates except how to use the above files.

This is for Tomcat 8.5 with Java 8 on CentOS 7, and Windows Server 2016.

Thank you.

Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
Here is a mostly manual process for integration of certbot with tomcat
7.x.x.  This presupposes you have certbot installed and working (I'm
using Debian):
--------------------------------------------------------------------------------------

# generate the certificates (certbot prompts for the domain list when no -d is given)
./certbot-auto certonly --webroot -w /path/to/certbotauth/

# paste in, at the prompt
domain1.com domain2.com domain3.com domainN.com

# change folders into the directory where the cert was generated
cd /etc/letsencrypt/live/primarydomain.com/

# convert key format: bundle the private key, the leaf cert and the
# intermediate chain into one PKCS12
openssl pkcs12 -export -out gbsapp-bundle.pfx -inkey privkey.pem -in cert.pem \
    -certfile chain.pem -password pass:keystorepass

# copy key and change permissions (the bundle contains the private key, so
# leave it readable only by the account Tomcat runs as; adjust the user name)
cp gbsapp-bundle.pfx /pathtotomcat/apache-tomcat-7.x.x/conf/
chown tomcat:tomcat /pathtotomcat/apache-tomcat-7.x.x/conf/gbsapp-bundle.pfx
chmod 600 /pathtotomcat/apache-tomcat-7.x.x/conf/gbsapp-bundle.pfx


Here is what I'm using to handle the certbot challenge in my custom MVC:
--------------------------------------------------------------------------------------------------

            // requires java.io.File, java.io.FileInputStream, java.io.OutputStream
            // and javax.servlet.http.HttpServletResponse
            String pathInfo = request.getPathInfo();
            if(pathInfo != null && pathInfo.startsWith("/.well-known/acme-challenge/"))
            {
                // certbot request
                // todo - further validate authenticity of request
                // example:
                // /.well-known/acme-challenge/Z9kDHD-PDvjAPT6pUaeGCoNP2f-GNoLFpXOKoAA_58k
                // certAuthRoot is the directory handed to "certbot --webroot -w"
                File certAuthRoot = new File("certbot/auth/folder/path").getCanonicalFile();
                log.info("Cert bot challenge detected.");
                File file = new File(certAuthRoot, pathInfo).getCanonicalFile();
                // reject anything that resolves outside the challenge directory
                // (e.g. "/.well-known/acme-challenge/../../conf/server.xml")
                // or that is not a plain file
                if(!file.getPath().startsWith(certAuthRoot.getPath() + File.separator)
                    || !file.isFile())
                {
                    response.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                response.setContentType("text/plain");
                // try-with-resources closes both streams even if the copy throws
                try(FileInputStream fis = new FileInputStream(file);
                    OutputStream os = response.getOutputStream())
                {
                    byte[] buf = new byte[8192];
                    int n;
                    while((n = fis.read(buf)) != -1)
                    {
                        os.write(buf, 0, n);
                    }
                    os.flush();
                }
                return;
            }

Hope this helps,

John


On 4/17/19, Sean Dawson <se...@gmail.com> wrote:
> On Wed, Apr 17, 2019 at 9:20 AM Sean Dawson <se...@gmail.com>
> wrote:
>
>>
>> Hello, I have a wildcard certificate from GoDaddy. Can I use this with
>> Tomcat? (8.5)
>>
>> I have the files crt (primary certificate?), p7b (intermediate?), pfx
>> (private key?), and a .key file. I did not generate a certificate request
>> prior to this.
>>
>> Google is telling me that either I need to generate a certificate request
>> first, or it's telling everything I need to know about wildcard
>> certificates except how to use the above files.
>>
>> This is for Tomcat 8.5 with Java 8 on CentOS 7, and Windows Server 2016.
>>
>> Thank you.
>>
>>
> Ok just for others' benefit if they want to go this way, I was able to get
> it working by concatenating the .key and the .crt file into one .pem. Then
> do this:
>
> openssl pkcs12 -export -in combined.pem -out cert.p12
>
> And then this:
>
> keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12
> -destkeystore cert.jks
>
> (from this page:
> https://stackoverflow.com/questions/22296312/convert-certificate-from-pem-into-jks
> )
>
> Sorry for the earlier top posting.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Wildcard certificates

Posted by Sean Dawson <se...@gmail.com>.
On Wed, Apr 17, 2019 at 9:20 AM Sean Dawson <se...@gmail.com>
wrote:

>
> Hello, I have a wildcard certificate from GoDaddy. Can I use this with
> Tomcat? (8.5)
>
> I have the files crt (primary certificate?), p7b (intermediate?), pfx
> (private key?), and a .key file. I did not generate a certificate request
> prior to this.
>
> Google is telling me that either I need to generate a certificate request
> first, or it's telling everything I need to know about wildcard
> certificates except how to use the above files.
>
> This is for Tomcat 8.5 with Java 8 on CentOS 7, and Windows Server 2016.
>
> Thank you.
>
>
Ok just for others' benefit if they want to go this way, I was able to get
it working by concatenating the .key and the .crt file into one .pem. Then
do this:

openssl pkcs12 -export -in combined.pem -out cert.p12

And then this:

keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12
-destkeystore cert.jks

(from this page:
https://stackoverflow.com/questions/22296312/convert-certificate-from-pem-into-jks
)

Sorry for the earlier top posting.
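The two-file conversion above packages only the key and the leaf certificate; the intermediate chain (the .p7b from the original question) is left out, which typically still validates in browsers (they cache or fetch intermediates) but fails for curl, Java and other strict clients with an incomplete chain. The following is an added example, not Sean's or the Tomcat project's own code, that builds one PKCS12 from key, leaf and the chain extracted from the .p7b, checks that the key actually belongs to the certificate, and can be loaded by Tomcat 8.5 directly; it also illustrates the later remark in this thread that a PKCS12 with a JSSE engine needs no JKS at all. The file names, the alias "tomcat", the password "changeit" and the throwaway root, intermediate and *.example.com certificates it generates for a stand-alone run are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): package the pieces a commercial CA hands
# out for a wildcard certificate into one PKCS12 keystore for Tomcat 8.5.
#   <name>.key    private key            (PEM)
#   <name>.crt    leaf/server cert       (PEM)
#   <bundle>.p7b  intermediate chain     (PKCS#7, PEM or DER)
# File names, the alias "tomcat" and the password are assumptions for the example.
set -eu

# Unpack the PKCS#7 bundle into a PEM file holding the intermediate CA cert(s).
# CA portals ship .p7b as either PEM or DER; try PEM first, then DER.
p7b_to_chain_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2" 2>/dev/null ||
        openssl pkcs7 -print_certs -inform DER -in "$1" -out "$2"
}

# Confirm the private key belongs to the leaf certificate by comparing the
# public keys. A mismatched pair is the usual cause of handshake failures
# right after a keystore conversion. Returns 0 on match, 1 otherwise.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Build the PKCS12: key + leaf + chain under one alias. -certfile is what puts
# the intermediate(s) into the keystore so Tomcat sends the full chain.
build_pkcs12() {
    key=$1; crt=$2; chain=$3; out=$4; pass=$5
    key_matches_cert "$key" "$crt" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile "$chain" \
        -name tomcat -out "$out" -passout "pass:$pass"
    chmod 600 "$out"   # the bundle contains the private key
}

# Count the certificates stored in the PKCS12; expect leaf + intermediate(s).
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Constructed test material: a throwaway root, an intermediate and a
# *.example.com leaf, with the intermediate wrapped in a .p7b the way a CA
# portal delivers it. Nothing here is a real CA.
make_test_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$d/domain.key" -out "$d/domain.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/domain.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/domain.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/int.crt" -out "$d/bundle.p7b"
}

# Stand-alone run: build and inspect a keystore from the constructed material.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_material "$work"
    p7b_to_chain_pem "$work/bundle.p7b" "$work/chain.pem"
    build_pkcs12 "$work/domain.key" "$work/domain.crt" "$work/chain.pem" "$work/tomcat.p12" changeit
    echo "certificates in keystore: $(pkcs12_cert_count "$work/tomcat.p12" changeit)"
    rm -rf "$work"
fi
```

Run it as "sh build-p12.sh demo" (file name assumed) to see the keystore built from the test material; with real files, call build_pkcs12 on them after p7b_to_chain_pem. In Tomcat 8.5 the result goes on the Certificate element inside the connector's SSLHostConfig: certificateKeystoreFile="conf/tomcat.p12", certificateKeystoreType="PKCS12" and certificateKeystorePassword="changeit"; the keytool -importkeystore step into a JKS is not needed. With the OpenSSL engine (tcnative) the same element can instead take certificateKeyFile, certificateFile and certificateChainFile pointing at the PEM files. One caveat: OpenSSL 3 writes PKCS12 files with AES-256 and PBKDF2 by default, which older Java 8 updates cannot read (the symptom is a wrong-password error on startup); if that happens, add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to the export.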

Re: Wildcard certificates

Posted by "TurboChargedDad ." <li...@gmail.com>.
Multi-tenant or single tenant system?

On Wed, Apr 17, 2019 at 8:54 AM Sean Dawson <se...@gmail.com>
wrote:

> Thanks for the replies - I'm willing to use NGINX to handle this for us -
> can you point me to a good page on that?
>
>
> On Wed, Apr 17, 2019 at 9:46 AM John Larsen <jo...@javapipe.com>
> wrote:
>
> > We do the same - via mod_jk we utilize apache httpd to handle the SSL.
> > Keeps things simple and works well.
> > John Larsen
> >
> > On Wed, Apr 17, 2019 at 7:44 AM TurboChargedDad . <linuxhpceng@gmail.com>
> > wrote:
> >
> > >   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
> > > the complexities that come with managing a JKS.  I want to hear all I can
> > > on this subject.
> > >
> >
>

Re: Wildcard certificates

Posted by Sean Dawson <se...@gmail.com>.
Thanks for the replies - I'm willing to use NGINX to handle this for us -
can you point me to a good page on that?


On Wed, Apr 17, 2019 at 9:46 AM John Larsen <jo...@javapipe.com>
wrote:

> We do the same - via mod_jk we utilize apache httpd to handle the SSL.
> Keeps things simple and works well.
> John Larsen
>
> On Wed, Apr 17, 2019 at 7:44 AM TurboChargedDad . <li...@gmail.com>
> wrote:
>
> >   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
> > the complexities that come with managing a JKS.  I want to hear all I can
> > on this subject.
> >
>

Re: Wildcard certificates

Posted by John Larsen <jo...@javapipe.com>.
We do the same - via mod_jk we utilize apache httpd to handle the SSL.
Keeps things simple and works well.
John Larsen

On Wed, Apr 17, 2019 at 7:44 AM TurboChargedDad . <li...@gmail.com>
wrote:

>   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
> the complexities that come with managing a JKS.  I want to hear all I can
> on this subject.
>

Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
I manage dozens of contexts/domains using loosely coupled code.

Chris - of course it's amazing.  I would also call it super and profound. :)

I am in the middle of some TI at our office today .. can't really stop
to do this.

I have the code used to identify and validate the certbot requests and
a few scripts that use the certbot to do the work.

Come to think of it,  my certs will need renewal soon.  I'll take a
pass over what I have and send it out after I renew .. thank you for
your patience.

John


On 4/17/19, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> To whom it may concern,
>
> On 4/17/19 10:22, TurboChargedDad . wrote:
>> I would have the opposite feeling.  I would not want a java process
>>  parked out in the internet.  Not saying you're wrong just my
>> personal feeling.
> It would be interesting to compare the number of remotely-exploitable
> vulnerabilities there have been in e.g. httpd versus e.g. Tomcat in a
> given period of time. My guess is that the Java-based servers have had
> a better track record. The difference is that typically if you own a
> web server, you just own the web server. But if you own an application
> server, you typically get access to lots of great stuff like the
> application's database.
>
>> Maybe things have shifted in a different direction over the year.
> Any particular year?
>
>> I do agree that something like that would be helpful to other
>> tomcat admins.  Would you consider putting it into github ?
> certbot does almost everything you need. There is also this:
> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf
>
> So unless John has done something truly amazing, maybe adding more
> tools to what MUST be a secure toolchain isn't a great move.
>
> - -chris
>
>> On Wed, Apr 17, 2019 at 9:18 AM John Dale <jc...@gmail.com>
>> wrote:
>>
>>> I have a really nice process that works great with certbot.
>>> Single command to renew all of my certs and I'm finished.
>>>
>>> I get some peace of mind having a Java process guarding the
>>> front door.  Seems to be more impervious to overflows.  What am I
>>> missing?
>>>
>>> I think what I have might be easily developed into something to
>>> help other Tomcat users.
>>>
>>> On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
>>>> We terminated SSL above the tomcat layer using NGINX or Apache
>>>> to avoid the complexities that come with managing a JKS.  I
>>>> want to hear all I can on this subject.
>>>>
>>>
>>


Re: Wildcard certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.

To whom it may concern,

On 4/17/19 10:22, TurboChargedDad . wrote:
> I would have the opposite feeling.  I would not want a java process
>  parked out in the internet.  Not saying you're wrong just my 
> personal feeling.
It would be interesting to compare the number of remotely-exploitable
vulnerabilities there have been in e.g. httpd versus e.g. Tomcat in a
given period of time. My guess is that the Java-based servers have had
a better track record. The difference is that typically if you own a
web server, you just own the web server. But if you own an application
server, you typically get access to lots of great stuff like the
application's database.

> Maybe things have shifted in a different direction over the year.
Any particular year?

> I do agree that something like that would be helpful to other
> tomcat admins.  Would you consider putting it into github ?
certbot does almost everything you need. There is also this:
https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf

So unless John has done something truly amazing, maybe adding more
tools to what MUST be a secure toolchain isn't a great move.

- -chris

> On Wed, Apr 17, 2019 at 9:18 AM John Dale <jc...@gmail.com>
> wrote:
> 
>> I have a really nice process that works great with certbot.
>> Single command to renew all of my certs and I'm finished.
>> 
>> I get some peace of mind having a Java process guarding the
>> front door.  Seems to be more impervious to overflows.  What am I
>> missing?
>> 
>> I think what I have might be easily developed into something to
>> help other Tomcat users.
>> 
>> On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
>>> We terminated SSL above the tomcat layer using NGINX or Apache
>>> to avoid the complexities that come with managing a JKS.  I
>>> want to hear all I can on this subject.
>>> 
>> 


Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
On 4/17/19, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> John,
>
> On 4/17/19 10:42, John Dale wrote:
>> My understanding is that the folks at SUN really put their backs
>> into it from the beginning:
>> https://stackoverflow.com/questions/479701/does-java-have-buffer-overflows
>>
>>  Since hot spot compilers have matured, Java is virtually as fast
>> as C/++ (the Java is slow argument falls on my deaf ears, even if
>> it is amazingly repeated still today by members of other
>> programming religions).
>
> Where it really sucks, though, is crypto. When JSSE decides to use
> hardware for crypto, things go really well. But it often does not make
> that decision due to a few bugs here and there that still appear to
> remain in the runtime.
>
> Tomcat benchmarks comparing JSSE versus OpenSSL are at least an order
> of magnitude different, sometimes two, in favor of OpenSSL.
>
> Have a look at any of the slides Jean-Frederic Clere has presented at
> any recent ApacheCon conferences and you can see his benchmarks
> comparing them.
>
> The good news is that Tomcat+OpenSSL is comparable to httpd+OpenSSL,
> so if you are able to use tcnative (required for OpenSSL use from
> Tomcat), then the performance argument is pretty much moot.
>
> I myself always front Tomcat with another web server, but that is for
> other reasons. Security and performance are nice-to-haves but aren't
> really justified IMHO. Flexibility is the primary reason I front my
> Tomcat instances with web servers. Tomcat doesn't make a great
> load-balancer.
>
> - -chris

You mean on its own without modification?  I think Tomcat makes a
great load balancer, but I had to write a little code.

HTTPD has a lot of plugins and add-ons and a history of integration
with lots of tools from firewall to email and beyond.  It's a crazy
piece of software that is very mature, but I found it to be overkill
for my purposes .. I just use LFD/CFS manually, and I will continue to
improve my DDOS and other exploit mitigation code.





Re: Wildcard certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.

John,

On 4/17/19 10:42, John Dale wrote:
> My understanding is that the folks at SUN really put their backs
> into it from the beginning: 
> https://stackoverflow.com/questions/479701/does-java-have-buffer-overflows
>
>  Since hot spot compilers have matured, Java is virtually as fast
> as C/++ (the Java is slow argument falls on my deaf ears, even if
> it is amazingly repeated still today by members of other
> programming religions).

Where it really sucks, though, is crypto. When JSSE decides to use
hardware for crypto, things go really well. But it often does not make
that decision due to a few bugs here and there that still appear to
remain in the runtime.

Tomcat benchmarks comparing JSSE versus OpenSSL are at least an order
of magnitude different, sometimes two, in favor of OpenSSL.

Have a look at any of the slides Jean-Frederic Clere has presented at
any recent ApacheCon conferences and you can see his benchmarks
comparing them.

The good news is that Tomcat+OpenSSL is comparable to httpd+OpenSSL,
so if you are able to use tcnative (required for OpenSSL use from
Tomcat), then the performance argument is pretty much moot.

I myself always front Tomcat with another web server, but that is for
other reasons. Security and performance are nice-to-haves but aren't
really justified IMHO. Flexibility is the primary reason I front my
Tomcat instances with web servers. Tomcat doesn't make a great
load-balancer.

- -chris


Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
My understanding is that the folks at SUN really put their backs into
it from the beginning:
https://stackoverflow.com/questions/479701/does-java-have-buffer-overflows

Since hot spot compilers have matured, Java is virtually as fast as
C/++ (the Java is slow argument falls on my deaf ears, even if it is
amazingly repeated still today by members of other programming
religions).

Other proxies/balancers also do threat mitigation (DDOS, flooding,
etc).  I have written some of my own code to deal with this .. because
of the way I handle data and MVC, I have a central place to park all
of the heuristics.  I bet these heuristics could become robust and
maintainable over time.

I would be happy to share (would need a little time to isolate and
deliver). I have always wondered how difficult it is to have
Apache/Tomcat evaluate new projects.  Part of  this certbot solution
requires providing some automated validation for the certbot CSA
agent.  This code can stand alone, but I have it integrated with some
other tools that have also proven helpful.  I wonder if I might
attract a sponsorship from someone within ASF for my project?

I call it DB2DOM.COM - it's a "pseudosingularity" because it is used
to extend and maintain itself.

Any ideas I'd love to hear them.

Have a good one,

John


On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
>   I would have the opposite feeling.  I would not want a java process
> parked out in the internet.  Not saying you're wrong just my personal
> feeling.  Maybe things have shifted in a different direction over the
> year.  I do agree that something like that would be helpful to other tomcat
> admins.  Would you consider putting it into github ?
>
> Thanks,
> J
>
> On Wed, Apr 17, 2019 at 9:18 AM John Dale <jc...@gmail.com> wrote:
>
>> I have a really nice process that works great with certbot.  Single
>> command to renew all of my certs and I'm finished.
>>
>> I get some peace of mind having a Java process guarding the front
>> door.  Seems to be more impervious to overflows.  What am I missing?
>>
>> I think what I have might be easily developed into something to help
>> other Tomcat users.
>>
>> On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
>> >   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
>> > the complexities that come with managing a JKS.  I want to hear all I can
>> > on this subject.
>> >
>>


Re: Wildcard certificates

Posted by "TurboChargedDad ." <li...@gmail.com>.
  I would have the opposite feeling.  I would not want a java process
parked out in the internet.  Not saying you're wrong just my personal
feeling.  Maybe things have shifted in a different direction over the
year.  I do agree that something like that would be helpful to other tomcat
admins.  Would you consider putting it into github ?

Thanks,
J

On Wed, Apr 17, 2019 at 9:18 AM John Dale <jc...@gmail.com> wrote:

> I have a really nice process that works great with certbot.  Single
> command to renew all of my certs and I'm finished.
>
> I get some peace of mind having a Java process guarding the front
> door.  Seems to be more impervious to overflows.  What am I missing?
>
> I think what I have might be easily developed into something to help
> other Tomcat users.
>
> On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
> >   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
> > the complexities that come with managing a JKS.  I want to hear all I can
> > on this subject.
> >
>

Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
I have a really nice process that works great with certbot.  Single
command to renew all of my certs and I'm finished.

I get some peace of mind having a Java process guarding the front
door.  Seems to be more impervious to overflows.  What am I missing?

I think what I have might be easily developed into something to help
other Tomcat users.

On 4/17/19, TurboChargedDad . <li...@gmail.com> wrote:
>   We terminated SSL above the tomcat layer using NGINX or Apache to avoid
> the complexities that come with managing a JKS.  I want to hear all I can
> on this subject.
>



Re: Wildcard certificates

Posted by John Dale <jc...@gmail.com>.
Exactly .. this is part of the solution.  I am having tomcat behave
smartly in response to the certificate validation, and I have a nice
path to develop some cool tools, similar to HTTPD, around certbot (I
love that this is a free service, but I do have some concerns over
centralized CSA, so I do other symmetric key encryption in other areas
to help me sleep at night).

On 4/17/19, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> To whom it may concern,
>
> On 4/17/19 09:44, TurboChargedDad . wrote:
>> We terminated SSL above the tomcat layer using NGINX or Apache to
>> avoid the complexities that come with managing a JKS.  I want to
>> hear all I can on this subject.
>
> It's not necessary to handle JKS files to use Tomcat for TLS termination.
>
> You can use PEM-encoded DER files (same as httpd, nginx, etc.) if you
> use any connector along with the OpenSSL engine.
>
> You can also use PKCS12 files (similar to JKS files, but much more
> standard) which openssl knows how to manipulate (as does Java's
> "keytool") with any JSSE-based crypto engine.
>
> - -chris


Re: Wildcard certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.

To whom it may concern,

On 4/17/19 09:44, TurboChargedDad . wrote:
> We terminated SSL above the tomcat layer using NGINX or Apache to
> avoid the complexities that come with managing a JKS.  I want to
> hear all I can on this subject.

It's not necessary to handle JKS files to use Tomcat for TLS termination.

You can use PEM-encoded DER files (same as httpd, nginx, etc.) if you
use any connector along with the OpenSSL engine.

You can also use PKCS12 files (similar to JKS files, but much more
standard) which openssl knows how to manipulate (as does Java's
"keytool") with any JSSE-based crypto engine.

- -chris


Re: Wildcard certificates

Posted by "TurboChargedDad ." <li...@gmail.com>.
  We terminated SSL above the tomcat layer using NGINX or Apache to avoid
the complexities that come with managing a JKS.  I want to hear all I can
on this subject.