Posted to users@tomcat.apache.org by Don Flinn <fl...@alum.mit.edu> on 2017/10/27 11:22:46 UTC

Am I reinventing the wheel to get letsencrypt certs for Tomcat

I am writing a Java program to get a certificate from letsencrypt, put it in
a keystore and ftp it to my Tomcat 9 or any version running on Amazon Web
Services or any place you can ftp to.  I intended to contribute it to
Tomcat users.  It's about 80% done. I am able to get the letsencrypt
certificate and do the ftping.  Recent mail indicates that this has
already been done.  If so, how can I get the existing code?  No sense
duplicating existing work.

Don

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Johan,

On 10/30/17 9:57 AM, Johan Compagner wrote:
>> 
>> 
>> How about this?
>> 
>> http://tomcat.apache.org/presentations.html
>> 
>> Search for "Let's Encrypt".
>> 
>> I haven't wired this into Tomcat 8.5 and Tomcat 9.0's capability
>> to re-load a keystore yet. I'm not sure there is JMX support for
>> that, yet, so that would be a prerequisite IMO.
> 
> Thx, you are doing almost the same as me (why do you use the
> keytool, you can use the p12file (openssl output file) directly,
> right? (at least I do that)

This was written to be used with Tomcat 8 with the Java-based
connectors and a Java keystore. If OpenSSL is being used, the PEM
files can be used directly. There are no scriptable tools I know of
that generate JKS files other than keytool.

Use of pkcs12 files is certainly possible. Oddly enough, there was a
bug recently with Tomcat where pkcs12 files specifically did not work
under certain circumstances. JKS files are certainly more popular than
pkcs12 files under Java, though that will finally (and thankfully) be
changing with Java 9.

> But using that jmx proxy servlet is a good one, will see if that
> works for me.

It does require the use of the Manager application, unless you want to
roll something yourself. Use of JMX locally will be required in either
case, unless you want to do something really nasty to reach into
Tomcat's internals to reload the keystore.

> The only thing left then is that "certbot-auto renew" should
> really give me some feedback that it really did renew. Else I
> constantly generate the p12file for tomcat and start/stop the
> connector. Maybe I can monitor the pem file that certbot will be
> touching if something did renew somehow.

This line of my script does roughly that:

if [ "${LE_BASE}/cert.pem" -nt "${CATALINA_BASE}/${HOSTNAME}.jks" ] ; then

It checks to see if the certificate is newer than the keystore, and
only re-builds the keystore and bounces Tomcat if it needs to happen.

I'm open to any suggestions to improve those scripts or the
presentation. I'm likely to give a similar presentation in the future,
and I'd be happy to incorporate some of your suggestions into it.

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Johan Compagner <jc...@servoy.com>.
>
>
> How about this?
>
> http://tomcat.apache.org/presentations.html
>
> Search for "Let's Encrypt".
>
> I haven't wired this into Tomcat 8.5 and Tomcat 9.0's capability to
> re-load a keystore yet. I'm not sure there is JMX support for that,
> yet, so that would be a prerequisite IMO.
>
> -



Thx, you are doing almost the same as me (why do you use the keytool, you
can use the p12file (openssl output file) directly, right?
(at least I do that)

But using that jmx proxy servlet is a good one, will see if that works for
me.

The only thing left then is that "certbot-auto renew" should really give
me some feedback that it really did renew.
Else I constantly generate the p12file for tomcat and start/stop the
connector.
Maybe I can monitor the pem file that certbot will be touching if something
did renew somehow.


-- 
Johan Compagner
Servoy

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Don,

On 10/27/17 7:22 AM, Don Flinn wrote:
> I am writing a Java program to get a certificate from letsencrypt
> put it in a keystore and ftp it to my Tomcat 9 or any version
> running on Amazon Web Services or any place you can ftp to.  I
> intended to contribute it to Tomcat users.  It's about 80% done. I
> am able to get the letsencrypt certificate and do the ftping.
> Recent mail indicates that this has already been done.  If so how
> can I get the existing code?  No sense duplicating existing work.

How about this?

http://tomcat.apache.org/presentations.html

Search for "Let's Encrypt".

I haven't wired this into Tomcat 8.5 and Tomcat 9.0's capability to
re-load a keystore yet. I'm not sure there is JMX support for that,
yet, so that would be a prerequisite IMO.

-chris


Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Don Flinn <fl...@alum.mit.edu>.
Hi Johan,

Thank you for the information.  A few things: I'm running Tomcat on a
Windows machine as a Windows server.  I'm not running as root, I was
talking about the ROOT directory under Tomcat's webapps directory.  So that
when letsencrypt logs into my domain/.well-known/acme-challenge, which is
where they are looking for the authentication token, they just retrieve the
authentication file.  I'll look at your approach using Windows.

Don

On Fri, Oct 27, 2017 at 10:37 AM, Johan Compagner <jc...@servoy.com>
wrote:

> On 27 October 2017 at 15:05, Don Flinn <fl...@alum.mit.edu> wrote:
>
> > Hi Andre,
> >
> > I have looked and it may be my ignorance but I didn't find any that
> > seemed to fit.  I'll look more closely at the available letsencrypt
> > clients.
> >
> > With letsencrypt you first have to authenticate, i.e. show you own the
> > site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
> > token.  Then the Java program can get the letsencrypt certificate.  There
> > are two different addresses: Tomcat on AWS and the node, which is running
> > the Java program.
> >
> > I've set Tomcat to listen on port 80 and put the directory structure they
> > want in Tomcat ROOT.  The Java program, running on my node, gets the
> > letsencrypt authentication token and ftp's it to Tomcat
> > ROOT/.well-known/acme-challenge, which is the directory structure they
> > expect. letsencrypt then authenticates the token which is in Tomcat, by
> > retrieving it.  The program lets letsencrypt know when the ftp is done.
> > The Java program then retrieves the certificate from letsencrypt, puts it
> > in a keystore, ftp's the keystore to AWS in the directory in which I've
> > set Tomcat to look for the keystore.  It's all done from the one Java
> > program, which I can run from my node.  I have yet to incorporate
> > programmatically inserting the certificate into the keystore.  All the
> > other steps are working.  It needs testing and doing the update of the
> > certificate, which is pretty much the same steps as already programmed.
> >
> > Don
> >
>
>
>
> I just set this up a few days ago.
>
> But all the current scripts out there are working for the most part.
> Also running tomcat at root is not a good idea, you can just use iptables
> for that:
>
> sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
>
> so when tomcat is running on port 8080 and 8440 with iptables you route
> those ports also to 80/443
>
> so no need to change anything in tomcat
>
> besides that I just use certbot-auto
>
> wget https://dl.eff.org/certbot-auto
> sudo chmod a+x certbot-auto
>
> sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d your.domain.com
>
>
> you have to have a ROOT webapp in tomcat for this and with certbot you just
> point to that tomcat/webapps/ROOT dir
>
> and the certificates are there.
>
>
> then the only thing to do left is to convert it and place it in the right
> folder (and I guess the first time you have to change also the owner/group
> because that file will be root:root)
>
>
> sudo openssl pkcs12 -export -out tomcat/conf/bundle.pfx \
>   -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
>   -in /etc/letsencrypt/live/your.domain.com/cert.pem \
>   -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
>   -password pass:apassword
>
>
> and you have your first certificate in a format tomcat/java understands
>
>
> then only a crontab under root:
>
>
> #!/bin/sh
> /home/ec2-user/certbot-auto renew
> openssl pkcs12 -export -out /tomcat/conf/bundle.pfx \
>   -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
>   -in /etc/letsencrypt/live/your.domain.com/cert.pem \
>   -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
>   -password pass:apassword
>
>
> and you are done
>
>
> The only thing that I need to investigate is to only call the openssl in
> the cron tab when certbot did renew and then also restart tomcat (as
> long as tomcat doesn't auto pick it up)
>

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Johan Compagner <jc...@servoy.com>.
On 27 October 2017 at 15:05, Don Flinn <fl...@alum.mit.edu> wrote:

> Hi Andre,
>
> I have looked and it may be my ignorance but I didn't find any that seemed
> to fit.  I'll look more closely at the available letsencrypt clients.
>
> With letsencrypt you first have to authenticate, i.e. show you own the
> site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
> token.  Then the Java program can get the letsencrypt certificate.  There
> are two different addresses: Tomcat on AWS and the node, which is running
> the Java program.
>
> I've set Tomcat to listen on port 80 and put the directory structure they
> want in Tomcat ROOT.  The Java program, running on my node, gets the
> letsencrypt authentication token and ftp's it to Tomcat
> ROOT/.well-known/acme-challenge, which is the directory structure they
> expect. letsencrypt then authenticates the token which is in Tomcat, by
> retrieving it.  The program lets letsencrypt know when the ftp is done.  The
> Java program then retrieves the certificate from letsencrypt, puts it in a
> keystore, ftp's the keystore to AWS in the directory in which I've set
> Tomcat to look for the keystore.  It's all done from the one Java program,
> which I can run from my node.  I have yet to incorporate programmatically
> inserting the certificate into the keystore.  All the other steps are
> working.  It needs testing and doing the update of the certificate, which
> is pretty much the same steps as already programmed.
>
> Don
>



I just set this up a few days ago.

But all the current scripts out there are working for the most part.
Also running tomcat at root is not a good idea, you can just use iptables
for that:

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

so when tomcat is running on port 8080 and 8440 with iptables you route
those ports also to 80/443

so no need to change anything in tomcat

besides that I just use certbot-auto

wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d your.domain.com


you have to have a ROOT webapp in tomcat for this and with certbot you just
point to that tomcat/webapps/ROOT dir

and the certificates are there.


then the only thing to do left is to convert it and place it in the right
folder (and I guess the first time you have to change also the owner/group
because that file will be root:root)


sudo openssl pkcs12 -export -out tomcat/conf/bundle.pfx \
  -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
  -in /etc/letsencrypt/live/your.domain.com/cert.pem \
  -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
  -password pass:apassword


and you have your first certificate in a format tomcat/java understands


then only a crontab under root:


#!/bin/sh
/home/ec2-user/certbot-auto renew
openssl pkcs12 -export -out /tomcat/conf/bundle.pfx \
  -inkey /etc/letsencrypt/live/your.domain.com/privkey.pem \
  -in /etc/letsencrypt/live/your.domain.com/cert.pem \
  -certfile /etc/letsencrypt/live/your.domain.com/chain.pem \
  -password pass:apassword


and you are done


The only thing that I need to investigate is to only call the openssl in
the cron tab when certbot did renew and then also restart tomcat (as
long as tomcat doesn't auto pick it up)
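The piece Johan says he still needs to investigate, running openssl and restarting Tomcat only after certbot actually renewed, is what Chris's "-nt" comparison earlier in the thread does. The script below is an added example, not a script from either poster: it takes Johan's cron job and gates the PKCS12 rebuild on cert.pem being newer than the bundle. The paths are Johan's; the password file, the tomcat:tomcat owner and the systemd unit name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the PKCS12 bundle and bounce
# Tomcat only when certbot has produced a newer cert.pem.
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/your.domain.com}"
BUNDLE="${BUNDLE:-/tomcat/conf/bundle.pfx}"
# The keystore password is read from a root-only file instead of being given as
# "-password pass:..." on the command line, where every local user can read it
# from the process list. Path is an assumption.
P12_PASS_FILE="${P12_PASS_FILE:-/etc/letsencrypt/tomcat-p12.pass}"
TOMCAT_OWNER="${TOMCAT_OWNER:-tomcat:tomcat}"   # assumed Tomcat user:group
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"      # assumed systemd unit name

# True (exit 0) when the bundle is missing or older than the certificate
# certbot wrote; this is the same test Chris uses against his .jks file.
needs_rebuild() {
    cert="$1"
    bundle="$2"
    [ ! -e "$bundle" ] || [ "$cert" -nt "$bundle" ]
}

# Build the bundle next to its final location, fix owner and mode while it is
# still the temp file, then rename it into place so Tomcat never reads a
# half-written keystore (this also fixes the root:root ownership Johan hit).
build_bundle() {
    live="$1"
    bundle="$2"
    tmp="${bundle}.tmp.$$"
    openssl pkcs12 -export -out "$tmp" \
        -inkey "${live}/privkey.pem" \
        -in "${live}/cert.pem" \
        -certfile "${live}/chain.pem" \
        -passout "file:${P12_PASS_FILE}"
    chown "$TOMCAT_OWNER" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$bundle"
}

main() {
    # certbot rewrites cert.pem only when a renewal actually took place, so the
    # mtime comparison below is the "did it renew" signal the thread asks for.
    /home/ec2-user/certbot-auto renew --quiet
    if needs_rebuild "${LE_LIVE}/cert.pem" "$BUNDLE"; then
        build_bundle "$LE_LIVE" "$BUNDLE"
        systemctl restart "$TOMCAT_SERVICE"
    fi
}

# Run the renewal only when invoked as: renew-tomcat-cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

If the openssl step fails, set -e aborts before the rename, the old bundle stays in place and cert.pem is still newer, so the next cron run retries the rebuild.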

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Don Flinn <fl...@alum.mit.edu>.
Hi Markus

I'm not familiar with the inner workings of Tomcat, but I just looked at
the source code distro and it seems to contain Java programs.  So maybe my
little effort may be of use.

Don

On Fri, Oct 27, 2017 at 10:11 AM, info@flyingfischer.ch <
info@flyingfischer.ch> wrote:

> Am 27.10.2017 um 15:29 schrieb André Warnier (tomcat):
> > On 27.10.2017 15:05, Don Flinn wrote:
> >> Hi Andre,
> >>
> >> I have looked and it may be my ignorance but I didn't find any that
> >> seemed
> >> to fit.  I'll look more closely at the available letsencrypt clients.
> >
> > It is certainly more my own ignorance, rather than yours. I was only
> > pointing out the obvious, since a fair number of people who post
> > questions here seem to not bother doing their own homework first, and
> > neglect obvious sources of information such as the WWW or the Tomcat FAQ.
> >
> > Your proposed solution below sounds very nice, and would certainly be
> > of immense help to SSL/HTTPS dummies such as myself.
> > I'm out of my depth already, but on this forum, Christopher may be the
> > person most able to provide thoughtful and competent comments
> > regarding such matters.
> > I guess he'll be in shortly, being on the same oceanic side as you are
> > (or seem to be; one never really knows these days).
>
> Let's Encrypt will roll out an ACME module for Apache httpd called mod_md:
>
> https://letsencrypt.org/2017/10/17/acme-support-in-apache-httpd.html
>
> It would be most interesting to have a similar functionality directly
> built into Tomcat, taking care of LE certs and their wildcard certs
> coming next year.
>
> Best regards
> Markus
>

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by "info@flyingfischer.ch" <in...@flyingfischer.ch>.
Am 27.10.2017 um 15:29 schrieb André Warnier (tomcat):
> On 27.10.2017 15:05, Don Flinn wrote:
>> Hi Andre,
>>
>> I have looked and it may be my ignorance but I didn't find any that
>> seemed
>> to fit.  I'll look more closely at the available letsencrypt clients.
>
> It is certainly more my own ignorance, rather than yours. I was only
> pointing out the obvious, since a fair number of people who post
> questions here seem to not bother doing their own homework first, and
> neglect obvious sources of information such as the WWW or the Tomcat FAQ.
>
> Your proposed solution below sounds very nice, and would certainly be
> of immense help to SSL/HTTPS dummies such as myself.
> I'm out of my depth already, but on this forum, Christopher may be the
> person most able to provide thoughtful and competent comments
> regarding such matters.
> I guess he'll be in shortly, being on the same oceanic side as you are
> (or seem to be; one never really knows these days).

Let's Encrypt will roll out an ACME module for Apache httpd called mod_md:

https://letsencrypt.org/2017/10/17/acme-support-in-apache-httpd.html

It would be most interesting to have a similar functionality directly
built into Tomcat, taking care of LE certs and their wildcard certs
coming next year.

Best regards
Markus


Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 27.10.2017 15:05, Don Flinn wrote:
> Hi Andre,
>
> I have looked and it may be my ignorance but I didn't find any that seemed
> to fit.  I'll look more closely at the available letsencrypt clients.

It is certainly more my own ignorance, rather than yours. I was only pointing
out the obvious, since a fair number of people who post questions here seem to
not bother doing their own homework first, and neglect obvious sources of
information such as the WWW or the Tomcat FAQ.

Your proposed solution below sounds very nice, and would certainly be of
immense help to SSL/HTTPS dummies such as myself.
I'm out of my depth already, but on this forum, Christopher may be the person
most able to provide thoughtful and competent comments regarding such matters.
I guess he'll be in shortly, being on the same oceanic side as you are (or seem
to be; one never really knows these days).

>
> With letsencrypt you first have to authenticate, i.e. show you own the
> site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
> token.  Then the Java program can get the letsencrypt certificate.  There
> are two different addresses: Tomcat on AWS and the node, which is running
> the Java program.
>
> I've set Tomcat to listen on port 80 and put the directory structure they
> want in Tomcat ROOT.  The Java program, running on my node, gets the
> letsencrypt authentication token and ftp's it to Tomcat
> ROOT/.well-known/acme-challenge, which is the directory structure they
> expect. letsencrypt then authenticates the token which is in Tomcat, by
> retrieving it.  The program lets letsencrypt know when the ftp is done.  The
> Java program then retrieves the certificate from letsencrypt, puts it in a
> keystore, ftp's the keystore to AWS in the directory in which I've set
> Tomcat to look for the keystore.  It's all done from the one Java program,
> which I can run from my node.  I have yet to incorporate programmatically
> inserting the certificate into the keystore.  All the other steps are
> working.  It needs testing and doing the update of the certificate, which
> is pretty much the same steps as already programmed.
>
> Don
>
> On Fri, Oct 27, 2017 at 7:26 AM, André Warnier (tomcat) <aw...@ice-sa.com>
> wrote:
>
>> On 27.10.2017 13:22, Don Flinn wrote:
>>
>>> I am writing a Java program to get a certificate from letsencrypt put it
>>> in
>>> a keystore and ftp it to my Tomcat 9 or any version running on Amazon Web
>>> Services or any place you can ftp to.  I intended to contribute it to
>>> Tomcat users.  It's about 80% done. I am able to get the letsencrypt
>>> certificate and do the ftping.   Recent mail indicates that this has
>>> already been done.  If so how can I get the existing code?  No sense
>>> duplicating existing work.
>>>
>> Indeed.
>> Searching Google for "tomcat letsencrypt" seems to get a number of hits.
>> Did you look at them?
>> (I haven't)
>>
>



Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Don Flinn <fl...@alum.mit.edu>.
Hi Andre,

I have looked and it may be my ignorance but I didn't find any that seemed
to fit.  I'll look more closely at the available letsencrypt clients.

With letsencrypt you first have to authenticate, i.e. show you own the
site, by letsencrypt logging into your site, e.g. Tomcat, and checking a
token.  Then the Java program can get the letsencrypt certificate.  There
are two different addresses: Tomcat on AWS and the node, which is running
the Java program.

I've set Tomcat to listen on port 80 and put the directory structure they
want in Tomcat ROOT.  The Java program, running on my node, gets the
letsencrypt authentication token and ftp's it to Tomcat
ROOT/.well-known/acme-challenge, which is the directory structure they
expect. letsencrypt then authenticates the token which is in Tomcat, by
retrieving it.  The program lets letsencrypt know when the ftp is done.  The
Java program then retrieves the certificate from letsencrypt, puts it in a
keystore, ftp's the keystore to AWS in the directory in which I've set
Tomcat to look for the keystore.  It's all done from the one Java program,
which I can run from my node.  I have yet to incorporate programmatically
inserting the certificate into the keystore.  All the other steps are
working.  It needs testing and doing the update of the certificate, which
is pretty much the same steps as already programmed.

Don

On Fri, Oct 27, 2017 at 7:26 AM, André Warnier (tomcat) <aw...@ice-sa.com>
wrote:

> On 27.10.2017 13:22, Don Flinn wrote:
>
>> I am writing a Java program to get a certificate from letsencrypt put it
>> in
>> a keystore and ftp it to my Tomcat 9 or any version running on Amazon Web
>> Services or any place you can ftp to.  I intended to contribute it to
>> Tomcat users.  It's about 80% done. I am able to get the letsencrypt
>> certificate and do the ftping.   Recent mail indicates that this has
>> already been done.  If so how can I get the existing code?  No sense
>> duplicating existing work.
>>
> Indeed.
> Searching Google for "tomcat letsencrypt" seems to get a number of hits.
> Did you look at them?
> (I haven't)
>

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 27.10.2017 13:22, Don Flinn wrote:
> I am writing a Java program to get a certificate from letsencrypt put it in
> a keystore and ftp it to my Tomcat 9 or any version running on Amazon Web
> Services or any place you can ftp to.  I intended to contribute it to
> Tomcat users.  It's about 80% done. I am able to get the letsencrypt
> certificate and do the ftping.   Recent mail indicates that this has
> already been done.  If so how can I get the existing code?  No sense
> duplicating existing work.
>
Indeed.
Searching Google for "tomcat letsencrypt" seems to get a number of hits.
Did you look at them?
(I haven't)


Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

Posted by Martynas Jusevičius <ma...@atomgraph.com>.
I think Tomcat 9 supports PEM files directly, but if you want to use PKCS12,
this might help:
https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh#L33

On Fri, Oct 27, 2017 at 1:22 PM, Don Flinn <fl...@alum.mit.edu> wrote:

> I am writing a Java program to get a certificate from letsencrypt put it in
> a keystore and ftp it to my Tomcat 9 or any version running on Amazon Web
> Services or any place you can ftp to.  I intended to contribute it to
> Tomcat users.  It's about 80% done. I am able to get the letsencrypt
> certificate and do the ftping.   Recent mail indicates that this has
> already been done.  If so how can I get the existing code?  No sense
> duplicating existing work.
>
> Don
>