Posted to users@tomcat.apache.org by Jerry Lin <je...@lincircle.com> on 2024/03/10 17:39:39 UTC
how to reload SSL certificates without restarting Tomcat
Hello,
For those of us with a publicly accessible instance of Tomcat (e.g. not
behind Apache), is there a good way of having a renewed SSL/HTTPS
certificate take effect without restarting Tomcat?
Thank you,
Jerry
Re: how to reload SSL certificates without restarting Tomcat
Posted by Chuck Caldarale <n8...@gmail.com>.
> On Mar 10, 2024, at 15:00, Jerry Lin <je...@lincircle.com> wrote:
>
> Hi Chuck,
>
>> Presumably, you mean “not behind https”, since “Apache” refers to the
>> organization that develops and maintains a plethora of software products.
>>
>
Spell checker got me - I meant “httpd”, not “https”.
- Chuck
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: how to reload SSL certificates without restarting Tomcat
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jerry,
On 3/11/24 14:51, Jerry Lin wrote:
> Hi Chris,
>
>> There is also this:
>> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>>
>> It's very LE-focused, but it shows you how to programmatically trigger a
>> reload.
>>
>
> Thanks for your presentation and script. We are using Let's Encrypt, so
> your material is quite relevant.
If I were to present that material today, it would be a lot shorter. In
fact, I was asked last-minute to fill-in for a missing speaker in
Halifax and I updated that presentation a bit and made it more of a
conversation with the audience.
I hadn't included anything about the automatic-update feature Tomcat has
added since the previous staging of that presentation and afterwards I
went in and removed something like 40% of the material in the presentation.
So it's all perfectly valid, but it's even easier to use LE with Tomcat,
now.
-chris
Re: how to reload SSL certificates without restarting Tomcat
Posted by Jerry Lin <je...@lincircle.com>.
Hi Chris,
> There is also this:
> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>
> It's very LE-focused, but it shows you how to programmatically trigger a
> reload.
>
Thanks for your presentation and script. We are using Let's Encrypt, so
your material is quite relevant.
Jerry
Re: how to reload SSL certificates without restarting Tomcat
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jerry,
On 3/10/24 16:00, Jerry Lin wrote:
> Hi Chuck,
>
>> Presumably, you mean “not behind https”, since “Apache” refers to the
>> organization that develops and maintains a plethora of software products.
>>
>
> Yes, “not behind https” (I meant not behind an Apache HTTP server)
>
>
>> you can configure the TLS config listener:
>>
>>
>> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
>
>
> Great, thanks! This is what I was looking for.
There is also this:
https://tomcat.apache.org/presentations.html#latest-lets-encrypt
It's very LE-focused, but it shows you how to programmatically trigger a
reload.
Chuck's reference to the auto-reloading is even better if you don't mind
the background process checking for you, instead of
proactively-triggering the reload.
-chris
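The "programmatically trigger a reload" route Chris mentions can be wired into the renewal tooling itself. The script below is an example added here, not the script from the presentation and not part of Tomcat: a certbot deploy hook that copies the renewed PEM files into the directory the connector reads and then invokes the `reloadSslHostConfigs` operation on the connector's `ProtocolHandler` MBean through the manager webapp's JMXProxyServlet. Assumptions: the manager webapp is deployed, `MANAGER_USER` has the `manager-jmx` role, the HTTPS connector listens on 8443, and the target directory `/opt/tomcat/conf/certs` is a hypothetical path.

```shell
#!/bin/sh
# Example certbot deploy hook (added example, not the thread's or Tomcat's own code).
# certbot exports RENEWED_LINEAGE (the directory holding the fresh cert.pem,
# chain.pem and privkey.pem) when it runs a --deploy-hook.
set -eu

MANAGER_URL="${MANAGER_URL:-http://localhost:8080/manager/jmxproxy/}"
HTTPS_PORT="${HTTPS_PORT:-8443}"
TOMCAT_CERT_DIR="${TOMCAT_CERT_DIR:-/opt/tomcat/conf/certs}"   # hypothetical path

# Build the JMXProxyServlet URL that invokes reloadSslHostConfigs on the
# ProtocolHandler MBean of the connector bound to the given port.
reload_url() {
    printf '%s?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfigs' \
        "$MANAGER_URL" "$1"
}

# The JMXProxyServlet answers with a body starting "OK - " when the operation
# ran and "Error - " otherwise; the HTTP status is 200 in both cases, so the
# body, not the status, decides success.
reload_succeeded() {
    case "$1" in
        OK\ -*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Copy the renewed files in place; the private key stays readable only by the
# Tomcat user. Paths match a certbot lineage directory.
install_renewed_cert() {
    lineage="$1"
    install -m 0640 "$lineage/cert.pem"    "$TOMCAT_CERT_DIR/cert.pem"
    install -m 0640 "$lineage/chain.pem"   "$TOMCAT_CERT_DIR/chain.pem"
    install -m 0600 "$lineage/privkey.pem" "$TOMCAT_CERT_DIR/privkey.pem"
}

# Only act when invoked by certbot; sourcing the file elsewhere just defines
# the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE"
    response=$(curl -sS -u "$MANAGER_USER:$MANAGER_PASS" "$(reload_url "$HTTPS_PORT")")
    reload_succeeded "$response" || { echo "TLS reload failed: $response" >&2; exit 1; }
    echo "TLS configuration reloaded on port $HTTPS_PORT"
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it in `renewal-hooks/deploy`). Because the reload rereads the files named in the `SSLHostConfig`, the copy must finish before the JMX call; the hook orders the two steps for that reason. Keep the manager webapp bound to localhost or otherwise restricted, since the same servlet can invoke any exposed MBean operation.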
Re: how to reload SSL certificates without restarting Tomcat
Posted by Jerry Lin <je...@lincircle.com>.
Hi Chuck,
> Presumably, you mean “not behind https”, since “Apache” refers to the
> organization that develops and maintains a plethora of software products.
>
Yes, “not behind https” (I meant not behind an Apache HTTP server)
> you can configure the TLS config listener:
>
>
> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
Great, thanks! This is what I was looking for.
Regards,
Jerry
Re: how to reload SSL certificates without restarting Tomcat
Posted by Chuck Caldarale <n8...@gmail.com>.
> On Mar 10, 2024, at 12:39, Jerry Lin <je...@lincircle.com> wrote:
>
> For those of us with a publicly accessible instance of Tomcat (e.g. not
> behind Apache), is there a good way of having a renewed SSL/HTTPS
> certificate take effect without restarting Tomcat?
Presumably, you mean “not behind https”, since “Apache” refers to the organization that develops and maintains a plethora of software products.
If you’re running on a supported version of Tomcat (you didn’t tell us what level you’re using), you can configure the TLS config listener:
https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
https://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
- Chuck
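What the listener Chuck links to looks like in practice, as an example added here rather than a server.xml from the thread or from the Tomcat distribution: the `TLSCertificateReloadListener` is declared at `Server` level and, every `checkPeriod` seconds, inspects the certificates each `SSLHostConfig` has loaded; when one is within `daysBefore` days of its `notAfter` date it reloads that TLS configuration from disk. The file paths, the 8443 port and the attribute values are assumptions chosen for illustration (the defaults documented for the listener are a 24-hour check period and 14 days).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Tomcat's shipped server.xml. Paths and port are assumptions. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Check once an hour; reload a host's TLS config when its certificate
       expires within 14 days. The renewed PEM files must already be in
       place by then, so daysBefore has to be shorter than the margin the
       renewal tooling works with. -->
  <Listener className="org.apache.catalina.security.TLSCertificateReloadListener"
            checkPeriod="3600"
            daysBefore="14" />

  <Service name="Catalina">
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150">
      <SSLHostConfig>
        <!-- Relative paths resolve against CATALINA_BASE. Renewal tooling
             overwrites these files in place; the reload rereads them. -->
        <Certificate certificateFile="conf/certs/cert.pem"
                     certificateChainFile="conf/certs/chain.pem"
                     certificateKeyFile="conf/certs/privkey.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

The ordering matters for the automatic path: Let's Encrypt clients such as certbot renew about 30 days before expiry, so a `daysBefore` of 14 leaves roughly two weeks between the new file landing on disk and the listener picking it up. If the renewal job fails, the listener still reloads the old file and the certificate expires as it would have anyway, so expiry monitoring stays necessary.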
Re: how to reload SSL certificates without restarting Tomcat
Posted by a....@bluewin.ch.
I would have several parallel productive instances, and renew them in sequence to be always online -> no connection with the customer will be interrupted.
Best
Alex
-----Original Message-----
From: Jerry Lin <je...@lincircle.com>
Sent: Sunday, 10 March 2024 18:40
To: users@tomcat.apache.org
Subject: how to reload SSL certificates without restarting Tomcat
Hello,
For those of us with a publicly accessible instance of Tomcat (e.g. not behind Apache), is there a good way of having a renewed SSL/HTTPS certificate take effect without restarting Tomcat?
Thank you,
Jerry