Posted to dev@tomcat.apache.org by Romain Manni-Bucau <rm...@gmail.com> on 2017/09/05 14:41:55 UTC

Re: Dynamic reloading of SSL certificates

Hello guys,

wonder if this thread went anywhere? Would be very neat to have a Let's
Encrypt integration (don't know if it would be a listener to declare to
have automatic reloading or just a flag on the SSL config but it would ease
deploying self-hosted instances).


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-01-23 23:18 GMT+01:00 Christopher Schultz <chris@christopherschultz.net>:

> Mark and Emmanuel,
>
> On 1/23/17 5:01 AM, Mark Thomas wrote:
> > On 23/01/2017 09:36, Emmanuel Bourg wrote:
> >> Hi all,
> >>
> >> With the fast adoption of Let's Encrypt many people are interested in
> >> integrating it with Tomcat. A first step was to ensure that Tomcat can
> >> directly use the PEM certificates generated by the letsencrypt/certbot
> >> client. An important aspect of Let's Encrypt is automation, the
> >> certificates are relatively short lived (90 days) and must be updated
> >> automatically. AFAIK there is no easy way yet to reload a connector in
> >> Tomcat to pick a new certificate. The administrator either has to
> >> restart Tomcat (bad in a production environment) or do some JMX tricks
> >> [1] (but JMX must be enabled and secured properly).
> >>
> >> I'm wondering if it would be possible for Tomcat to monitor the
> >> certificates/keystore files and reload the associated connectors
> >> automatically? If there is a consensus on this feature I'd be interested
> >> in implementing it.
> >
> > For background reading:
> >
> > http://tomcat.markmail.org/thread/fthbtwuozidno6lw
> >
> > http://tomcat.markmail.org/thread/753blzkslmifcvh4
>
> Yep. I'm also planning on giving a presentation about this exact topic
> at ApacheCon in Miami.
>
> -chris
>
>

Re: Dynamic reloading of SSL certificates

Posted by Mark Thomas <ma...@apache.org>.
On 30/06/18 16:27, Christopher Schultz wrote:
> On 6/29/18 5:06 PM, Mark Thomas wrote:

<snip/>

>> Ah! Those are only in 9.0.x. Are you looking at 8.5.x? It looks like a
>> back-port is required.
> 
> Yes, sorry, I am indeed looking at 8.5.x. Back-ports would be greatly
> appreciated.

Done.

> As for the methods in Protocol + Connector, I'm okay keeping them in the
> ProtocolHandler classes for the reasons you mention. The only problem is
> that nobody will ever guess to look there, so we have to find a way to
> document that in a way that will direct people to look there for the
> appropriate runtime-related methods.
> 
> I'll take a look at the users guide as I prep for my Let's Encrypt
> presentation for ApacheCon and hopefully make some improvements.

Sounds good.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Dynamic reloading of SSL certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/29/18 5:06 PM, Mark Thomas wrote:
> On 29/06/18 21:58, Christopher Schultz wrote:
>> On 6/27/18 4:59 PM, Mark Thomas wrote:
>>> On 27/06/18 17:21, Christopher Schultz wrote:
> 
> <snip/>
> 
>>>> any objection to taking this code and putting it into the
>>>> Connector under the public method reloadSSLHostConfig to make it (a)
>>>> accessible via JMX and (b) easy to access?
>>>
>>> Yes.
>>>
>>> The operations are already accessible via JMX on the ProtocolHandlers.
>>> As the refactoring has progressed there has been a steady shift away
>>> from duplicating attributes and methods between the Connector, Protocol
>>> and endpoint. I think there will always need to be some duplication but
>>> it has been trending downwards.
>>
>> The (somewhat related) operations I see on the ProtocolHandler are:
>>
>> findSslHostConfigs
>> addSslHostConfig
>>
>> Let's say I want to trigger a CRL or keystore reload via the
>> JMXProxyServlet. How would I go about doing that using the above
>> methods? Or am I missing something?
> 
> AbstractHttp11Protocol.reloadSslHostConfigs()
> AbstractHttp11Protocol.reloadSslHostConfig(String)
> 
> Ah! Those are only in 9.0.x. Are you looking at 8.5.x? It looks like a
> back-port is required.

Yes, sorry, I am indeed looking at 8.5.x. Back-ports would be greatly
appreciated.

As for the methods in Protocol + Connector, I'm okay keeping them in the
ProtocolHandler classes for the reasons you mention. The only problem is
that nobody will ever guess to look there, so we have to find a way to
document that in a way that will direct people to look there for the
appropriate runtime-related methods.

I'll take a look at the users guide as I prep for my Let's Encrypt
presentation for ApacheCon and hopefully make some improvements.

-chris


Re: Dynamic reloading of SSL certificates

Posted by Mark Thomas <ma...@apache.org>.
On 29/06/18 21:58, Christopher Schultz wrote:
> On 6/27/18 4:59 PM, Mark Thomas wrote:
>> On 27/06/18 17:21, Christopher Schultz wrote:

<snip/>

>>> any objection to taking this code and putting it into the
>>> Connector under the public method reloadSSLHostConfig to make it (a)
>>> accessible via JMX and (b) easy to access?
>>
>> Yes.
>>
>> The operations are already accessible via JMX on the ProtocolHandlers.
>> As the refactoring has progressed there has been a steady shift away
>> from duplicating attributes and methods between the Connector, Protocol
>> and endpoint. I think there will always need to be some duplication but
>> it has been trending downwards.
> 
> The (somewhat related) operations I see on the ProtocolHandler are:
> 
> findSslHostConfigs
> addSslHostConfig
> 
> Let's say I want to trigger a CRL or keystore reload via the
> JMXProxyServlet. How would I go about doing that using the above
> methods? Or am I missing something?

AbstractHttp11Protocol.reloadSslHostConfigs()
AbstractHttp11Protocol.reloadSslHostConfig(String)

Ah! Those are only in 9.0.x. Are you looking at 8.5.x? It looks like a
back-port is required.

Mark

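The operations Mark names above, reloadSslHostConfigs() and reloadSslHostConfig(String) on the ProtocolHandler, are the ones an operator would call after certbot drops a renewed PEM file. The following is an added example of driving them from a small JMX client, not code from this thread or from Tomcat itself. It assumes things the thread does not state: a JMX remote agent listening on localhost:9010 with password authentication, credentials supplied in the JMX_USER and JMX_PASSWORD environment variables, and an HTTPS connector on port 8443 whose ProtocolHandler MBean is registered as Catalina:type=ProtocolHandler,port=8443. Because the reload operations exist on 9.0.x and reach 8.5.x only through the back-port discussed here, the client inspects the MBean's operation list before invoking anything.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Triggers Tomcat's TLS configuration reload over JMX, for example from a
 * certbot deploy hook once the renewed certificate files are in place.
 *
 * Assumed (not taken from the thread): JMX remote agent on localhost:9010,
 * password authentication, HTTPS connector on port 8443 so that its
 * ProtocolHandler MBean is "Catalina:type=ProtocolHandler,port=8443".
 */
public class TomcatSslReload {

    public static void main(String[] args) throws Exception {
        String jmxHost = args.length > 0 ? args[0] : "localhost";
        int jmxPort = args.length > 1 ? Integer.parseInt(args[1]) : 9010;
        String connectorPort = args.length > 2 ? args[2] : "8443";
        // Optional: reload a single SSLHostConfig by host name instead of all of them.
        String tlsHostName = args.length > 3 ? args[3] : null;

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + jmxHost + ":" + jmxPort + "/jmxrmi");

        // JMX must be authenticated (the thread's own caveat); read the
        // credentials from the environment so they never appear in a process listing.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS,
                new String[] { System.getenv("JMX_USER"), System.getenv("JMX_PASSWORD") });

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            ObjectName handler = new ObjectName(
                    "Catalina:type=ProtocolHandler,port=" + connectorPort);

            // Older 8.5.x builds lack the reload operations; fail with a clear
            // message instead of an opaque ReflectionException.
            if (!hasOperation(conn, handler, "reloadSslHostConfigs")) {
                throw new IllegalStateException(
                        "reloadSslHostConfigs is not available on " + handler
                        + " (Tomcat 9.0.x or a back-ported 8.5.x is required)");
            }

            if (tlsHostName == null) {
                // Reload every SSLHostConfig on this connector.
                conn.invoke(handler, "reloadSslHostConfigs", new Object[0], new String[0]);
            } else {
                // Reload only the named SSLHostConfig (signature: String).
                conn.invoke(handler, "reloadSslHostConfig",
                        new Object[] { tlsHostName },
                        new String[] { String.class.getName() });
            }
            System.out.println("TLS configuration reloaded on " + handler);
        }
    }

    /** Returns true if the MBean exposes an operation with the given name. */
    static boolean hasOperation(MBeanServerConnection conn, ObjectName name, String op)
            throws Exception {
        return Arrays.stream(conn.getMBeanInfo(name).getOperations())
                .map(MBeanOperationInfo::getName)
                .anyMatch(op::equals);
    }
}
```

Run it after the renewal has been written to disk (for instance as the last step of a certbot deploy hook), passing the JMX host and port, the connector port and optionally the SSLHostConfig host name; the reload reads the certificate files that the connector is already configured with, so nothing in server.xml changes. A connector whose ProtocolHandler was registered with an address attribute carries that address in its ObjectName as well, so adjust the name accordingly in that case.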


Re: Dynamic reloading of SSL certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/27/18 4:59 PM, Mark Thomas wrote:
> On 27/06/18 17:21, Christopher Schultz wrote:
>> Romain,
>>
>> On 6/27/18 11:50 AM, Romain Manni-Bucau wrote:
>>> up? any hope we have live reloading of certs in tomcat?
>>
>> Yup. Recent versions allow you to reload the SSLHostConfigs.
>>
>> I was getting ready to update my presentation on Let's Encrypt,
>> actually, so this was a good nudge to actually do that.
>>
>> I thought the operation would be exposed via JMX, but it does not
>> appear to be so. It's in the Manager application.
>>
>> Have a look at what ManagerServlet.sslReload() does.
>>
>> markt,
> 
> Probably better to ask the dev list as a whole rather than just me. My
> view should carry the same weight as everyone else's.

Agreed. I just knew that you happened to have written this code and
maybe you'd say something like ...

>> any objection to taking this code and putting it into the
>> Connector under the public method reloadSSLHostConfig to make it (a)
>> accessible via JMX and (b) easy to access?
> 
> Yes.
> 
> The operations are already accessible via JMX on the ProtocolHandlers.
> As the refactoring has progressed there has been a steady shift away
> from duplicating attributes and methods between the Connector, Protocol
> and endpoint. I think there will always need to be some duplication but
> it has been trending downwards.

The (somewhat related) operations I see on the ProtocolHandler are:

findSslHostConfigs
addSslHostConfig

Let's say I want to trigger a CRL or keystore reload via the
JMXProxyServlet. How would I go about doing that using the above
methods? Or am I missing something?

-chris


Re: Dynamic reloading of SSL certificates

Posted by Mark Thomas <ma...@apache.org>.
On 27/06/18 17:21, Christopher Schultz wrote:
> Romain,
> 
> On 6/27/18 11:50 AM, Romain Manni-Bucau wrote:
>> up? any hope we have live reloading of certs in tomcat?
> 
> Yup. Recent versions allow you to reload the SSLHostConfigs.
> 
> I was getting ready to update my presentation on Let's Encrypt,
> actually, so this was a good nudge to actually do that.
> 
> I thought the operation would be exposed via JMX, but it does not
> appear to be so. It's in the Manager application.
> 
> Have a look at what ManagerServlet.sslReload() does.
> 
> markt,

Probably better to ask the dev list as a whole rather than just me. My
view should carry the same weight as everyone else's.

(OK, being pedantic the committers' views in theory carry more weight
because they can veto a change but in practice if anyone feels that
strongly about an issue then it probably needs more discussion.)

> any objection to taking this code and putting it into the
> Connector under the public method reloadSSLHostConfig to make it (a)
> accessible via JMX and (b) easy to access?

Yes.

The operations are already accessible via JMX on the ProtocolHandlers.
As the refactoring has progressed there has been a steady shift away
from duplicating attributes and methods between the Connector, Protocol
and endpoint. I think there will always need to be some duplication but
it has been trending downwards.

Mark



Re: Dynamic reloading of SSL certificates

Posted by Romain Manni-Bucau <rm...@gmail.com>.
+1 for connectors IMHO

On Wed, 27 Jun 2018 18:21, Christopher Schultz <chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Romain,
>
> On 6/27/18 11:50 AM, Romain Manni-Bucau wrote:
> > up? any hope we have live reloading of certs in tomcat?
>
> Yup. Recent versions allow you to reload the SSLHostConfigs.
>
> I was getting ready to update my presentation on Let's Encrypt,
> actually, so this was a good nudge to actually do that.
>
> I thought the operation would be exposed via JMX, but it does not
> appear to be so. It's in the Manager application.
>
> Have a look at what ManagerServlet.sslReload() does.
>
> markt, any objection to taking this code and putting it into the
> Connector under the public method reloadSSLHostConfig to make it (a)
> accessible via JMX and (b) easy to access?
>
> We have several options when it comes to JMX operations:
>
> 1. Connector
> 2. ProtocolHandler
> 3. SSLHostConfig
>
> #3 doesn't make much sense, since SSLHostConfigs are the ones that
> were loaded, and presumably will be replaced when a "reload" happens.
>
> #2 would work fine, except that:
>
> a. Everyone will look on the Connector first
> and
> b. The ProtocolHandler doesn't know if SSLEnabled=true on the connector
>
> So I think this is best done on the Connector.
>
> Any comments or suggestions?
>
> - -chris
>
> >
> > Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> |
> > Blog <https://rmannibucau.metawerx.net/> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github
> > <https://github.com/rmannibucau> | LinkedIn
> > <https://www.linkedin.com/in/rmannibucau> | Book
> > <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >
> >
> >
> > On Tue, 2 Jan 2018 at 17:00, Romain Manni-Bucau
> > <rm...@gmail.com> wrote:
> >
> >> Yes, if tomcat can support hot reloading of certs it is very
> >> feasible:
> >> https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java
> >>
> >>
> >>
> >>
> Romain Manni-Bucau
> >> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >> <https://rmannibucau.metawerx.net/> | Old Blog
> >> <http://rmannibucau.wordpress.com> | Github
> >> <https://github.com/rmannibucau> | LinkedIn
> >> <https://www.linkedin.com/in/rmannibucau>
> >>
> >> 2018-01-02 16:56 GMT+01:00 Emmanuel Bourg <eb...@apache.org>:
> >>
> >>> On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
> >>>> up?
> >>>
> >>> I haven't got much time to look into this yet. However since
> >>> Let's Encrypt client implementations in Java are starting to
> >>> appear [1] I wonder if the certificate renewal process could be
> >>> directly integrated into Tomcat instead of relying on an
> >>> external client such as certbot.
> >>>
> >>> Emmanuel Bourg
> >>>
> >>> [1] https://github.com/shred/acme4j
> >>>
> >>
> >>
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlszuY4ACgkQHPApP6U8
> pFgxRA//Zsf+/zHUtTx1bVLFtJM7pYSHbdxepQRTCnEN4IS5dAeBSx7zI7w/OSV/
> Dt3Fd8dglDrimoYNEt4EWCAo0HNJjJkEsW9UbJPx0riyHQjqW4/wrSFFoWyDLmUg
> IEalbxZ++9MYlIcRAVwJRQ4lfze9g+e1CmkEyN3j3CZuq7mQp+5U9EEX8QkuI3Ig
> cRZfjztWST6Nsec88Y08w7VE+HYvTDQGG/0rzaeeJrQJ7zANxy2YtyBujzCTV3LK
> 2wzOMrc63X4VMGISwbimhFWRwfzwkwYmUZXOhCa0OW5/Ob56x/LVYtlRykfQAYbT
> xTIyaY+hc3cdbbDNEWymef6FbILbA7lOUOy0qhH2Aiv47gPCTIYyvDkYPr+tjoYo
> 5F+gqfTmy3qfBOBbRpcWcC9ySu5CdGvwP9YIMY8Q6ko8y/ySw26CK2XQH8Nm4yca
> os0zhOu2GzI0P202yGVavoSjLYsdJxDHCIcIRLowbCVBnp6bY1kL/dgGtyQoC7oi
> K9Yoz9LmjDJC+DkLSidZEugyGRCihI5fEAH9f1ftSDoCjMeYUMJ5dcOeiU2Vu5Ix
> CyYmiIgIDeWOitJJOOV38ogdGo8pGWJvFWymOt41BROtiS7OOTnURcc3Nx65C5mE
> odkio+xWznTt09a4Fb4cE9s1CoUIZ79ZkjFf2L4PY+xc27T5xvs=
> =8dT7
> -----END PGP SIGNATURE-----
>
>
>

Re: Dynamic reloading of SSL certificates

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Romain,

On 6/27/18 11:50 AM, Romain Manni-Bucau wrote:
> up? any hope we have live reloading of certs in tomcat?

Yup. Recent versions allow you to reload the SSLHostConfigs.

I was getting ready to update my presentation on Let's Encrypt,
actually, so this was a good nudge to actually do that.

I thought the operation would be exposed via JMX, but it does not
appear to be so. It's in the Manager application.

Have a look at what ManagerServlet.sslReload() does.

markt, any objection to taking this code and putting it into the
Connector under the public method reloadSSLHostConfig to make it (a)
accessible via JMX and (b) easy to access?

We have several options when it comes to JMX operations:

1. Connector
2. ProtocolHandler
3. SSLHostConfig

#3 doesn't make much sense, since SSLHostConfigs are the ones that
were loaded, and presumably will be replaced when a "reload" happens.

#2 would work fine, except that:

a. Everyone will look on the Connector first
and
b. The ProtocolHandler doesn't know if SSLEnabled=true on the connector

So I think this is best done on the Connector.

Any comments or suggestions?

- -chris

> 
> Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> |
> Blog <https://rmannibucau.metawerx.net/> | Old Blog 
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> | LinkedIn
> <https://www.linkedin.com/in/rmannibucau> | Book 
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
> 
> 
> On Tue, 2 Jan 2018 at 17:00, Romain Manni-Bucau
> <rm...@gmail.com> wrote:
> 
>> Yes, if tomcat can support hot reloading of certs it is very
>> feasible:
>> https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java
>>
>>
>>
>> 
Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog 
>> <https://rmannibucau.metawerx.net/> | Old Blog 
>> <http://rmannibucau.wordpress.com> | Github 
>> <https://github.com/rmannibucau> | LinkedIn 
>> <https://www.linkedin.com/in/rmannibucau>
>> 
>> 2018-01-02 16:56 GMT+01:00 Emmanuel Bourg <eb...@apache.org>:
>> 
>>> On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
>>>> up?
>>> 
>>> I haven't got much time to look into this yet. However since
>>> Let's Encrypt client implementations in Java are starting to
>>> appear [1] I wonder if the certificate renewal process could be
>>> directly integrated into Tomcat instead of relying on an
>>> external client such as certbot.
>>> 
>>> Emmanuel Bourg
>>> 
>>> [1] https://github.com/shred/acme4j
>>> 
>> 
>> 
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlszuY4ACgkQHPApP6U8
pFgxRA//Zsf+/zHUtTx1bVLFtJM7pYSHbdxepQRTCnEN4IS5dAeBSx7zI7w/OSV/
Dt3Fd8dglDrimoYNEt4EWCAo0HNJjJkEsW9UbJPx0riyHQjqW4/wrSFFoWyDLmUg
IEalbxZ++9MYlIcRAVwJRQ4lfze9g+e1CmkEyN3j3CZuq7mQp+5U9EEX8QkuI3Ig
cRZfjztWST6Nsec88Y08w7VE+HYvTDQGG/0rzaeeJrQJ7zANxy2YtyBujzCTV3LK
2wzOMrc63X4VMGISwbimhFWRwfzwkwYmUZXOhCa0OW5/Ob56x/LVYtlRykfQAYbT
xTIyaY+hc3cdbbDNEWymef6FbILbA7lOUOy0qhH2Aiv47gPCTIYyvDkYPr+tjoYo
5F+gqfTmy3qfBOBbRpcWcC9ySu5CdGvwP9YIMY8Q6ko8y/ySw26CK2XQH8Nm4yca
os0zhOu2GzI0P202yGVavoSjLYsdJxDHCIcIRLowbCVBnp6bY1kL/dgGtyQoC7oi
K9Yoz9LmjDJC+DkLSidZEugyGRCihI5fEAH9f1ftSDoCjMeYUMJ5dcOeiU2Vu5Ix
CyYmiIgIDeWOitJJOOV38ogdGo8pGWJvFWymOt41BROtiS7OOTnURcc3Nx65C5mE
odkio+xWznTt09a4Fb4cE9s1CoUIZ79ZkjFf2L4PY+xc27T5xvs=
=8dT7
-----END PGP SIGNATURE-----



Re: Dynamic reloading of SSL certificates

Posted by Romain Manni-Bucau <rm...@gmail.com>.
up? any hope we have live reloading of certs in tomcat?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Tue, 2 Jan 2018 at 17:00, Romain Manni-Bucau <rm...@gmail.com> wrote:

> Yes, if tomcat can support hot reloading of certs it is very feasible:
> https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> | LinkedIn
> <https://www.linkedin.com/in/rmannibucau>
>
> 2018-01-02 16:56 GMT+01:00 Emmanuel Bourg <eb...@apache.org>:
>
>> On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
>> > up?
>>
>> I haven't got much time to look into this yet. However since Let's
>> Encrypt client implementations in Java are starting to appear [1] I
>> wonder if the certificate renewal process could be directly integrated
>> into Tomcat instead of relying on an external client such as certbot.
>>
>> Emmanuel Bourg
>>
>> [1] https://github.com/shred/acme4j
>>
>
>

Re: Dynamic reloading of SSL certificates

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Yes, if tomcat can support hot reloading of certs it is very feasible:
https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau>

2018-01-02 16:56 GMT+01:00 Emmanuel Bourg <eb...@apache.org>:

> On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
> > up?
>
> I haven't got much time to look into this yet. However since Let's
> Encrypt client implementations in Java are starting to appear [1] I
> wonder if the certificate renewal process could be directly integrated
> into Tomcat instead of relying on an external client such as certbot.
>
> Emmanuel Bourg
>
> [1] https://github.com/shred/acme4j
>

Re: Dynamic reloading of SSL certificates

Posted by Emmanuel Bourg <eb...@apache.org>.
On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
> up?

I haven't got much time to look into this yet. However since Let's
Encrypt client implementations in Java are starting to appear [1] I
wonder if the certificate renewal process could be directly integrated
into Tomcat instead of relying on an external client such as certbot.

Emmanuel Bourg

[1] https://github.com/shred/acme4j



Re: Dynamic reloading of SSL certificates

Posted by Romain Manni-Bucau <rm...@gmail.com>.
up?


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau>

2017-09-05 16:41 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:

> Hello guys,
>
> wonder if this thread went anywhere? Would be very neat to have a Let's
> Encrypt integration (don't know if it would be a listener to declare to
> have automatic reloading or just a flag on the SSL config but it would ease
> deploying self-hosted instances).
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> | LinkedIn
> <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-01-23 23:18 GMT+01:00 Christopher Schultz <
> chris@christopherschultz.net>:
>
>> Mark and Emmanuel,
>>
>> On 1/23/17 5:01 AM, Mark Thomas wrote:
>> > On 23/01/2017 09:36, Emmanuel Bourg wrote:
>> >> Hi all,
>> >>
>> >> With the fast adoption of Let's Encrypt many people are interested in
>> >> integrating it with Tomcat. A first step was to ensure that Tomcat can
>> >> directly use the PEM certificates generated by the letsencrypt/certbot
>> >> client. An important aspect of Let's Encrypt is automation, the
>> >> certificates are relatively short lived (90 days) and must be updated
>> >> automatically. AFAIK there is no easy way yet to reload a connector in
>> >> Tomcat to pick a new certificate. The administrator either has to
>> >> restart Tomcat (bad in a production environment) or do some JMX tricks
>> >> [1] (but JMX must be enabled and secured properly).
>> >>
>> >> I'm wondering if it would be possible for Tomcat to monitor the
>> >> certificates/keystore files and reload the associated connectors
>> >> automatically? If there is a consensus on this feature I'd be
>> interested
>> >> in implementing it.
>> >
>> > For background reading:
>> >
>> > http://tomcat.markmail.org/thread/fthbtwuozidno6lw
>> >
>> > http://tomcat.markmail.org/thread/753blzkslmifcvh4
>>
>> Yep. I'm also planning on giving a presentation about this exact topic
>> at ApacheCon in Miami.
>>
>> -chris
>>
>>
>