On Sat, 19 Dec 2020 at 17:34, Mladen Adamović <mladen.adamo...@gmail.com> wrote:
> On Sat, Dec 19, 2020 at 5:06 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> > Code can likely be simplified but high level it is just about enabling
> > the letsencrypt http dance thanks to a valve and reloading the cert on
> > update.
> >
> > Note that an acme client is easy to recode to avoid any licensing work so
> > it would be a tomcat-letsencrypt module easily IMHO.
> >
>
> Thinking more about this problem... instead of this reload SSL
> configuration feature, we need fully integrated support for Letsencrypt.
>

+1

> On a side note, Tomcat might be lacking a command line manager utility;
> having manager running on a port sounds... like we are people who avoid a
> command line, no?
>

It moves the problem elsewhere: how would the CLI communicate with Tomcat?
JMX or HTTP uses a port, and file based communication would probably be
worse because of perms and other admin issues (and just not working in k8s).
Personally I think today it is not really an issue because typically it is
either automatic or it is not, due to the deployers/schedulers we use today
(k8s the first one).

> Although I managed my own way of integration, and wrote my own ACME client,
> I don't know yet what Tomcat needs to do to be fully Letsencrypt
> integrated.
>

I think what is in Meecrowave is more or less what is needed, except the
config which is not "tomcat spirit". Main issue is: will the well-known
folder be publicly available or hidden behind a proxy preventing the
integration from working? But I guess a default integration module can
assume it is available.

> Is there someone currently working on easy letsencrypt integration?
> If not, Romain (or others who are reading this thread), are there existing
> devs who want to do it?
> I'm ready to join, if someone wants the assistance, but it would probably
> be helpful not to duplicate efforts.
>

Not active but happy to help if needed.
In particular to get an HTTP lets encrypt client not using acme client (plain
java 11 client or even http url connection if java 8 is required for this
module).

> The question to project maintainers: would you be interested in reviewing
> that code for inclusion in the codebase?
> (I'm not sure yet how it goes, I'm new here. Certainly, the fact that I
> never contributed code to an open-source project which wasn't started by
> me doesn't help).
>

Side note: worst case it could fit a meecrowave module. Just means making an
abstract class and 2 subclasses with configuration 1. tomcat style 2.
meecrowave style. Just an idea but can be a home for that module if tomcat
is not.

> > > Ideally, users want Tomcat listed here: https://certbot.eff.org/ as a
> > > fully supported server.
> >
> > On Sat, 19 Dec 2020 at 15:24, Mladen Adamović <mladen.adamo...@gmail.com>
> > wrote:
> >
> > > On Sat, Dec 19, 2020 at 2:29 PM Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > > Why not use cron? You can do this with a single "curl" command and
> > > > the Manager+JMXProxyServlet.
> > >
> > > We are not using the Tomcat manager app.
> > >
> > > Why should someone be forced to use Manager, to read/setup the
> > > documentation regarding JMXProxyServlet, create an additional
> > > servlet (where does it have dependency on?) only to reload
> > > certificates automatically?
> > >
> > > I'm proposing a solution with the simple SSLHostConfig parameter. It's
> > > user friendly. Simple, intuitive.
> > > No need for using manager, no need to create a specific servlet
> > > somewhere in your code. Just a single server.xml argument.
> > >
> > > Also, *another idea*, I'm contributing this code (see below) we are
> > > using for the Letsencrypt ACME challenge.
> > > Tomcat could also have an option, i.e. in web.xml, to automatically
> > > support the Letsencrypt ACME challenge.
> > > Idea for web.xml:
> > >
> > >     <servlet>
> > >         <servlet-name>Letsencrypt-acme</servlet-name>
> > >         <servlet-class>org.apache.catalina.servlets.LetsencryptAcmeChallenge</servlet-class>
> > >         <init-param>
> > >             etc.
> > >     </servlet>
> > >
> > > We are using
> > >
> > >     import java.io.File;
> > >     import java.io.FileInputStream;
> > >     import java.io.IOException;
> > >     import java.io.OutputStream;
> > >     import javax.servlet.ServletException;
> > >     import javax.servlet.annotation.WebServlet;
> > >     import javax.servlet.http.HttpServlet;
> > >     import javax.servlet.http.HttpServletRequest;
> > >     import javax.servlet.http.HttpServletResponse;
> > >
> > >     @WebServlet(name = "LetsencryptAcmeChallenge", urlPatterns =
> > >             {"/.well-known/acme-challenge/*"})
> > >     public class LetsencryptAcmeChallenge extends HttpServlet {
> > >
> > >         /**
> > >          * Processes requests for both HTTP <code>GET</code> and
> > >          * <code>POST</code> methods.
> > >          *
> > >          * @param request servlet request
> > >          * @param response servlet response
> > >          * @throws ServletException if a servlet-specific error occurs
> > >          * @throws IOException if an I/O error occurs
> > >          */
> > >         protected void processRequest(HttpServletRequest request,
> > >                 HttpServletResponse response)
> > >                 throws ServletException, IOException {
> > >             String requestUrl = request.getRequestURL().toString();
> > >             if (requestUrl.contains(".well-known/acme-challenge/")) {
> > >                 // the challenge token is whatever follows the last "/"
> > >                 int indexFilename = requestUrl.lastIndexOf("/") + 1;
> > >                 boolean wasError = true;
> > >                 if (indexFilename > 0 && indexFilename < requestUrl.length()) {
> > >                     String filename = requestUrl.substring(indexFilename);
> > >                     File existingFile = new File(
> > >                             "/tmp/letsencrypt/public_html/.well-known/acme-challenge/"
> > >                             + filename);
> > >                     if (existingFile.exists()) {
> > >                         response.setContentType("text/plain");
> > >                         OutputStream out = response.getOutputStream();
> > >                         FileInputStream in = new FileInputStream(existingFile);
> > >                         FilesOperations.inputStreamToOutputStream(in, out);
> > >                         wasError = false;
> > >                     }
> > >                 }
> > >                 if (wasError) {
> > >                     throw new ServletException("invalid requestUrl " + requestUrl);
> > >                 }
> > >             }
> > >         }
> > >
> > >         // GET and POST both go through processRequest, as the Javadoc says
> > >         @Override
> > >         protected void doGet(HttpServletRequest request,
> > >                 HttpServletResponse response)
> > >                 throws ServletException, IOException {
> > >             processRequest(request, response);
> > >         }
> > >
> > >         @Override
> > >         protected void doPost(HttpServletRequest request,
> > >                 HttpServletResponse response)
> > >                 throws ServletException, IOException {
> > >             processRequest(request, response);
> > >         }
> > >     }
> > >
> > > from FilesOperations:
> > >
> > >     public static void inputStreamToOutputStream(InputStream in,
> > >             OutputStream out) throws IOException {
> > >         try {
> > >             byte[] buf = new byte[32 * 1024]; // 32K buffer
> > >             int bytesRead;
> > >             while ((bytesRead = in.read(buf)) != -1) {
> > >                 out.write(buf, 0, bytesRead);
> > >             }
> > >         } finally {
> > >             if (in != null) {
> > >                 in.close();
> > >                 out.close();
> > >             }
> > >         }
> > >     }
> > >
> > > > > *Long*:
> > > > > SSL certificates have a period of expiration and in the case of
> > > > > Letsencrypt, it's set to 3 months as they think everyone should
> > > > > have the renewal mechanism automatically.
> > > > >
> > > > > As Letsencrypt is the most popular SSL issuing authority (source:
> > > > > https://trends.builtwith.com/ssl/LetsEncrypt ), I think Tomcat
> > > > > should have an integration with Letsencrypt working flawlessly.
> > > > >
> > > > > We are currently using the script to renew the certificate (I can
> > > > > share our integration details with whoever is interested, please
> > > > > email me if you are interested), but it's restarting Tomcat.
> > > > >
> > > > > As Tomcat shall not be restarted ever (ideally), I think Tomcat
> > > > > should have an option to reload the certificate, without a
> > > > > dependency on Tomcat source code and "hacks" like some available on
> > > > > StackOverflow (
> > > > > https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates
> > > > > ).
> > > > > Those hacks are no good as:
> > > > > 1) code to reload the certificate should not run inside Java code,
> > > > > as letsencrypt is invoked through Linux
> > > > > 2) each application using that Stackoverflow hack has an additional
> > > > > compile and run dependency set to Tomcat (which is very bad).
> > > > >
> > > > > I have a proposal on how this should be fixed: Tomcat should have a
> > > > > server.xml option something like certificateReloadAfterDays or
> > > > > reloadAfterDays
> > > > >
> > > > > I see this is moved to SSLHostConfig, we are still using old
> > > > > params.
> > > > >
> > > > > Do you agree on this feature?
> > > > >
> > > > > If so... I'm not lazy to try to do it myself, but as I haven't
> > > > > ever written Tomcat code nor know the procedures (I have been
> > > > > coding professionally since 2006, but I never committed to a Maven
> > > > > or Git project before, lol), is there someone else who is keen on
> > > > > doing this feature?
> > > >
> > > > Have a look at this:
> > > > http://tomcat.apache.org/presentations.html#latest-lets-encrypt
> > > >
> > > > -chris