Mark,

On 10/26/17 8:54 AM, Mark Thomas wrote:
> On 26/10/2017 09:31, Johan Compagner wrote:
>> Hi,
>>
>> now with LetsCrypt it's easy (and free) to get https up and
>> running even if you just use Tomcat. But the problem is those
>> certificates must be renewed every 3 months. This is easy to do in
>> a crontab script (that does the renew and makes a java keystore
>> again). So I can generate the pfx constantly just fine.
>>
>> But does Tomcat monitor that file for changes and will it then
>> use the new one without restarting the whole server?
>
> Currently, no.
>
> We have just added the ability to 9.0.x and 8.5.x to reload the
> certificate file on the fly.

Can you point me to some specific commits that implement that? I've been dragging my feet on the work to reload *everything* and if the cert-reloading has already been done, then it seems that most -- if not all -- the work I expected to do is already done.

One of the reasons I hadn't done it yet was because I wasn't sure about which of the many Tomcat components should warehouse that code... there are so many layers and I don't understand exactly which ones are responsible for what things.

Do these patches include replacing the SSLContext, or only the key material that is being used for the handshake for an existing SSLContext?

> It should be relatively easy to add a component that watches for
> changes to the cert file (or any of the other files) and trigger a
> reload as required. I suggest opening an enhancement request in
> Bugzilla.

+1

> Whether it is a whole new component or just something that gets
> added to the existing background processing framework for an
> existing component is TBD.
>
> If you'd like to work on a patch to implement this, pop over to the
> dev list and we'll point you in the right direction.

-chris
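
The component suggested in the thread, one that watches the certificate file and triggers a reload, as an added example; it is not code from Tomcat or from anyone in this thread. `KeystoreWatcher` and its `reload` callback are hypothetical names, the keystore is assumed to be PKCS#12 (the pfx from the renewal script), and the caller is assumed to invoke `poll()` periodically and to wire `reload` to whatever reload mechanism the server offers.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/** Hypothetical helper (not Tomcat code): polls a PKCS#12 file, validates it, then triggers a reload. */
public class KeystoreWatcher {
    private final Path file;
    private final char[] password;
    private final Runnable reload; // assumption: the caller wires this to the server's TLS reload
    private byte[] lastDigest;

    public KeystoreWatcher(Path file, char[] password, Runnable reload) throws Exception {
        this.file = file;
        this.password = password;
        this.reload = reload;
        this.lastDigest = sha256(Files.readAllBytes(file)); // baseline: what is already being served
    }

    private static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Returns true only if the file changed, parsed, held a currently valid cert, and reload ran. */
    public synchronized boolean poll() {
        try {
            byte[] bytes = Files.readAllBytes(file); // read once so digest and validation see the same data
            byte[] digest = sha256(bytes);
            if (Arrays.equals(digest, lastDigest)) return false;
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(bytes), password); // throws on truncated file or wrong password
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) ((X509Certificate) c).checkValidity(); // expired or not yet valid
            }
            reload.run();
            lastDigest = digest; // remember only after success, so a failed reload is retried on the next poll
            return true;
        } catch (Exception e) {
            System.err.println("keystore left unchanged in service: " + e);
            return false;
        }
    }
}
```

The callback still causes the file to be re-read from disk, so the renewal job should write the new keystore under a temporary name and rename it into place rather than overwriting it.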