On 26 October 2017 14:36:03 BST, Christopher Schultz <ch...@christopherschultz.net> wrote:
>Mark,
>
>On 10/26/17 8:54 AM, Mark Thomas wrote:
>> On 26/10/2017 09:31, Johan Compagner wrote:
>>> Hi,
>>>
>>> Now with Let's Encrypt it's easy (and free) to get HTTPS up and
>>> running even if you just use Tomcat. But the problem is that those
>>> certificates must be renewed every 3 months. This is easy to do in
>>> a crontab script (that does the renewal and makes a Java keystore
>>> again), so I can generate the pfx constantly just fine.
>>>
>>> But does Tomcat monitor that file for changes, and will it then
>>> use the new one without restarting the whole server?
>>
>> Currently, no.
>>
>> We have just added the ability to 9.0.x and 8.5.x to reload the
>> certificate file on the fly.
>
>Can you point me to some specific commits that implement that? I've
>been dragging my feet on the work to reload *everything*, and if the
>cert-reloading has already been done, then it seems that most -- if
>not all -- of the work I expected to do is already done.
http://svn.apache.org/viewvc?view=revision&revision=1808482

Mark

>One of the reasons I hadn't done it yet was because I wasn't sure
>about which of the many Tomcat components should warehouse that
>code... there are so many layers and I don't understand exactly which
>ones are responsible for what things.
>
>Do these patches include replacing the SSLContext, or only the key
>material that is being used for the handshake for an existing
>SSLContext?

It provides a new SSLContext that will be used for all new connections.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
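As an added example (not part of the thread above, and not Tomcat's or Let's Encrypt's own code), here is the kind of crontab/deploy-hook script Johan describes, written so that it fits the reload mechanism Mark refers to: it rebuilds a PKCS12 keystore from the renewed PEM files, checks that the new store actually opens before it replaces the live one, and then asks Tomcat to build a new SSLContext without a restart. Everything configurable in it is an assumption for the example: the keystore path and password (they must match `certificateKeystoreFile` / `certificateKeystorePassword` on the connector's `<Certificate>` element), the manager URL and credentials (the JMX proxy needs a user with the `manager-jmx` role), and the MBean name `Catalina:type=ProtocolHandler,port=8443` with the operation `reloadSslHostConfigs`, which I take to be the JMX face of the reload added in the referenced commit; confirm both against your own instance before relying on them (see the usage note).

```shell
#!/bin/sh
# Hypothetical certbot deploy hook for Tomcat 8.5/9.0 (example code, not from the
# thread and not part of Tomcat): rebuild the PKCS12 store from the renewed PEM
# files, check it opens, then ask Tomcat to reload its TLS configuration.
# Invoke as:  certbot renew --deploy-hook '/opt/tomcat/bin/tls-deploy-hook.sh deploy'
set -eu

# Every path, name and credential below is an assumption for the example.
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/letsencrypt.p12}"   # = certificateKeystoreFile
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"                  # = certificateKeystorePassword
MANAGER_URL="${MANAGER_URL:-http://127.0.0.1:8080/manager/jmxproxy/}"
MANAGER_CREDS="${MANAGER_CREDS:-jmxuser:secret}"            # a user with the manager-jmx role
TOMCAT_USER="${TOMCAT_USER:-}"                              # chown target when run as root
# Assumed MBean/operation; add ,address="..." if the connector binds a specific address.
TLS_MBEAN="${TLS_MBEAN:-Catalina:type=ProtocolHandler,port=8443}"
TLS_OP="reloadSslHostConfigs"

# make_pkcs12 KEY FULLCHAIN OUT PASSWORD
# Packs the private key plus the full chain into a PKCS12 file. It is written
# under a temporary name and renamed, so no reader ever sees a partial file.
make_pkcs12() {
  key=$1; chain=$2; out=$3; pass=$4
  tmp="$(dirname "$out")/.$(basename "$out").tmp.$$"
  # Subshell so umask 077 (owner-only mode for key material) does not leak to the caller.
  # The password is fed on fd 3 instead of the command line, keeping it out of `ps`.
  (
    umask 077
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name tomcat \
        -out "$tmp" -passout fd:3 3<<EOF
$pass
EOF
  )
  mv -f "$tmp" "$out"
}

# verify_pkcs12 FILE PASSWORD
# Succeeds only if the store opens with that password and yields a certificate;
# a broken store must never be renamed over the one Tomcat is serving with.
verify_pkcs12() {
  openssl pkcs12 -in "$1" -nokeys -passin fd:3 2>/dev/null 3<<EOF | openssl x509 -noout -subject >/dev/null 2>&1
$2
EOF
}

# reload_tomcat_tls
# Invokes the reload operation through the manager webapp's JMX proxy. The proxy
# answers HTTP 200 even when the invocation fails, so the body is checked for "OK".
reload_tomcat_tls() {
  curl -fsS -u "$MANAGER_CREDS" -G "$MANAGER_URL" \
       --data-urlencode "invoke=$TLS_MBEAN" \
       --data-urlencode "op=$TLS_OP" \
  | grep -q '^OK'
}

main() {
  # certbot exports RENEWED_LINEAGE to deploy hooks; the fallback path is an assumption.
  lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/example.com}"
  staged="$KEYSTORE.new"
  make_pkcs12 "$lineage/privkey.pem" "$lineage/fullchain.pem" "$staged" "$KEYSTORE_PASS"
  verify_pkcs12 "$staged" "$KEYSTORE_PASS"      # set -e aborts here if the store is bad
  if [ -n "$TOMCAT_USER" ]; then chown "$TOMCAT_USER" "$staged"; fi
  mv -f "$staged" "$KEYSTORE"                   # atomic swap of the live store
  reload_tomcat_tls
  echo "reloaded TLS configuration from $KEYSTORE"
}

case "${1:-}" in
  deploy) main ;;
esac
```

Two things to check before using it. First, list the connector MBeans on your instance with `/manager/jmxproxy/?qry=Catalina:type=ProtocolHandler,*` and copy the exact name into `TLS_MBEAN`; the proxy's reply to the `invoke=` call shows whether the operation exists on your Tomcat version. Second, OpenSSL 3 writes PKCS12 files with AES-256-CBC/PBKDF2 by default, which older JDK releases cannot read; if Tomcat logs a keystore error after the swap, check the JDK version before suspecting the script. Tomcat 8.5 and later can also point `certificateFile`, `certificateKeyFile` and `certificateChainFile` straight at the PEM files, in which case the conversion step disappears and only the verification and reload remain.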