Johan,

On 10/30/17 9:57 AM, Johan Compagner wrote:
>> 
>> 
>> How about this?
>> 
>> http://tomcat.apache.org/presentations.html
>> 
>> Search for "Let's Encrypt".
>> 
>> I haven't wired this into Tomcat 8.5 and Tomcat 9.0's capability
>> to re-load a keystore yet. I'm not sure there is JMX support for
>> that, yet, so that would be a prerequisite IMO.
> 
> Thanks, you are doing almost the same as mine. (Why do you use
> keytool? You can use the p12 file (openssl output file) directly,
> right? At least I do that.)

This was written to be used with Tomcat 8 with the Java-based
connectors and a Java keystore. If OpenSSL is being used, the PEM
files can be used directly. There are no scriptable tools I know of
that generate JKS files other than keytool.

Use of pkcs12 files is certainly possible. Oddly enough, there was a
bug recently with Tomcat where pkcs12 files specifically did not work
under certain circumstances. JKS files are certainly more popular than
pkcs12 files under Java, though that will finally (and thankfully) be
changing with Java 9.

> But using that JMX proxy servlet is a good one; I will see if that
> works for me.

It does require the use of the Manager application, unless you want to
roll something yourself. Use of JMX locally will be required in either
case, unless you want to do something really nasty to reach into
Tomcat's internals to reload the keystore.

> The only thing left then is that "certbot-auto renew" should
> really give me some feedback that it really did renew. Else I
> constantly generate the p12 file for Tomcat and start/stop the
> connector. Maybe I can monitor the pem file that certbot will be
> touching if something did renew somehow.

This line of my script does roughly that:

if [ "${LE_BASE}/cert.pem" -nt "${CATALINA_BASE}/${HOSTNAME}.jks" ] ; then

It checks to see if the certificate is newer than the keystore, and
only re-builds the keystore and bounces Tomcat if it needs to happen.

I'm open to any suggestions to improve those scripts or the
presentation. I'm likely to give a similar presentation in the future,
and I'd be happy to incorporate some of your suggestions into it.

Thanks,
-chris
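The "is the certificate newer than the keystore" check from the script above, as an added example that is not Chris's script or part of his presentation. It makes one edge case explicit (a keystore that does not exist yet: bash's `-nt` treats a missing second operand as "newer", dash's `test` returns false) and shows the PKCS#12 route Johan mentions, building the keystore in a 0600 temporary file and moving it into place so Tomcat never reads a half-written file. The directory layout, the keystore name and the password file are assumptions, not paths from the thread.

```shell
#!/bin/sh
# Added example, not the script from the presentation. Assumed layout:
#   $LE_BASE       certbot's live directory for the host (cert.pem, privkey.pem, fullchain.pem)
#   $CATALINA_BASE Tomcat instance; the keystore lives under conf/
#   /etc/tomcat/keystore.pass  first line is the PKCS#12 password (hypothetical file)
set -eu

# needs_rebuild CERT KEYSTORE
# Exit status 0 (true) when the keystore must be (re)built: either the
# keystore is missing, or the certificate file is newer than it.
# bash's "-nt" already treats a missing second operand as "newer", but
# dash (Debian's /bin/sh) returns false in that case, so the existence
# check is made explicit rather than relying on the shell.
needs_rebuild() {
    cert=$1
    keystore=$2
    [ -f "$cert" ] || { echo "no certificate at $cert" >&2; return 2; }
    [ -e "$keystore" ] || return 0
    [ "$cert" -nt "$keystore" ]
}

# rebuild_keystore LE_DIR OUT.p12 ALIAS PASSWORD_FILE
# Packs certbot's privkey.pem and fullchain.pem into a PKCS#12 file that a
# connector can load with keystoreType="PKCS12". mktemp creates the
# temporary with mode 0600 before the private key is written, and the
# final mv is atomic on the same filesystem, so a running Tomcat either
# sees the old keystore or the complete new one.
rebuild_keystore() {
    le_dir=$1
    out=$2
    alias_name=$3
    passfile=$4
    tmp=$(mktemp "${out}.XXXXXX")
    openssl pkcs12 -export \
        -inkey "$le_dir/privkey.pem" \
        -in "$le_dir/fullchain.pem" \
        -name "$alias_name" \
        -passout "file:$passfile" \
        -out "$tmp"
    mv -f "$tmp" "$out"
}

# Typical use from cron or a certbot deploy hook (assumed paths). Only
# rebuild and bounce the connector when the renewal actually produced a
# newer cert.pem; otherwise leave Tomcat alone.
#   LE_BASE=/etc/letsencrypt/live/www.example.com
#   KS="$CATALINA_BASE/conf/www.example.com.p12"
#   if needs_rebuild "$LE_BASE/cert.pem" "$KS"; then
#       rebuild_keystore "$LE_BASE" "$KS" tomcat /etc/tomcat/keystore.pass
#       # then restart Tomcat, or reload the connector as discussed above
#   fi
```

`needs_rebuild` returns 2 when the certificate itself is absent, which is distinct from "nothing to do", so a cron wrapper can alert on a broken certbot setup instead of silently skipping the rebuild forever.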
