Johan,
On 10/30/17 9:57 AM, Johan Compagner wrote:
>>
>> How about this?
>>
>> http://tomcat.apache.org/presentations.html
>>
>> Search for "Let's Encrypt".
>>
>> I haven't wired this into Tomcat 8.5 and Tomcat 9.0's capability
>> to re-load a keystore yet. I'm not sure there is JMX support for
>> that, yet, so that would be a prerequisite IMO.
>
> Thx, you are doing almost the same as me (why do you use the
> keytool, you can use the p12 file (openssl output file) directly,
> right? (at least I do that)

This was written to be used with Tomcat 8 with the Java-based connectors and a Java keystore. If OpenSSL is being used, the PEM files can be used directly. There are no scriptable tools I know of that generate JKS files other than keytool. Use of pkcs12 files is certainly possible. Oddly enough, there was a bug recently with Tomcat where pkcs12 files specifically did not work under certain circumstances. JKS files are certainly more popular than pkcs12 files under Java, though that will finally (and thankfully) be changing with Java 9.

> But using that jmx proxy servlet is a good one, will see if that
> works for me.

It does require the use of the Manager application, unless you want to roll something yourself. Use of JMX locally will be required in either case, unless you want to do something really nasty to reach into Tomcat's internals to reload the keystore.

> The only thing left then is that "certbot-auto renew" should
> really give me some feedback that it really did renew. Else I
> constantly generate the p12 file for tomcat and start/stop the
> connector. Maybe I can monitor the pem file that certbot will be
> touching if something did renew somehow.

This line of my script does roughly that:

if [ "${LE_BASE}/cert.pem" -nt "${CATALINA_BASE}/${HOSTNAME}.jks" ] ; then

It checks to see if the certificate is newer than the keystore, and only re-builds the keystore and bounces Tomcat if it needs to happen.
I'm open to any suggestions to improve those scripts or the presentation. I'm likely to give a similar presentation in the future, and I'd be happy to incorporate some of your suggestions into it.

Thanks,
-chris
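A worked version of the renew-then-reload step discussed in this thread, added here as an example; it is not Chris's script, not Johan's, and not code from the Tomcat project. It uses the mtime comparison from the message above to decide whether certbot renewed, packages the PEM files into a PKCS12 keystore with openssl (the p12 route Johan mentions, rather than keytool), and then asks Tomcat to pick the new keystore up through the Manager's jmxproxy servlet. The paths, the keystore name, the Manager URL and credentials, and the ProtocolHandler MBean/operation are all assumptions: Chris notes above that JMX support for reloading was still uncertain at the time, so check with `?qry=Catalina:type=ProtocolHandler,*` on your own Tomcat and set MBEAN/OP to the Connector's stop/start operations if no reload operation is exposed.

```shell
#!/bin/sh
# Constructed example: rebuild Tomcat's PKCS12 keystore only when certbot has
# actually renewed, then reload it via the Manager jmxproxy servlet.
set -eu

# Assumed layout; adjust to your host.
LE_BASE="${LE_BASE:-/etc/letsencrypt/live/www.example.com}"
CATALINA_BASE="${CATALINA_BASE:-/opt/tomcat}"
HOSTNAME="${HOSTNAME:-www.example.com}"
KEYSTORE="${KEYSTORE:-${CATALINA_BASE}/conf/${HOSTNAME}.p12}"
MANAGER_URL="${MANAGER_URL:-http://localhost:8080/manager/jmxproxy/}"
# Assumption: this MBean exposes a reload operation in the Tomcat in use.
# If not, point MBEAN at Catalina:type=Connector,port=8443 and call stop/start.
MBEAN="${MBEAN:-Catalina:type=ProtocolHandler,port=8443}"
OP="${OP:-reloadSslHostConfigs}"

# needs_rebuild CERT KEYSTORE
# True (exit 0) when the keystore is missing or older than the certificate,
# i.e. certbot has written a new cert since we last packaged the keystore.
# test -nt follows symlinks, which matters because certbot's live/ entries
# are symlinks into archive/.
needs_rebuild() {
    cert="$1"; ks="$2"
    [ -f "$cert" ] || return 1      # nothing issued yet: nothing to do
    [ -f "$ks" ] || return 0        # first run: always build
    [ "$cert" -nt "$ks" ]
}

# jmxproxy_url BASE MBEAN OP -> the jmxproxy "invoke" URL.
# ':' ',' and '=' inside the ObjectName must be percent-encoded so the
# servlet's query-string parser sees one "invoke" value.
jmxproxy_url() {
    encoded=$(printf '%s' "$2" | sed 's/:/%3A/g; s/,/%2C/g; s/=/%3D/g')
    printf '%s?invoke=%s&op=%s' "$1" "$encoded" "$3"
}

# Bundle key + leaf + chain into one PKCS12 file. Written to a temp file with
# a restrictive umask and renamed into place so Tomcat never sees a half file.
rebuild_keystore() {
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystorePass in server.xml}"
    ( umask 077
      openssl pkcs12 -export -name tomcat \
          -in "${LE_BASE}/cert.pem" \
          -inkey "${LE_BASE}/privkey.pem" \
          -certfile "${LE_BASE}/chain.pem" \
          -passout "pass:${KEYSTORE_PASS}" \
          -out "${KEYSTORE}.tmp" )
    mv "${KEYSTORE}.tmp" "$KEYSTORE"
}

# Ask Tomcat to reload; needs a Manager user with the manager-jmx role.
reload_tomcat() {
    : "${MANAGER_USER:?set MANAGER_USER}" "${MANAGER_PASS:?set MANAGER_PASS}"
    curl -fsS -u "${MANAGER_USER}:${MANAGER_PASS}" \
        "$(jmxproxy_url "$MANAGER_URL" "$MBEAN" "$OP")"
}

main() {
    if needs_rebuild "${LE_BASE}/cert.pem" "$KEYSTORE"; then
        rebuild_keystore
        reload_tomcat
    else
        echo "certificate unchanged; keystore left alone"
    fi
}

# Run as: sh renew-hook.sh run   (e.g. from cron after "certbot-auto renew")
case "${1:-}" in run) main ;; esac
```

Two practitioner notes. The mtime check answers Johan's "did it really renew" question without parsing certbot's output, but certbot's own `--deploy-hook` runs a command only after a successful renewal and is the cleaner trigger where the installed certbot supports it. And because the jmxproxy servlet is a general-purpose JMX invoker, the Manager account used here should exist only for this job, carry only the `manager-jmx` role, and be reachable only from localhost.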