Richard,

On 6/22/19 17:19, Richard Huntrods wrote:
> Apologies if this is really basic, but I've seen two ways of
> handling https (SSL) for tomcat and don't understand the
> differences.
>
> The first example uses letsencrypt cert files 'in situ' (i.e. where
> they have been created). The second example uses the same files,
> but converted by a manual shell script into a single .keystore
> file, stored in ./tomcat/keys
>
> The thing I really don't understand is the different protocols
> used.
>
> Fair warning: the second example is something I've been using for
> a while, so it may be out of fashion even though it works. The
> first example is "brand new" that I got online and want to use
> mainly because it removes the manual conversion step from cert to
> .keystore.
>
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxThreads="150" SSLEnabled="true">
>   <SSLHostConfig>
>     <Certificate
>       certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem"
>       certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
>       certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem" />
>   </SSLHostConfig>
> </Connector>

The above style of configuration is preferred in Tomcat 8.5 and later, for the reasons Giuseppe wrote in his post.

WARNING: you are referencing the files created by tools like certbot. certbot places those files into a series of directories only accessible by root. You are either making them available to a wider audience (in which case you should just think whether that is a good idea, or if your setup will be broken if/when certbot runs again and "repairs" its directories) or you are running Tomcat as root. Both of these are probably not a good idea. Definitely don't run as root.

I might consider having your certbot wrapper copy the specific files you need somewhere Tomcat can read them after they are re-generated by certbot. That way, Tomcat can only access the files it actually needs instead of having access to the whole LE directory.

-chris
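Chris's suggestion above, that the certbot wrapper copy only the files Tomcat needs into a directory Tomcat can read, could be implemented as a certbot deploy hook like the following. This is an added example, not code from the thread or from the Tomcat or certbot projects; the destination directory /opt/tomcat/keys and the owner tomcat:tomcat are placeholders to adjust for your installation, and RENEWED_LINEAGE is the variable certbot sets for deploy hooks to point at the renewed "live" directory.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that copies only
# cert.pem, privkey.pem and chain.pem out of certbot's root-only "live"
# directory into a directory owned by the Tomcat user.
# Placeholders (assumptions, adjust for your installation):
TOMCAT_CERT_DIR="${TOMCAT_CERT_DIR:-/opt/tomcat/keys}"   # where Tomcat reads the copies
TOMCAT_OWNER="${TOMCAT_OWNER:-tomcat:tomcat}"            # user:group Tomcat runs as

# copy_tomcat_certs SRC_DIR DEST_DIR [OWNER:GROUP]
# Copies the three files Tomcat needs from SRC_DIR to DEST_DIR. Each file is
# written under a temporary name and renamed into place, so Tomcat never
# opens a half-written file. Returns 1 without touching DEST_DIR if any of
# the three source files is missing, so the key and certificate never get
# out of step with each other. The live/*.pem entries are symlinks into
# certbot's archive directory; plain cp follows them and copies the content.
copy_tomcat_certs() {
    src="$1"
    dest="$2"
    owner="${3:-}"

    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "copy_tomcat_certs: missing $src/$f" >&2
            return 1
        fi
    done

    mkdir -p "$dest"
    chmod 750 "$dest"

    for f in cert.pem privkey.pem chain.pem; do
        tmp="$dest/.$f.tmp"
        cp "$src/$f" "$tmp"
        # The private key is readable only by owner and group; the certificate
        # and chain are public material and may stay world-readable.
        if [ "$f" = privkey.pem ]; then
            chmod 640 "$tmp"
        else
            chmod 644 "$tmp"
        fi
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp"
        fi
        mv -f "$tmp" "$dest/$f"
    done

    if [ -n "$owner" ]; then
        chown "$owner" "$dest"
    fi
    return 0
}

# certbot exports RENEWED_LINEAGE (the renewed lineage's "live" directory) to
# deploy hooks. When that variable is absent the script only defines the
# function, so it can be sourced or tested without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_tomcat_certs "$RENEWED_LINEAGE" "$TOMCAT_CERT_DIR" "$TOMCAT_OWNER"
fi
```

Register the script with certbot's --deploy-hook option so it runs after each successful renewal, and point the Connector's <Certificate> attributes at the copies under the destination directory rather than at /etc/letsencrypt/live. Telling Tomcat to pick up the new files after the copy is outside this example.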