Peter,

On 12/27/19 11:27, logo wrote:
> On 2019-12-27 16:40, Christopher Schultz wrote: That's the plan.
> In Las Vegas, Christopher Tubbs did say to me "aw, I was really
> hoping for you to tell us that you just set letsEncrypt="true" in
> your configuration and you are done". So there is definitely more
> that can be done, here.
> 
> The plan was to try to get someone to integrate my script (or 
> equivalent) into certbot or other ACME clients. Maybe what we
> really need is a command that can be run that "gracefully" restarts
> the server -- like httpd already does. There is no reason to
> actually restart the server -- just reinitialize the TLS engine for
> the connector. So maybe what we need is a script that basically
> just hits the jmxproxy to reinit the connector and tell certbot to
> use that when it's done with the ACME stuff.
> 
>> Oh, I get the idea! A hook script, right?

Yeah, I guess. certbot basically runs "apachectl graceful" when you
are using the "apache" plug-in. If we had a "tomcat" plug-in, maybe
that could run "tomcatctl graceful" and that just pings the manager
application. Unfortunately, it needs a bunch of configuration like the
hostname and port number to use, username/password, which connector to
bounce, etc.

>> Like the 2nd part of your script. Well, specifically, it could
>> reload only the SSLHostConfig affected by this new cert:
>> curl "https://$JMXUSER:$JMXPASSWORD@localhost:${SERVICE_PORT}/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=${CONNECTOR_PORT}&op=reloadSslHostConfig&ps=${HOSTNAME}"

Right, but the idea is that certbot has "plug-ins" and we'd need to
supply a "tomcat" plug-in that did things like this. I'm not sure
where the best place to keep configuration would be. Someone who
understands certbot (or autobot, etc.) would be a better resource than
me.

>> Or did you think about a bin/version.sh type script? That would
>> get a +1 from me.

What do you mean?

>> What I don't like is that one needs to add credentials in
>> tomcat-users.xml and expose the manager interface.

You can use other authentication mechanisms... it's just that usually
nobody bothers since it's easy to configure tomcat-users.xml. Exposing
the manager interface is a bit of pain, but it can be scripted. Our
deployments install a proper tomcat-users.xml file and enable the
manager, locked-down to localhost connections.

-chris
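The "hook script" idea from the thread, written out as a certbot deploy hook. This is an added example, not the script from the thread or anything shipped by Tomcat or certbot. It assumes the manager webapp is deployed with a user in the manager-jmx role whose credentials live in a netrc file (so the password does not appear in the URL, the process list or shell history, as it does with the user:password@host form above), that each SSLHostConfig's hostName equals the certificate's domain, and that certbot exports RENEWED_DOMAINS to deploy hooks (it does). All variable and file names are illustrative.

```shell
#!/bin/sh
# Added example: certbot deploy hook that reloads only the SSLHostConfig(s)
# whose certificate was just renewed, via the Tomcat manager's jmxproxy.
# Not the thread's script. Assumptions (illustrative names throughout):
#   - manager webapp enabled; a manager-jmx user exists, credentials in a
#     netrc file ("machine localhost login jmxuser password ...");
#   - SSLHostConfig hostName == certificate domain;
#   - certbot sets RENEWED_DOMAINS (space-separated) for deploy hooks.

: "${MANAGER_HOST:=localhost}"
: "${MANAGER_PORT:=8080}"
: "${CONNECTOR_PORT:=8443}"
: "${JMX_NETRC:=/etc/tomcat/jmxproxy.netrc}"   # hypothetical path

# Build the jmxproxy URL that invokes reloadSslHostConfig on the connector's
# ProtocolHandler MBean; "ps" carries the single String argument (hostName).
build_reload_url() {
  printf 'http://%s:%s/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfig&ps=%s' \
    "$1" "$2" "$3" "$4"
}

# jmxproxy replies with a body starting "OK - ..." on success and
# "Error - ..." otherwise (an auth failure yields an HTML error page,
# which also fails this check). Return 0 only for "OK".
jmxproxy_ok() {
  case "$1" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Reload one host's TLS configuration and report the outcome.
reload_ssl_host() {
  host="$1"
  url=$(build_reload_url "$MANAGER_HOST" "$MANAGER_PORT" "$CONNECTOR_PORT" "$host")
  # Credentials come from the netrc file, never from the URL or argv.
  reply=$(curl -sS --netrc-file "$JMX_NETRC" "$url")
  if jmxproxy_ok "$reply"; then
    echo "reloaded SSLHostConfig '$host' on connector port $CONNECTOR_PORT"
  else
    echo "reload of SSLHostConfig '$host' failed: $reply" >&2
    return 1
  fi
}

main() {
  rc=0
  for d in $RENEWED_DOMAINS; do
    reload_ssl_host "$d" || rc=1
  done
  return $rc
}

# Only act when certbot invoked us; sourcing the file elsewhere is a no-op.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  main
fi
```

Install it with `certbot renew --deploy-hook /path/to/tomcat-reload-tls.sh` (or under renewal-hooks/deploy). Because the hook runs on the Tomcat host itself, it works unchanged with a manager application that is locked down to localhost connections, as described above; nothing beyond the loopback interface needs to be exposed.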