Peter,

On 12/27/19 11:27, logo wrote:
> On 2019-12-27 16:40, Christopher Schultz wrote:
>> That's the plan.
>>
>> In Las Vegas, Christopher Tubbs did say to me "aw, I was really
>> hoping for you to tell us that you just set letsEncrypt="true" in
>> your configuration and you are done". So there is definitely more
>> that can be done, here.
>>
>> The plan was to try to get someone to integrate my script (or
>> equivalent) into certbot or other ACME clients. Maybe what we
>> really need is a command that can be run that "gracefully" restarts
>> the server -- like httpd already does. There is no reason to
>> actually restart the server -- just reinitialize the TLS engine for
>> the connector. So maybe what we need is a script that basically
>> just hits the jmxproxy to reinit the connector and tell certbot to
>> use that when it's done with the ACME stuff.
>
> Oh, I get the idea! A hook script, right?

Yeah, I guess. certbot basically runs "apachectl graceful" when you are
using the "apache" plug-in. If we had a "tomcat" plug-in, maybe that
could run "tomcatctl graceful" and that just pings the manager
application. Unfortunately, it needs a bunch of configuration like the
hostname and port number to use, username/password, which connector to
bounce, etc.

> Like the 2nd part of your script. Well, specifically it could
> reload only the SSLHostConfig affected by this new cert:
>
> curl "https://$JMXUSER:$JMXPASSWORD@localhost:${SERVICE_PORT}/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=${CONNECTOR_PORT}&op=reloadSslHostConfig&ps=${HOSTNAME}"

Right, but the idea is that certbot has "plug-ins" and we'd need to
supply a "tomcat" plug-in that did things like this. I'm not sure where
the best place to keep configuration would be. Someone who understands
certbot (or autobot, etc.) would be a better resource than me.

> Or did you think about a bin/version.sh type script? That would
> get a +1 from me.

What do you mean?

> What I don't like is that one needs to add credentials in
> tomcat-users.xml and expose the manager interface.

You can use other authentication mechanisms... it's just that usually
nobody bothers since it's easy to configure tomcat-users.xml. Exposing
the manager interface is a bit of pain, but it can be scripted. Our
deployments install a proper tomcat-users.xml file and enable the
manager, locked down to localhost connections.

- -chris
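The hook script the thread is circling around, written out as a certbot deploy hook. This is an added example, not Chris's script, logo's curl command, or anything shipped by certbot or Tomcat. It assumes that the affected <SSLHostConfig hostName="..."> entries in server.xml already point at the files under the renewed lineage (so only a reload is needed, no copy step), that the manager app is reachable on localhost with a user holding the manager-jmx role, and that the manager credentials live in a root-only netrc file instead of being embedded in the URL, where they would be visible in ps output and in the shell history. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables certbot sets for deploy hooks; TOMCAT_HOST, SERVICE_PORT, CONNECTOR_PORT and JMX_NETRC are names chosen for this example.

```shell
#!/bin/sh
# certbot deploy hook (added example, not the script discussed in the thread):
# reload only the SSLHostConfig(s) whose hostname certbot just renewed, by
# invoking reloadSslHostConfig(hostName) on the ProtocolHandler MBean through
# the manager's jmxproxy servlet.
#
# Assumptions (not from the thread):
#   - server.xml's <SSLHostConfig hostName="..."> already points at the
#     certificate/key files under $RENEWED_LINEAGE, so no copying is needed.
#   - The manager app is enabled, bound to localhost, with a manager-jmx user.
#   - Credentials are in a root-only netrc file ("machine localhost login ...
#     password ..."), so they never appear in the URL, in ps, or in history.

: "${TOMCAT_HOST:=localhost}"
: "${SERVICE_PORT:=8443}"          # port the manager app is served on
: "${CONNECTOR_PORT:=8443}"        # "port" attribute of the connector to reload
: "${JMX_NETRC:=/etc/tomcat/jmxproxy.netrc}"   # chmod 0600, owned by root

# Build the jmxproxy invoke URL for reloadSslHostConfig(hostName).
# Kept as a function so the URL can be checked without touching the network.
# The "machine" entry in the netrc file must match $TOMCAT_HOST.
build_reload_url() {
    host="$1"
    printf 'https://%s:%s/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfig&ps=%s' \
        "$TOMCAT_HOST" "$SERVICE_PORT" "$CONNECTOR_PORT" "$host"
}

# jmxproxy answers HTTP 200 whether or not the operation succeeded; success
# is signalled by a body starting with "OK -", failure by "Error -".
jmxproxy_ok() {
    case "$1" in
        "OK -"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Reload one SSLHostConfig; non-zero on transport error or jmxproxy error.
reload_host() {
    url=$(build_reload_url "$1")
    body=$(curl --silent --show-error --fail --netrc-file "$JMX_NETRC" "$url") || return 1
    jmxproxy_ok "$body" || { echo "jmxproxy: $body" >&2; return 1; }
}

# certbot passes the renewed names space-separated in RENEWED_DOMAINS, so the
# variable is deliberately left unquoted to split it. A name that is not an
# SSLHostConfig hostName (e.g. a SAN) comes back as an "Error -" body and is
# reported on stderr without stopping the other reloads.
run_hook() {
    rc=0
    for d in ${RENEWED_DOMAINS:-}; do
        reload_host "$d" || rc=1
    done
    return $rc
}

# Only act when invoked by certbot (which sets RENEWED_LINEAGE), so the
# functions above can also be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/tomcat-reload.sh (mode 0700) and certbot will run it after every successful renewal; the netrc file is the only place the manager-jmx password lives, and it never leaves the host because the manager is bound to localhost, which addresses the concern raised above about putting credentials in tomcat-users.xml and exposing the manager interface.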