https://github.com/AtomGraph/letsencrypt-tomcat

On Sun, Oct 4, 2020 at 8:04 PM Garret Wilson <gar...@globalmentor.com> wrote:
>
> Hi, everyone. I'm back already. (I had intended to leave the list to
> focus my efforts elsewhere, but … here I am again.)
>
> I just realized there is a big SSL problem for small applications, and I
> want to fix it. First a little review of where we are.
>
> Servlet containers are becoming less important and less desirable in
> today's world, because we don't want to deploy and maintain some sort of
> high-level container infrastructure (in the Java EE container sense, not
> the Docker sense) just to deploy an application in it. Modern
> distributed microservice applications have a bunch of
> service/worker/agent applications that are identical and redundant. You
> spin up as many as you need; if some go down, you (or an orchestrator)
> spins up others.
>
> For this reason libraries like Spring Boot allow you to deploy your Java
> application as a standalone JAR with embedded Tomcat. The JAR represents
> the completely independent application. You just throw it on a node and
> it runs and provides a web server or whatever. So we should be able
> to throw a Spring Boot JAR on something like AWS Elastic Beanstalk and
> it just runs. I found out it is far from that simple, and SSL is one of
> the major problems.
>
> There seem to be two ways to get SSL support. On something like AWS
> Elastic Beanstalk, you deploy a load balancer in front of your EC
> instances. Elastic Beanstalk will (using the AWS Route 53 DNS) configure
> SSL to the load balancer, spin up EC instances as needed (each running
> your standalone JAR), and connect the load balancer to the EC instances,
> all in a (sort of) automated fashion. But note that the SSL endpoint is
> the load balancer, and the load balancer costs money! Even if you're
> just running a single standalone JAR instance requiring a single EC
> instance, that load balancer sits there and drains cash. Significant
> cash if you just want to run a little program with SSL support.
>
> What's the other option to deploy a standalone JAR? Configure an AWS EC
> instance (or a VM with another provider), configure certbot, configure
> Tomcat, save some files locally on the machine, etc. All this manual
> work. I just want to run the standalone JAR! In short, if I have a
> standalone program I want to run, I either have to configure and
> maintain a VM like I did in the year 2000, or get into the nightmare of
> Kubernetes-like orchestration with the endless configurations and/or the
> high costs.
>
> I propose to create a module that integrates with embedded Tomcat that:
>
>  1. You indicate what domain you're hosting for (as part of the
>     application configuration or as an environment variable when
>     deployed, for example).
>  2. When your application starts running, it automatically connects to
>     Let's Encrypt using RFC 8555 (or whatever is needed) and requests a
>     certificate, based upon the IP address it's running on.
>  3. The module exposes the correct HTTP paths and/or connects to a
>     configured DNS as needed for validation.
>  4. The module receives the certificates and caches them in memory or in
>     a temporary file as needed and provides them to Tomcat; Tomcat now
>     is serving using SSL/TLS.
>  5. If the application dies, who cares? You start up another one. It
>     automatically does the same thing (on another machine or wherever it
>     is running) and the application is running SSL/TLS. It's that
>     simple. You don't need to run certbot. You don't need to manually
>     copy files on the system. You don't even need to know where the
>     application is going to run. You just need an executable JAR with
>     this new module, and you run it. Done.
>  6. (Many variations exist where multiple JARs are running but one is
>     the "leader" for Let's Encrypt, and they communicate and share the
>     cached certificate until the node dies. Or there are variations
>     using Docker. The first step is the radical one, and then all sorts
>     of possibilities open up.)
>
>  From glancing over the Let's Encrypt docs and having had hands-on
> experience embedding Tomcat, that seems completely doable to me. And I'm
> ready to start.
>
> But first, what work has been done in this area already? I'm aware of
> Chris' slides from 2018, but those techniques require some combination
> of certbot, keytool, non-embedded Tomcat, symlinks, OS scripts, manual
> file system manipulation, etc. I think at ApacheCon 2019 Chris mentioned
> some more work has been done on this, but I don't recall where it was.
>
> Please point me to the latest work and ideas for Tomcat+Let's Encrypt so
> that I don't spend two months doing something that has already been done,
> or before I find out it is impossible.
>
> As it stands I want fully automated SSL/TLS configuration just by
> running a standalone JAR, and I don't see that existing anywhere. I'm
> not prepared to pay AWS for a load balancer just to run a little app,
> and I got tired of manual Linux setup and scripts and general sysadmin
> work around 20 years ago. It's the cloud. It should act like the cloud.
>
> Garret
>
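Step 3 of the proposal above (exposing "the correct HTTP paths" for validation) is the part of the RFC 8555 flow that the embedded module has to get right on its own, so here is a worked example of exactly that piece: computing the HTTP-01 key authorization (token + "." + JWK thumbprint of the ACME account key, RFC 8555 section 8.1 and RFC 7638) and serving it only under `/.well-known/acme-challenge/<token>` for tokens the client has actually registered. This is an added illustration, not code from the thread or from the linked letsencrypt-tomcat repository, and it is in Python rather than Java so it can be run as-is; the RSA account key modulus `DEMO_N` is a constructed value, not a real key, and `ChallengeStore`, `ChallengeHandler` and `fetch` are names chosen here for the example. The defensive details worth copying into a real module are the token character check (so the handler never maps arbitrary paths onto anything) and the fact that only registered tokens are answered, with `remove()` called once the order is validated.

```python
"""RFC 8555 HTTP-01 challenge response pieces for an app-embedded ACME client."""
import base64
import hashlib
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding (RFC 8555 section 8.3); anything
# else in the path (dots, slashes, percent-escapes) is rejected outright.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed account-key modulus for the demo; NOT a real key.
DEMO_N = (1 << 2047) | 0x1EE7_C0FFEE_0000_BADC_AB1E | 1
DEMO_E = 65537


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Minimal big-endian encoding of an integer, then base64url (RFC 7518 6.3)."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url(value.to_bytes(length, "big"))


def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA account key."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, sorted, no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the CA expects to fetch over HTTP."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeStore:
    """Thread-safe map of registered token -> key authorization."""

    def __init__(self):
        self._lock = threading.Lock()
        self._responses = {}

    def add(self, token: str, keyauth: str) -> None:
        with self._lock:
            self._responses[token] = keyauth

    def get(self, token: str):
        with self._lock:
            return self._responses.get(token)

    def remove(self, token: str) -> None:
        # Call once the authorization is valid so the endpoint goes quiet again.
        with self._lock:
            self._responses.pop(token, None)


class ChallengeHandler(BaseHTTPRequestHandler):
    store = ChallengeStore()  # replaced per server by start_challenge_server

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404, "Not Found")
            return
        token = self.path[len(CHALLENGE_PREFIX):]
        body = self.store.get(token) if TOKEN_RE.match(token) else None
        if body is None:
            self.send_error(404, "Not Found")
            return
        payload = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_challenge_server(store: ChallengeStore, host="127.0.0.1", port=0) -> HTTPServer:
    """Serve challenges on a background thread; port 0 picks a free port."""
    handler = type("BoundChallengeHandler", (ChallengeHandler,), {"store": store})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str):
    """(status, body) for a GET, treating HTTP errors as results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("ascii")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    jwk = rsa_jwk(DEMO_N, DEMO_E)
    store = ChallengeStore()
    token = "constructed-token_0123"
    store.add(token, key_authorization(token, jwk))
    srv = start_challenge_server(store)
    print(fetch(f"http://127.0.0.1:{srv.server_address[1]}{CHALLENGE_PREFIX}{token}"))
    srv.shutdown()
```

In the proposed module the same store would be filled from the ACME order's authorizations and the handler mounted on the plain-HTTP connector (the CA validates HTTP-01 over port 80), while the resulting certificate is handed to the TLS connector; the thumbprint and token handling shown here do not change between a toy server and Tomcat.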

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org