tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Connector difference explanation request - two ways of getting SSL in server.xml
Date Mon, 24 Jun 2019 06:32:18 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Richard,

On 6/22/19 17:19, Richard Huntrods wrote:
> Apologies if this is really basic, but I've seen two ways of
> handling https (SSL) for tomcat and don't understand the
> differences.
> 
> The first example uses letsencrypt cert files 'in situ' (i.e. where
> they have been created). The second example uses the same files,
> but converted by a manual shell script into a single .keystore
> file, stored in ./tomcat/keys
> 
> The thing I really don't understand is the different protocols
> used.
> 
> Fair warning: the second example is something I've been using for
> a while, so it may be out of fashion even though it works. The
> first example is "brand new" that I got online and want to use
> mainly because it removes the manual conversion step from cert to
> .keystore.
> 
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate 
> certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem" 
> certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
>
> 
certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem" />
> </SSLHostConfig>> </Connector>

The above style of configuration is preferred in Tomcat 8.5 and later.
for the reasons Giuseppe wrote in his post.

WARNING: you are referencing the files created by tools like certbot.
certbot places those files into a series of directories only
accessible by root. You are either making them available to a wider
audience (in which case you should just think whether that is a good
idea, or if your setup will be broken if/when certbot runs again and
"repairs" its directories) or you are running Tomcat as root. Both of
these are probably not a good idea.

Definitely don't run as root.

I might consider having your certbot wrapper copy the specific files
you need somewhere Tomcat can read them after they are re-generated by
certbot. That way, Tomcat can only access the files it actually needs
instead of having access to the whole LE directory.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl0QbnEACgkQHPApP6U8
pFjlgA//ZDacvsKWgnMhbxgqxX4uM4Kxao+6rGkS7V7zNrL060GdbicyA8Fpt2Cg
LxOyGprMLuWQ3RFoPVGrRefzpV9G6wzBadbQGWB/66o+bo6+/FgcLlNcRKwRohNa
RDwyrw4NlkWPzeJli4BeZhsfxIkq0HI4jl7JIRYJxoyESE/Hi5UqPMkDxkIDitWZ
rWvqwJjALcNzcFRJ09ptTJAL9x06x+kosO1ioFzPOgagvFyZ9wRiZ0RkdK0hBExC
MIG3jBAt6a5xEH3WeGUqE3cbiAbP+U3Mn9iSXl23JyjVPXWlySXULj8TM7YZvNb8
4mCQAEhLZHMKc611upuQiIvlAk2tfv7P0FvGgOvgZILiWKAanr5aYDWIBva5jfek
/wfMLOJvdDgNrC87ltKlXsIfpgzT6LKdMrEQOOaE/x/E7IIJJgtOxC/qaWt++LWY
sYsgYsmlqlndLeMqpht+aexmImUP2GQoZJMmj+NSoCZg6I+II3Hi1b5nnQfRQu+e
sxXT0DMRcWxpEhOGRq8qxA5RcmGkgM6FcXKCkkQn3yLFxDdMC+hDycFTVxZSYolL
/jSJvZkvw5ohUfvqRAElcPaS26yMSYTiRiqjq0tY6Oq+SwP47SPtgzYZYMC1FJul
LlI1ivhWiSkkrEQQTUeUX0r7soop99tDy9moQV/T90aupCPDOpU=
=ES8m
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message