From: Christopher Schultz <chris@christopherschultz.net>
To: dev@tomcat.apache.org (Tomcat Developers List)
Subject: Re: Dynamic reloading of SSL certificates
References: <495ee43f-f825-71c3-a85a-70e889ae4764@apache.org> <792b9dfa-ca0e-9644-583e-3254ddf835e4@apache.org> <8fe9ab8b-6653-5832-3fe9-d70daa660e10@christopherschultz.net> <99bffcd7-d2b0-9393-5043-a86b92e1d8df@apache.org>
Message-ID: <82813f24-aa68-f403-8220-9c0c599e7c9e@christopherschultz.net>
Date: Wed, 27 Jun 2018 12:21:34 -0400

Romain,

On 6/27/18 11:50 AM, Romain Manni-Bucau wrote:
> up? any hope we have live reloading of certs in tomcat?

Yup. Recent versions allow you to reload the SSLHostConfigs. I was getting ready to update my presentation on Let's Encrypt, actually, so this was a good nudge to actually do that.

I thought the operation would be exposed via JMX, but it does not appear to be so. It's in the Manager application. Have a look at what ManagerServlet.sslReload() does.

markt, any objection to taking this code and putting it into the Connector under the public method reloadSSLHostConfig to make it (a) accessible via JMX and (b) easy to access?

We have several options when it comes to JMX operations:

1. Connector
2. ProtocolHandler
3. SSLHostConfig

#3 doesn't make much sense, since SSLHostConfigs are the ones that were loaded, and presumably will be replaced when a "reload" happens.

#2 would work fine, except that:

a. Everyone will look on the Connector first and
b. The ProtocolHandler doesn't know if SSLEnabled=true on the connector

So I think this is best done on the Connector.

Any comments or suggestions?
-chris

> Romain Manni-Bucau
> @rmannibucau | Blog | Old Blog | Github | LinkedIn | Book
>
> On Tue, 2 Jan 2018 at 17:00, Romain Manni-Bucau wrote:
>
>> Yes, if tomcat can support hot reloading of certs it is very feasible:
>> https://github.com/rmannibucau/letsencrypt-manager/blob/master/src/main/java/com/github/rmannibucau/letsencrypt/manager/LetsEncryptManager.java
>>
>> Romain Manni-Bucau
>> @rmannibucau | Blog | Old Blog | Github | LinkedIn
>>
>> 2018-01-02 16:56 GMT+01:00 Emmanuel Bourg:
>>
>>> On 02/01/2018 at 09:40, Romain Manni-Bucau wrote:
>>>> up?
>>>
>>> I haven't got much time to look into this yet. However since Let's Encrypt client implementations in Java are starting to appear [1] I wonder if the certificate renewal process could be directly integrated into Tomcat instead of relying on an external client such as certbot.
>>>
>>> Emmanuel Bourg
>>>
>>> [1] https://github.com/shred/acme4j
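The reload step the message proposes, written out as an added illustration (this is not Tomcat's own code and not code from anyone in the thread). It assumes the Tomcat 8.5.24+/9.0.x API in which org.apache.coyote.http11.AbstractHttp11Protocol exposes reloadSslHostConfigs() and reloadSslHostConfig(String), and that Connector.getProperty("SSLEnabled") reflects the connector attribute; the package name, the class SslReloadHelper and its methods are hypothetical, and the JMX operation name reloadSSLHostConfig is the thread's proposal, not an operation that exists on the Connector MBean.

```java
package example; // hypothetical package, not part of Tomcat

import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;

/**
 * Illustration of a Connector-level TLS reload, as discussed on the list.
 * Assumes AbstractHttp11Protocol.reloadSslHostConfigs() and
 * reloadSslHostConfig(String) exist (Tomcat 8.5.24+/9.0.x); verify
 * against the version you run.
 */
public final class SslReloadHelper {

    private SslReloadHelper() {
    }

    /**
     * Reload the TLS material of one connector from the key store or PEM
     * files its SSLHostConfigs point at.
     *
     * @param connector   the connector to act on
     * @param tlsHostName SNI host name to reload, or null/empty for all
     * @return host names whose configuration was asked to reload; empty when
     *         the connector is not TLS-enabled or its handler cannot reload
     */
    public static List<String> reload(Connector connector, String tlsHostName) {
        List<String> reloaded = new ArrayList<>();

        // The SSLEnabled check is made here, at Connector level, as the
        // message proposes; a plain HTTP connector is skipped, not failed.
        if (!Boolean.TRUE.equals(connector.getProperty("SSLEnabled"))) {
            return reloaded;
        }

        ProtocolHandler handler = connector.getProtocolHandler();
        if (!(handler instanceof AbstractHttp11Protocol)) {
            return reloaded; // e.g. an AJP connector: nothing to reload
        }
        AbstractHttp11Protocol<?> http11 = (AbstractHttp11Protocol<?>) handler;

        if (tlsHostName == null || tlsHostName.isEmpty()) {
            // Reload every SSLHostConfig (default host and all SNI hosts)
            http11.reloadSslHostConfigs();
            for (SSLHostConfig cfg : http11.findSslHostConfigs()) {
                reloaded.add(cfg.getHostName());
            }
        } else {
            // Reload only the named SNI host
            http11.reloadSslHostConfig(tlsHostName);
            reloaded.add(tlsHostName);
        }
        return reloaded;
    }

    /**
     * What "accessible via JMX" looks like from the caller's side, if the
     * operation proposed in the thread (reloadSSLHostConfig) were registered
     * on the Connector MBean. The operation name and signature are the
     * thread's proposal, not an existing Tomcat operation.
     */
    public static Object invokeViaJmx(int port, String tlsHostName) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        // Tomcat registers connectors as Catalina:type=Connector,port=<port>
        ObjectName connectorName = new ObjectName("Catalina:type=Connector,port=" + port);
        return server.invoke(connectorName, "reloadSSLHostConfig",
                new Object[] { tlsHostName },
                new String[] { String.class.getName() });
    }
}
```

Whichever way the reload is triggered (Manager application, JMX, or a helper like this one), confirm afterwards that the listener is actually serving the new certificate rather than trusting the return value: compare the SHA-256 fingerprint reported by `openssl s_client -connect host:8443 -servername host </dev/null | openssl x509 -noout -fingerprint -sha256` with the fingerprint of the certificate file on disk, and treat a mismatch as a failed rotation. Reloading a host name that has no SSLHostConfig, or a connector whose key store is unreadable, should surface as an error in the Tomcat log, so that log is worth watching during automated renewals.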
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org