Mladen,

On 12/26/20 13:25, Mladen Adamović wrote:
If you set up Tomcat manager, you can reload the certificate with something
like
Stop Connector – curl 'http://localhost:8080/manager/jmxproxy?invoke=Catalina%3Atype%3DConnector%2Cport%3D8443&op=stop'
Start Connector – curl 'http://localhost:8080/manager/jmxproxy?invoke=Catalina%3Atype%3DConnector%2Cport%3D8443&op=start'
(source:
http://people.apache.org/~schultz/ApacheCon%20NA%202017/Let's%20Encrypt%20Apache%20Tomcat.pdf)

This is probably faster than rebooting the whole Tomcat; I haven't tried it.

It's very much faster than "rebooting" whether you mean rebooting the whole server or just restarting the Tomcat service. Not only that, but no in-flight requests or even those queued in the TCP/IP stack's backlog will be dropped. It really is a zero-downtime solution.

This looks imperfect as hell.

What is imperfect about it? Sure, it's not 100% automatic, but at least it's possible. Even Apache httpd can't do what we are doing.

Honestly, I thought that a reloadAfterNDays param in server.xml would be
better, but admins didn't have an understanding of this topic.

Don't be a jerk. We understand it. We are just saying that we want it built in stages. If you want radical changes, you'll need to work on a server without a decades-long history of being stable and reliable.

Thanks,
-chris

On Sat, Dec 26, 2020 at 6:49 PM Jerry Malcolm <techst...@malcolms.com>
wrote:

We have a production environment where we rarely reboot Tomcat.
LetsEncrypt auto-updates the certificates every couple of months. But
the new certificates are not loaded into Tomcat.  So when the original
expiration date of the certs arrives, users get "certificate expired"
even though new certs exist.  A simple reboot to load the new certs
fixes it.  But we want to avoid reboots.  Are there any config
parameters that tell TC to check for cert updates and reload the new
certs?  Thx


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
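
As an added example (not part of the thread and not Tomcat project code): a Python check for the situation described in the original question, comparing the certificate the connector is serving with the renewed one on disk and, only when they differ, invoking the connector stop/start through the manager JMX proxy URLs quoted above. The host name, certificate path, environment variable names and the manager account (which needs the `manager-jmx` role) are assumptions.

```python
import hashlib, os, re, ssl, urllib.parse, urllib.request

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in PEM text such as fullchain.pem."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()

def served_fingerprint(host, port):
    """Fingerprint of the certificate the connector presents right now."""
    # No CA file is passed, so the certificate is fetched without validation
    # and an already-expired one can still be inspected.
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))

def needs_reload(disk_pem, served_fp):
    """True when the renewed certificate on disk is not the one being served."""
    return leaf_fingerprint(disk_pem) != served_fp

def jmx_url(manager, connector_port, op):
    """Build the jmxproxy URL from the thread for op 'stop' or 'start'."""
    name = urllib.parse.quote(f"Catalina:type=Connector,port={connector_port}", safe="")
    return f"{manager}/jmxproxy?invoke={name}&op={op}"

def reload_connector(manager, connector_port, user, password):
    """Stop, then start, the TLS connector through the manager application."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, manager, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    for op in ("stop", "start"):
        with opener.open(jmx_url(manager, connector_port, op), timeout=30) as resp:
            resp.read()

if __name__ == "__main__":
    # Assumed values: adjust host, path and credentials for the real deployment.
    manager = "http://localhost:8080/manager"
    with open("/etc/letsencrypt/live/example.com/fullchain.pem") as fh:
        disk_pem = fh.read()
    if needs_reload(disk_pem, served_fingerprint("localhost", 8443)):
        reload_connector(manager, 8443, os.environ["TOMCAT_JMX_USER"],
                         os.environ["TOMCAT_JMX_PASS"])
        # Confirm the connector now serves the renewed certificate.
        assert not needs_reload(disk_pem, served_fingerprint("localhost", 8443))
```

Run from a renewal hook or a scheduled job, this leaves the connector untouched unless the served certificate is actually stale.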



