Ivano,
On 8/4/21 18:22, Ivano Luberti wrote:
> Hello, in order to improve management of our servers I would like to
> implement the ability to timely reload Tomcat TLS configuration so as to
> make Tomcat aware of renewed certificates.
Do you want to do this from script or something else?
> I have seen that in the manager web application I can reload TLS
> configuration with the Re Read button in the Re-read TLS configuration
> files section.
> Reading documentation at
> https://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html#Reload_TLS_configuration
> I have seen that it doesn't parse server.xml, so I guess this function
> is not going to load new certificates if an SSLHostConfig is added to
> server.xml. Right?
Correct. However, you can alter the runtime configuration and /then/
reload it, causing new certificates to be loaded, etc.
> So my questions are:
> 1) has anyone tried to write something callable outside Tomcat to induce
> it to reload certificates, starting from the code in the sslReload
> method of ManagerServlet.java?
You can call from the outside. Is there something you want to do that
you think can't be done with existing options? (I realize that part of
your question is asking about those options, so maybe we'll wait on this
question until later).
> 2) if no one is aware of such a try, I guess that the shortest path
> would be to not reimplement the whole process but write a script that calls
> http://localhost:8080/manager/text/sslReload?tlsHostName=name
> Am I right? Better suggestions?
Why not simply call
http://localhost:8080/manager/text/sslReload?tlsHostName=name directly
from a script?
> 3) However, if this is not going to load new certificates, it would solve
> only (a certainly big) part of my problem. Is there any suggestion or
> starting point to implement also this feature?
You can invoke a reload using JMX, either by connecting using a JMX
client or by using my favorite: JMXProxyServlet.
You can read about the JMXProxyServlet here:
https://tomcat.apache.org/tomcat-8.5-doc/monitoring.html#Using_the_JMXProxyServlet
To reload the SSL configuration, you need to locate your ProtocolHandler
within JMX and invoke the reloadSslHostConfigs method on that object.
This presentation is a little terse, but it includes an example of how
to do this on slide 33:
https://people.apache.org/~schultz/ApacheCon%20NA%202019/Let's%20Encrypt%20Apache%20Tomcat.pdf
You can see the video of the most recent presentation of that material
on Tomcat's "presentations" page which may help put that into context a
little.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
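As an added example (not code from the thread, and not Tomcat's own), here is a POSIX shell script that wires up both routes Chris mentions: the manager text command (`/manager/text/sslReload`) for a certbot deploy hook or cron job, and the JMXProxyServlet `invoke` of `reloadSslHostConfigs` on the ProtocolHandler. It assumes the manager webapp is deployed at `/manager` on `http://localhost:8080`, that `MANAGER_USER`/`MANAGER_PASS` name a user holding the `manager-script` role (text interface) and `manager-jmx` role (jmxproxy), and that the connector's MBean is named `Catalina:type=ProtocolHandler,port=<port>`; the environment variable names and the response strings used for checking are constructed for the example.

```shell
#!/bin/sh
# Added example: reload Tomcat's TLS configuration from outside Tomcat,
# e.g. from a certbot deploy hook, using the two routes from the thread:
#   1. the manager text command  /manager/text/sslReload[?tlsHostName=...]
#   2. the JMXProxyServlet       /manager/jmxproxy/?invoke=...&op=reloadSslHostConfigs
# Assumptions: manager webapp at $TOMCAT_BASE/manager; MANAGER_USER/MANAGER_PASS
# belong to a user with the manager-script (text) and manager-jmx (jmxproxy)
# roles; the connector's MBean is Catalina:type=ProtocolHandler,port=<port>.
# Neither route re-parses server.xml: both re-read the certificate/key files
# that the already-configured SSLHostConfig entries point at.

TOMCAT_BASE="${TOMCAT_BASE:-http://localhost:8080}"
MANAGER_USER="${MANAGER_USER:-tomcat}"
MANAGER_PASS="${MANAGER_PASS:-}"

# Both servlets answer with a status line: "OK - ..." on success,
# "FAIL - ..." (text interface) or "Error - ..." (jmxproxy) otherwise.
manager_ok() {
  case "$1" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

# First line of a response, so log output stays one line per reload.
first_line() {
  printf '%s\n' "$1" | sed -n '1p'
}

# Route 1: manager text interface. $1 = SSLHostConfig hostName; with no
# argument Tomcat reloads every TLS virtual host.
tomcat_ssl_reload() {
  if [ -n "${1:-}" ]; then
    resp=$(curl -sS -G -u "$MANAGER_USER:$MANAGER_PASS" \
      --data-urlencode "tlsHostName=$1" \
      "$TOMCAT_BASE/manager/text/sslReload")
  else
    resp=$(curl -sS -u "$MANAGER_USER:$MANAGER_PASS" \
      "$TOMCAT_BASE/manager/text/sslReload")
  fi
  first_line "$resp"
  manager_ok "$resp"
}

# Route 2: JMXProxyServlet. $1 = connector port (e.g. 8443); the MBean
# name pattern is an assumption, check it in the jmxproxy listing first.
tomcat_ssl_reload_jmx() {
  resp=$(curl -sS -G -u "$MANAGER_USER:$MANAGER_PASS" \
    --data-urlencode "invoke=Catalina:type=ProtocolHandler,port=$1" \
    --data-urlencode "op=reloadSslHostConfigs" \
    "$TOMCAT_BASE/manager/jmxproxy/")
  first_line "$resp"
  manager_ok "$resp"
}

# Usage:  MANAGER_PASS=... ./reload-tls.sh www.example.com
#         MANAGER_PASS=... ./reload-tls.sh --all
#         MANAGER_PASS=... ./reload-tls.sh --jmx 8443
if [ $# -gt 0 ]; then
  case "$1" in
    --jmx) tomcat_ssl_reload_jmx "${2:?connector port required}" ;;
    --all) tomcat_ssl_reload ;;
    *)     tomcat_ssl_reload "$1" ;;
  esac
fi
```

The exit status follows the manager's own status line, so a deploy hook can fail loudly if the reload did not happen. Because this hands manager-script and manager-jmx credentials to a script, keep the manager's RemoteAddrValve restricted to 127.0.0.1 and give the account no other roles; and, as Chris notes, a newly added SSLHostConfig still needs the runtime configuration changed before a reload will pick up its certificates.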