Because the contexts (webapps) in this instance can serve requests from
different domains.
https://domain1/context1
https://domain2/context2
On 03-Jun-25 15:27, Mark Thomas wrote:
Why do you need to add/remove a certificate?
Mark
On 03/06/2025 09:15, Ivano Luberti wrote:
Hi Mark, only problem to solve is to avoid restart upon
adding/removal of an SSL certificate.
On 29-May-25 09:38, Mark Thomas wrote:
On 29/05/2025 07:59, Ivano Luberti wrote:
Thanks Chris, yes that's what I tried to explain from the
beginning, sorry I wasn't clear enough.
To summarize: there is no solution out of the box, I have to
develop something.
I will look into that.
Just out of interest, what problem are you trying to solve?
Depending on the problem, there may be other solutions.
Mark
Thanks everyone
On 28-May-25 14:43, Christopher Schultz wrote:
Ivano,
On 5/28/25 4:17 AM, Ivano Luberti wrote:
Thanks for all the responses. I try to be more clear.
My server.xml configuration contains a few SSLHostConfig
configurations like this
<SSLHostConfig
    hostName="host domain.it"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA">
    <Certificate
        certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
        certificateKeystorePassword="passwrod"
        certificateKeystoreType="PKCS12"
    />
</SSLHostConfig>
After certificate renewal, reloading the certificate is no concern.
But if I add (or remove) a new SSLHostConfig, tomcat needs to
be restarted in order to take into account the new configuration.
I would like to know if there is a way to configure tomcat so
as to avoid restart.
Even using a different way to configure tomcat outside of
server.xml using a different certificate format or whatever.
Okay, so you don't mean reconfiguring an existing SSLHostConfig.
You mean adding a new one (or removing an old one).
You should connect to Tomcat using JMX to see all of the remote-
management capabilities it has. You are able to use JMX to create
SSLHostConfig settings on the fly, reconfigure connectors, etc.
without restarting the JVM.
-chris
On 28-May-25 09:49, Michael Osipov wrote:
On 2025/05/27 20:11:25 Ivano Luberti wrote:
Hi all, is there a way to configure tomcat in order to avoid
restart
when I change the list of ssl certificates?
I know and I do it, how to reload existing certificates, but I'm
searching a way to avoid reloading when I add or remove a
certificate.
I'm using Tomcat 9, but looking for solution also in tomcat 10
or 11.
RTFM: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html?
Works for me very well.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
dott. Ivano Mario Luberti
Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa
tel.: +39 050/580959
web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/