On 03/06/2025 16:29, Ivano Luberti wrote:
Because the contexts (webapps) in this instance can serve requests from
different domains.
https://domain1/context1
https://domain2/context2
So this is a host environment where you need to add and remove customers
each with their own domain?
If that is the case then you will need to code something yourself.
It shouldn't be too hard to code something like the
TLSCertificateReloadListener that watches a file and when it sees a
change parses the file for a list of domains and then adds/removes them
as necessary.
Mark
On 03-Jun-25 15:27, Mark Thomas wrote:
Why do you need to add/remove a certificate?
Mark
On 03/06/2025 09:15, Ivano Luberti wrote:
Hi Mark, only problem to solve is to avoid restart upon adding/removal
of an SSL certificate.
On 29-May-25 09:38, Mark Thomas wrote:
On 29/05/2025 07:59, Ivano Luberti wrote:
Thanks Chris, yes that's what I tried to explain from the
beginning, sorry I wasn't clear enough.
To summarize: there is no solution out of the box, I have to
develop something.
I will look into that.
Just out of interest, what problem are you trying to solve?
Depending on the problem, there may be other solutions.
Mark
Thanks everyone
On 28-May-25 14:43, Christopher Schultz wrote:
Ivano,
On 5/28/25 4:17 AM, Ivano Luberti wrote:
Thanks for all the responses. I try to be more clear.
My server.xml configuration contains a few SSLHostConfig
configurations like this
<SSLHostConfig
hostName="host domain.it"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA">
<Certificate
certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
certificateKeystorePassword="passwrod"
certificateKeystoreType="PKCS12"
/>
</SSLHostConfig>
After certificate renewal, reloading the certificate is no concern.
But if I add (or remove) a new SSLHostConfig, tomcat needs to
be restarted in order to take into account the new configuration.
I would like to know if there is a way to configure tomcat so as to
avoid restart.
Even using a different way to configure tomcat outside of
server.xml using a different certificate format or whatever.
Okay, so you don't mean reconfiguring an existing SSLHostConfig.
You mean adding a new one (or removing an old one).
You should connect to Tomcat using JMX to see all of the
remote-management capabilities it has. You are able to use JMX to create
SSLHostConfig settings on the fly, reconfigure connectors, etc.
without restarting the JVM.
-chris
On 28-May-25 09:49, Michael Osipov wrote:
On 2025/05/27 20:11:25 Ivano Luberti wrote:
Hi all, is there a way to configure tomcat in order to avoid
restart
when I change the list of ssl certificates?
I know and I do it, how to reload existing certificates, but I'm
searching a way to avoid reloading when I add or remove a
certificate.
I'm using Tomcat 9 , but looking for solution also in tomcat 10
or 11.
RTFM: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html ?
Works for me very well.
---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org
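
The "parse the file for a list of domains, then add/remove as necessary" step suggested in the thread, as an added example that is not part of the thread or of Tomcat's code. It assumes a hypothetical list file with one `hostname keystore-file` pair per line, rejects the whole file on any invalid entry (bad host name, keystore outside the certificate directory, duplicate host) and computes the difference against the hosts currently configured; applying that difference to the connector is not shown.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;
import java.util.regex.Pattern;

public class SslHostListDiff {
    // Assumed file format (not defined by Tomcat): "hostname keystore-file" per line,
    // '#' starts a comment. Host names must be plain lower-case DNS names, no wildcards.
    private static final Pattern HOSTNAME = Pattern.compile(
        "(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+");

    /** Parses the list; throws before returning anything if any entry is unsafe. */
    static Map<String, Path> parse(List<String> lines, Path baseDir) {
        Path base = baseDir.toAbsolutePath().normalize();
        Map<String, Path> wanted = new TreeMap<>();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] parts = line.split("\\s+", 2);
            if (parts.length != 2) throw new IllegalArgumentException("Malformed line: " + raw);
            String host = parts[0].toLowerCase(Locale.ROOT);
            if (!HOSTNAME.matcher(host).matches())
                throw new IllegalArgumentException("Invalid host name: " + parts[0]);
            // Resolve relative to the certificate directory and refuse "../" or absolute escapes.
            Path keystore = base.resolve(parts[1]).normalize();
            if (!keystore.startsWith(base))
                throw new IllegalArgumentException("Keystore outside " + base + ": " + parts[1]);
            if (wanted.putIfAbsent(host, keystore) != null)
                throw new IllegalArgumentException("Duplicate host: " + host);
        }
        return wanted;
    }

    public static void main(String[] args) {
        // Constructed sample data: hosts currently configured vs. new contents of the list file.
        Set<String> current = new HashSet<>(Arrays.asList("domain1.example", "domain2.example"));
        List<String> file = Arrays.asList("# customer hosts",
            "domain2.example domain2.example/keystore.pfx",
            "domain3.example domain3.example/keystore.pfx");
        Map<String, Path> wanted = parse(file, Paths.get("/etc/ssl/LetsEncrypt"));
        Set<String> toAdd = new TreeSet<>(wanted.keySet());
        toAdd.removeAll(current);                 // in the file, not yet configured
        Set<String> toRemove = new TreeSet<>(current);
        toRemove.removeAll(wanted.keySet());      // configured, no longer in the file
        System.out.println("add:    " + toAdd);
        System.out.println("remove: " + toRemove);
    }
}
```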