On 13/07/2020 11:09, Merlin Beedell wrote:

<snip/>

> If the connector section in server.xml is edited to point to a new
> certificate path/filename, it is ignored.  The current certificate
> config continues to be used.

As expected. server.xml is only read on Tomcat start. Changes made after
that point will not take effect until the next Tomcat restart.

> If the certificate file is replaced by a new certificate, the end-user
> does not see any change – a fresh browser will still see the old
> certificate.

That isn't the behaviour I would expect.

> So: Is there some /other/ action that I need to invoke after the
> reloadSslHostConfigs?

No.

>  Or to invoke it under a different “mbean name”?

No.

> When I change the bean name to include *address=127.0.0.1* as per your
> curl example (Catalina:type=ProtocolHandler,port=443,address=127.0.0.1)
> it errors.

Exact bean names will depend on server configuration.

> The connector config (simple self-signed cert in this case – not yet
> changed to a letsencrypt one) looks similar to this:
> 
>     <Connector SSLEnabled="true" maxThreads="150" port="443"
>                protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>                sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"></UpgradeProtocol>
>         <SSLHostConfig certificateVerification="false"
>                        ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
>                        honorCipherOrder="true" protocols="TLSv1.3,TLSv1.2">
>             <Certificate certificateKeyAlias="tomcat"
>                          certificateKeystoreFile="C:\opt\certificates\keystore"
>                          certificateKeystorePassword="passphrase"
>                          certificateKeystoreType="JKS"></Certificate>
>         </SSLHostConfig>
>     </Connector>
> 
> And I am trying to reset it to a PKCS12 keystore:
> 
>             <Certificate certificateKeystoreFile="C:\opt\certificates\web_cert.pfx"
>                          certificateKeystorePassword="newpass"
>                          certificateKeystoreType="PKCS12"></Certificate>

To do that while Tomcat is running you'd need to change the Certificate
attributes to the new values (via JMX) and then call reloadSslHostConfigs.

Mark
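
The sequence Mark describes (set the Certificate attributes over JMX, then invoke reloadSslHostConfigs on the ProtocolHandler), written out as an added example. This script is not from the thread or from the Tomcat project; it drives the Manager webapp's JMX proxy servlet with curl, the same channel as the curl example mentioned above. Assumptions not stated in the thread: the manager webapp is deployed and the account holds the manager-jmx role; the endpoint behind the port 443 connector is named "https-jsse-nio2-443" (Tomcat derives this from the SSL implementation, protocol and port, so confirm it with the qry= listing the script prints first); and the certificate MBean follows the ObjectName pattern Catalina:type=SSLHostConfigCertificate,ThreadPool="…",Host="_default_",name=UNDEFINED, which is how Tomcat registers a Certificate element that sets no type attribute. The credentials, keystore path and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: switch a running Tomcat connector to
# a new keystore via the Manager JMX proxy, then call reloadSslHostConfigs.
# The bean names below are assumptions; verify them with the qry= listing.
set -eu

TOMCAT="${TOMCAT:-https://127.0.0.1:443}"            # base URL of the connector to rotate
MANAGER_AUTH="${MANAGER_AUTH:-admin:changeit}"        # manager-jmx credentials (placeholder)
THREADPOOL="${THREADPOOL:-https-jsse-nio2-443}"       # endpoint name (assumption, see qry)
NEW_KEYSTORE="${NEW_KEYSTORE:-C:\\opt\\certificates\\web_cert.pfx}"
NEW_PASSWORD="${NEW_PASSWORD:-newpass}"
SNI_HOST="${SNI_HOST:-localhost}"                     # hostname a browser would send in SNI

# ObjectName of the default host's Certificate MBean (assumed pattern).
# ThreadPool and Host carry quoted values, so the name must be URL-encoded
# on the wire; curl --data-urlencode does that for us.
cert_mbean() {
    printf 'Catalina:type=SSLHostConfigCertificate,ThreadPool="%s",Host="_default_",name=UNDEFINED' "$1"
}

# ProtocolHandler MBean that exposes the reloadSslHostConfigs operation.
protocol_handler_mbean() {
    printf 'Catalina:type=ProtocolHandler,port=%s' "$1"
}

# JMXProxyServlet replies with a line beginning "OK" or "Error".
jmx_ok() {
    case "$1" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# One GET to /manager/jmxproxy/ with URL-encoded parameters.
jmxproxy() {
    curl -sS -k -u "$MANAGER_AUTH" -G "$TOMCAT/manager/jmxproxy/" "$@"
}

# set_attr <bean> <attribute> <value>
set_attr() {
    out=$(jmxproxy --data-urlencode "set=$1" --data-urlencode "att=$2" --data-urlencode "val=$3")
    jmx_ok "$out" || { echo "set $2 failed: $out" >&2; return 1; }
}

# What a fresh TLS client (the end user's browser) is actually served.
served_fingerprint() {
    openssl s_client -connect "${TOMCAT#https://}" -servername "$SNI_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

rotate() {
    bean=$(cert_mbean "$THREADPOOL")
    # 1. List the certificate MBeans that really exist; adjust THREADPOOL if needed.
    jmxproxy --data-urlencode 'qry=Catalina:type=SSLHostConfigCertificate,*'
    before=$(served_fingerprint)
    # 2. Re-point the Certificate at the PKCS12 keystore. This alone changes
    #    nothing on the wire; the endpoint still holds the old SSLContext.
    set_attr "$bean" certificateKeystoreType PKCS12
    set_attr "$bean" certificateKeystoreFile "$NEW_KEYSTORE"
    set_attr "$bean" certificateKeystorePassword "$NEW_PASSWORD"
    # 3. Rebuild the SSLContext(s) from the updated attributes.
    out=$(jmxproxy --data-urlencode "invoke=$(protocol_handler_mbean 443)" \
                   --data-urlencode 'op=reloadSslHostConfigs')
    jmx_ok "$out" || { echo "reload failed: $out" >&2; return 1; }
    # 4. Confirm a new handshake sees the new certificate.
    after=$(served_fingerprint)
    echo "before: $before"
    echo "after:  $after"
    [ "$before" != "$after" ] || { echo "served certificate did not change" >&2; return 1; }
}

if [ "${1:-}" = "rotate" ]; then
    rotate
fi
```

Run it as `sh rotate.sh rotate` from a host that is allowed to reach the Manager. Two caveats: the JMX proxy is GET-only, so the keystore password travels in the query string and will appear in the Manager's access log, which is a reason to do this over loopback or an otherwise trusted path; and because server.xml is only read at startup, an attribute changed this way is not persisted, so the Certificate element in server.xml must be edited as well or the next restart reverts to the JKS keystore. If the new PKCS12 file uses a different key alias than the old "tomcat" entry, set certificateKeyAlias through the same set= call before reloading.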

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org