Hi guys,

*Shortly*: Tomcat should have either a Connector or an SSLHostConfig option to automatically reload the certificate from the same file after X days, i.e. reloadAfterDays=10 to force Tomcat to reload the certificate automatically after 10 days.

*Long*: SSL certificates have a period of expiration, and in the case of Let's Encrypt it's set to 3 months, as they think everyone should have an automatic renewal mechanism. As Let's Encrypt is the most popular SSL issuing authority (source: https://trends.builtwith.com/ssl/LetsEncrypt ), I think Tomcat should have an integration with Let's Encrypt that works flawlessly.

We are currently using a script to renew the certificate (I can share our integration details with whoever is interested, please email me if you are interested), but it restarts Tomcat. As Tomcat shall not be restarted ever (ideally), I think Tomcat should have an option to reload the certificate without a dependency on Tomcat source code and "hacks" like some available on StackOverflow: https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates

Those hacks are no good as:

1) code to reload the certificate should not run inside Java code, as Let's Encrypt is invoked through Linux
2) each application that uses that StackOverflow hack has an additional compile and run dependency on Tomcat (which is very bad).

I have a proposal on how this should be fixed: Tomcat should have a server.xml option, something like certificateReloadAfterDays or reloadAfterDays. I see this is moved to SSLHostConfig; we are still using the old params.

Do you agree on this feature? If so... I'm not too lazy to try to do it myself, but as I have never written Tomcat code and don't know the procedures (I have been coding professionally since 2006, but I never committed to a Maven or Git project before, lol), is there someone else who is keen on doing this feature?