Mladen,
On 12/19/20 05:12, Mladen Adamović wrote:
> Hi guys,
>
> *In short*: Tomcat should have either a Connector or an SSLHostConfig
> option to automatically reload the certificate from the same file after
> X days, e.g. reloadAfterDays=10 to force Tomcat to reload the
> certificate automatically after 10 days.
Why not use cron? You can do this with a single "curl" command and the
Manager+JMXProxyServlet.
> *Long*:
>
> SSL certificates have an expiration period, and in the case of
> Let's Encrypt it is set to 3 months, as they think everyone should have
> an automatic renewal mechanism.
>
> As Let's Encrypt is the most popular SSL issuing authority (source:
> https://trends.builtwith.com/ssl/LetsEncrypt ), I think Tomcat should
> have an integration with Let's Encrypt that works flawlessly.
>
> We are currently using a script to renew the certificate (I can share
> our integration details with whoever is interested; please email me if
> you are), but it restarts Tomcat.
>
> As Tomcat should ideally never be restarted, I think Tomcat should have
> an option to reload the certificate, without a dependency on Tomcat
> source code or "hacks" like those available on Stack Overflow:
> https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates
>
> Those hacks are no good because:
> 1) the code to reload the certificate should not run inside Java code,
> as letsencrypt is invoked through Linux;
> 2) each application that uses that Stack Overflow hack has an
> additional compile-time and runtime dependency on Tomcat (which is very
> bad).
>
> I have a proposal for how this should be fixed: Tomcat should have a
> server.xml option, something like certificateReloadAfterDays or
> reloadAfterDays.
>
> I see this has moved to SSLHostConfig; we are still using the old
> params.
>
> Do you agree on this feature?
>
> If so... I'm not too lazy to try to do it myself, but as I have never
> written Tomcat code nor know the procedures (I have been coding
> professionally since 2006, but I have never committed to a Maven or Git
> project before, lol), is there someone else who is keen on doing this
> feature?
Have a look at this:
http://tomcat.apache.org/presentations.html#latest-lets-encrypt
-chris
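The cron-plus-curl approach Chris points at, written out as an added example (this is not code from the thread, from Tomcat, or from the linked presentation). It assumes the Manager webapp is reachable on 127.0.0.1:8080, that the TLS connector is on port 8443 with no explicit address attribute (so its MBean is Catalina:type=ProtocolHandler,port=8443), that a user with the manager-jmx role exists in tomcat-users.xml and has its credentials in ~/.netrc, and that the ACME client writes the renewed certificate to $CERT_FILE. The hostile-looking file paths, the state file and the hashing-based change check are all illustrative choices, not Tomcat conventions:

```shell
#!/bin/sh
# Added example: cron job that asks a running Tomcat to reload its TLS
# certificates through the Manager's JMXProxyServlet, without a restart.
# All paths, ports and the state file below are assumptions for the example.
set -eu

TOMCAT_MANAGER_URL="${TOMCAT_MANAGER_URL:-http://127.0.0.1:8080/manager/jmxproxy/}"  # assumption
TLS_PORT="${TLS_PORT:-8443}"                                                        # assumption
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/example.com/fullchain.pem}"           # assumption
STATE_FILE="${STATE_FILE:-/var/lib/tomcat/last-reloaded-cert.sha256}"               # assumption

# URL that invokes the no-argument operation reloadSslHostConfigs on the
# ProtocolHandler MBean of the connector listening on the given port.
# JMXProxyServlet takes the MBean name in "invoke" and the operation in "op".
jmxproxy_reload_url() {
    port="$1"
    printf '%s?invoke=Catalina:type=ProtocolHandler,port=%s&op=reloadSslHostConfigs\n' \
        "$TOMCAT_MANAGER_URL" "$port"
}

# Return 0 (and record the new hash) when the certificate file differs from
# the one Tomcat last reloaded, 1 when it is unchanged. Hashing the contents
# rather than comparing mtimes means a rewritten but byte-identical file does
# not cause a pointless reload.
cert_changed() {
    cert="$1"
    state="$2"
    current=$(sha256sum "$cert" | cut -d' ' -f1)
    previous=$(cat "$state" 2>/dev/null || true)
    if [ "$current" = "$previous" ]; then
        return 1
    fi
    printf '%s\n' "$current" > "$state"
    return 0
}

# Reload only when the certificate actually changed. Credentials for the
# manager-jmx user come from ~/.netrc so they stay out of the process list
# and out of cron's mail; --fail makes an HTTP error fail the job loudly.
reload_if_changed() {
    if cert_changed "$CERT_FILE" "$STATE_FILE"; then
        curl --fail --silent --show-error --netrc "$(jmxproxy_reload_url "$TLS_PORT")"
    fi
}

# Run from cron as:  */30 * * * *  /usr/local/sbin/tomcat-cert-reload.sh --run
[ "${1:-}" = "--run" ] && reload_if_changed || true
```

Running this every half hour is cheap because nothing is sent to Tomcat unless the file on disk changed; the same script also works as a certbot deploy hook, where it runs exactly once per successful renewal.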