On Sat, Dec 19, 2020 at 2:29 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> Why not use cron? You can do this with a single "curl" command and the
> Manager+JMXProxyServlet.

We are not using the Tomcat manager app. Why should someone be forced to use Manager, read/set up the documentation regarding JMXProxyServlet, and create an additional servlet (what does it depend on?) only to reload certificates automatically?

I'm proposing a solution with a simple SSLHostConfig parameter. It's user friendly. Simple, intuitive. No need for using Manager, no need to create a specific servlet somewhere in your code. Just a single server.xml argument.

Also, *another idea*: I'm contributing this code (see below) which we are using for the Letsencrypt ACME challenge. Tomcat could also have an option, e.g. in web.xml, to support the Letsencrypt ACME challenge automatically.

Idea for web.xml:

    <servlet>
        <servlet-name>Letsencrypt-acme</servlet-name>
        <servlet-class>org.apache.catalina.servlets.LetsencryptAcmeChallenge</servlet-class>
        <init-param> etc.
    </servlet>

We are using:

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;

    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebServlet(name = "LetsencryptAcmeChallenge", urlPatterns = {"/.well-known/acme-challenge/*"})
    public class LetsencryptAcmeChallenge extends HttpServlet {

        /**
         * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
         *
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String requestUrl = request.getRequestURL().toString();
            if (requestUrl.contains(".well-known/acme-challenge/")) {
                // The token is the last path segment of the request URL.
                int indexFilename = requestUrl.lastIndexOf("/") + 1;
                boolean wasError = true;
                if (indexFilename > 0 && indexFilename < requestUrl.length()) {
                    String filename = requestUrl.substring(indexFilename);
                    // Directory the ACME client (certbot webroot plugin) writes the token files into.
                    File existingFile = new File("/tmp/letsencrypt/public_html/.well-known/acme-challenge/" + filename);
                    if (existingFile.exists()) {
                        response.setContentType("text/plain");
                        OutputStream out = response.getOutputStream();
                        FileInputStream in = new FileInputStream(existingFile);
                        FilesOperations.inputStreamToOutputStream(in, out);
                        wasError = false;
                    }
                }
                if (wasError) {
                    throw new ServletException("invalid requestUrl " + requestUrl);
                }
            }
        }

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }
    }

from FilesOperations:

    public class FilesOperations {

        /** Copies everything from in to out, closing both streams when done. */
        public static void inputStreamToOutputStream(InputStream in, OutputStream out) throws IOException {
            try {
                byte[] buf = new byte[32 * 1024]; // 32K buffer
                int bytesRead;
                while ((bytesRead = in.read(buf)) != -1) {
                    out.write(buf, 0, bytesRead);
                }
            } finally {
                if (in != null) {
                    in.close();
                    out.close();
                }
            }
        }
    }

> > *Long*:
> > SSL certificates have a period of expiration and in the case of
> > Letsencrypt, it's set to 3 months as they think everyone should have the
> > renewal mechanism automatically.
> >
> > As Letsencrypt is the most popular SSL issuing authority (source:
> > https://trends.builtwith.com/ssl/LetsEncrypt ), I think Tomcat should have
> > an integration with Letsencrypt working flawlessly.
> >
> > We are currently using the script to renew the certificate (I can share our
> > integration details with whoever is interested, please email me if you are
> > interested), but it's restarting Tomcat.
> >
> > As Tomcat shall not be restarted ever (ideally), I think Tomcat should have
> > an option to reload the certificate, without a dependency on Tomcat source code
> > and "hacks" like some available on StackOverflow:
> > https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates ).
> > Those hacks are no good as:
> > 1) code to reload the certificate should not run inside Java code, as
> > letsencrypt is invoked through Linux
> > 2) each application that uses that Stackoverflow hack has an additional compile
> > and run dependency set to Tomcat (which is very bad).
> >
> > I have a proposal on how this should be fixed: Tomcat should have a
> > server.xml option, something like certificateReloadAfterDays or
> > reloadAfterDays
> >
> > I see this is moved to SSLHostConfig, we are still using the old params.
> >
> > Do you agree on this feature?
> >
> > If so... I'm not lazy to try to do it myself, but as I haven't ever written
> > Tomcat code nor know the procedures (I have been coding professionally
> > since 2006, but I never committed to a Maven or Git project before, lol), is
> > there someone else who is keen on doing this feature?
>
> Have a look at this:
> http://tomcat.apache.org/presentations.html#latest-lets-encrypt
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
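The servlet contributed above builds the file path from the last segment of the request URL, serves any file that happens to exist under the challenge directory, and turns a missing token into a 500 via ServletException. The hardened variant below is an added example written for this page; it is not the poster's code nor anything shipped by Tomcat. It assumes the javax.servlet API (Tomcat 9 and earlier), the same challenge directory the poster uses, and a hypothetical class name AcmeChallengeServlet. It allowlists the token to the base64url alphabet that ACME HTTP-01 tokens use (RFC 8555 section 8.3), checks that the canonical path stays inside the challenge directory as defence in depth, answers 404 for anything else so the ACME server sees an ordinary "not found", and copies the file without hand-managed streams.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened variant of the ACME HTTP-01 challenge servlet posted above (not Tomcat code).
@WebServlet(name = "AcmeChallengeServlet", urlPatterns = {"/.well-known/acme-challenge/*"})
public class AcmeChallengeServlet extends HttpServlet {

    // Directory the ACME client writes token files into (assumed path; in practice read it from an init-param).
    private static final Path CHALLENGE_DIR =
            Paths.get("/tmp/letsencrypt/public_html/.well-known/acme-challenge").toAbsolutePath().normalize();

    // HTTP-01 tokens are base64url without padding; anything outside this alphabet is rejected up front.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]{1,256}");

    /**
     * Maps a token to its file inside challengeDir.
     * Returns null when the token is malformed, escapes the directory, or has no regular file.
     */
    static Path resolveToken(Path challengeDir, String token) {
        if (token == null || !TOKEN.matcher(token).matches()) {
            return null;
        }
        Path candidate = challengeDir.resolve(token).normalize();
        // The alphabet already excludes '/' and "..", but keep the containment check as defence in depth.
        if (!candidate.startsWith(challengeDir) || candidate.equals(challengeDir)) {
            return null;
        }
        return Files.isRegularFile(candidate) ? candidate : null;
    }

    // The challenge is fetched with GET only; POST keeps HttpServlet's default 405.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getPathInfo() is the part after the mapping, already URL-decoded and normalised by the container.
        String pathInfo = request.getPathInfo();
        String token = (pathInfo != null && pathInfo.startsWith("/")) ? pathInfo.substring(1) : null;

        Path file = resolveToken(CHALLENGE_DIR, token);
        if (file == null) {
            // Unknown or invalid token: a plain 404, not a stack trace from ServletException.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        response.setContentType("text/plain");
        response.setContentLengthLong(Files.size(file));
        // Files.copy streams the file and leaves the response stream to the container to close.
        Files.copy(file, response.getOutputStream());
    }
}
```

Because resolveToken takes the directory as a parameter, it can be unit-tested against a temporary directory: a valid token whose file exists resolves, "../../etc/passwd" and "token/extra" fail the allowlist, and a valid-looking token with no file returns null.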