On Sat, Dec 19, 2020 at 5:06 PM Romain Manni-Bucau <rmannibu...@gmail.com>
wrote:

> Code can likely be simplified but high level it is just about enabling
> the letsencrypt http dance thanks to a valve and reloading the cert on update.
>
> Note that an acme client is easy to recode to avoid any licensing work so it
> would be a tomcat-letsencrypt module easily IMHO.
>


Thinking more about this problem... instead of this reload SSL
configuration feature, we need fully integrated support for Letsencrypt.

On a side note, Tomcat might be lacking a command line manager utility,
having manager running on a port sounds... like we are people who avoid a
command line, no?

Although I managed my own way of integration, and wrote my own ACME client,
I don't know yet what Tomcat needs to do to be fully Letsencrypt
integrated.

Is there someone currently working on easy letsencrypt integration?
If not, Romain (or others who are reading this thread), are there existing
devs who want to do it?
I'm ready to join, if someone wants the assistance, but it would probably
be helpful not to duplicate efforts.

The question to project maintainers: would you be interested in reviewing
that code for inclusion in the codebase?
(I'm not sure yet how it goes, I'm new here. Certainly, the fact that I
never contributed code to an open-source project which wasn't started by
me doesn't help).

>
> > Ideally, users want Tomcat listed here: https://certbot.eff.org/ as a
> > fully supported server.
> >
> > >
> > > On Sat, 19 Dec 2020 at 15:24, Mladen Adamović <mladen.adamo...@gmail.com> wrote:
> > >
> > > > On Sat, Dec 19, 2020 at 2:29 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > >
> > > > > Why not use cron? You can do this with a single "curl" command and the
> > > > > Manager+JMXProxyServlet.
> > > > >
> > > >
> > > > We are not using Tomcat manager app.
> > > >
> > > > Why should someone be forced to use Manager, read/set up the
> > > > documentation regarding JMXProxyServlet, and create an additional
> > > > servlet (what does it depend on?) only to reload certificates
> > > > automatically?
> > > >
> > > > I'm proposing a solution with a simple SSLHostConfig parameter. It's
> > > > user friendly. Simple, intuitive.
> > > > No need for using manager, no need to create a specific servlet
> > > > somewhere in your code. Just a single server.xml argument.
> > > >
> > > > Also, *another idea*, I'm contributing this code (see below) that we are
> > > > using for the Letsencrypt ACME challenge.
> > > > Tomcat could also have an option, i.e. in web.xml, to automatically
> > > > support the Letsencrypt ACME challenge.
> > > > Idea for web.xml
> > > >   <servlet>
> > > >     <servlet-name>Letsencrypt-acme</servlet-name>
> > > >     <servlet-class>org.apache.catalina.servlets.LetsencryptAcmeChallenge</servlet-class>
> > > >     <init-param>
> > > >       etc.
> > > >     </init-param>
> > > >   </servlet>
> > > >
> > > >
> > > > We are using
> > > > import java.io.File;
> > > > import java.io.FileInputStream;
> > > > import java.io.IOException;
> > > > import java.io.OutputStream;
> > > > import javax.servlet.ServletException;
> > > > import javax.servlet.annotation.WebServlet;
> > > > import javax.servlet.http.HttpServlet;
> > > > import javax.servlet.http.HttpServletRequest;
> > > > import javax.servlet.http.HttpServletResponse;
> > > >
> > > > @WebServlet(name = "LetsencryptAcmeChallenge",
> > > >             urlPatterns = {"/.well-known/acme-challenge/*"})
> > > > public class LetsencryptAcmeChallenge extends HttpServlet {
> > > >
> > > >   /**
> > > >    * Processes requests for both HTTP <code>GET</code> and
> > > >    * <code>POST</code> methods.
> > > >    *
> > > >    * @param request servlet request
> > > >    * @param response servlet response
> > > >    * @throws ServletException if a servlet-specific error occurs
> > > >    * @throws IOException if an I/O error occurs
> > > >    */
> > > >   protected void processRequest(HttpServletRequest request,
> > > >                                 HttpServletResponse response)
> > > >       throws ServletException, IOException {
> > > >     String requestUrl = request.getRequestURL().toString();
> > > >     if (requestUrl.contains(".well-known/acme-challenge/")) {
> > > >       // The challenge token is the last path segment of the request URL.
> > > >       int indexFilename = requestUrl.lastIndexOf("/") + 1;
> > > >       boolean wasError = true;
> > > >       if (indexFilename > 0 && indexFilename < requestUrl.length()) {
> > > >         String filename = requestUrl.substring(indexFilename);
> > > >         File existingFile = new File(
> > > >             "/tmp/letsencrypt/public_html/.well-known/acme-challenge/" + filename);
> > > >         if (existingFile.exists()) {
> > > >           response.setContentType("text/plain");
> > > >           OutputStream out = response.getOutputStream();
> > > >           FileInputStream in = new FileInputStream(existingFile);
> > > >           FilesOperations.inputStreamToOutputStream(in, out);
> > > >           wasError = false;
> > > >         }
> > > >       }
> > > >       if (wasError) {
> > > >         throw new ServletException("invalid requestUrl " + requestUrl);
> > > >       }
> > > >     }
> > > >   }
> > > >
> > > >   // The container dispatches to doGet/doPost, so both delegate to processRequest.
> > > >   @Override
> > > >   protected void doGet(HttpServletRequest request, HttpServletResponse response)
> > > >       throws ServletException, IOException {
> > > >     processRequest(request, response);
> > > >   }
> > > >
> > > >   @Override
> > > >   protected void doPost(HttpServletRequest request, HttpServletResponse response)
> > > >       throws ServletException, IOException {
> > > >     processRequest(request, response);
> > > >   }
> > > > }
> > > >
> > > > from FilesOperations:
> > > >     public static void inputStreamToOutputStream(InputStream in,
> > > >                                                  OutputStream out) throws IOException {
> > > >         try {
> > > >             byte[] buf = new byte[32 * 1024];  // 32K buffer
> > > >             int bytesRead;
> > > >             while ((bytesRead = in.read(buf)) != -1) {
> > > >                 out.write(buf, 0, bytesRead);
> > > >             }
> > > >         } finally {
> > > >             // Close each stream on its own, so out is closed even when in is null.
> > > >             if (in != null) {
> > > >                 in.close();
> > > >             }
> > > >             if (out != null) {
> > > >                 out.close();
> > > >             }
> > > >         }
> > > >     }
> > > >
> > > > > > *Long*:
> > > > > > SSL certificates have an expiration period, and in the case of
> > > > > > Letsencrypt it's set to 3 months, as they think everyone should have
> > > > > > an automatic renewal mechanism.
> > > > > >
> > > > > > As Letsencrypt is the most popular SSL issuing authority (source:
> > > > > > https://trends.builtwith.com/ssl/LetsEncrypt ), I think Tomcat should
> > > > > > have an integration with Letsencrypt that works flawlessly.
> > > > > >
> > > > > > We are currently using a script to renew the certificate (I can share
> > > > > > our integration details with whoever is interested, please email me if
> > > > > > you are interested), but it restarts Tomcat.
> > > > > >
> > > > > > As Tomcat shall not be restarted ever (ideally), I think Tomcat should
> > > > > > have an option to reload the certificate, without a dependency on the
> > > > > > Tomcat source code and without "hacks" like the ones available on
> > > > > > StackOverflow (
> > > > > > https://stackoverflow.com/questions/5816239/how-do-i-force-tomcat-to-reload-trusted-certificates
> > > > > > ).
> > > > > > Those hacks are no good as:
> > > > > > 1) code to reload the certificate should not run inside Java code, as
> > > > > > letsencrypt is invoked through Linux
> > > > > > 2) each application that uses that StackOverflow hack has an additional
> > > > > > compile and run dependency on Tomcat (which is very bad).
> > > > > >
> > > > > > I have a proposal on how this should be fixed: Tomcat should have a
> > > > > > server.xml option, something like certificateReloadAfterDays or
> > > > > > reloadAfterDays.
> > > > > >
> > > > > > I see this has moved to SSLHostConfig; we are still using the old
> > > > > > params.
> > > > > >
> > > > > > Do you agree on this feature?
> > > > > >
> > > > > > If so... I'm not too lazy to try to do it myself, but as I haven't ever
> > > > > > written Tomcat code nor know the procedures (I have been coding
> > > > > > professionally since 2006, but I never committed to a Maven or Git
> > > > > > project before, lol), is there someone else who is keen on doing this
> > > > > > feature?
> > > > >
> > > > > Have a look at this:
> > > > > http://tomcat.apache.org/presentations.html#latest-lets-encrypt
> > > > >
> > > > > -chris
> > > > >
> > > > >
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > > > > For additional commands, e-mail: dev-h...@tomcat.apache.org
>
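A hardened variant of the challenge servlet posted in this thread, added here as an illustration (not code from the thread or from Tomcat itself): it only accepts tokens in the RFC 8555 base64url alphabet, confirms the resolved file stays inside the challenge directory, serves it with the content type the RFC recommends, and answers 404 rather than raising a 500 for everything else. The class name and the challenge directory path are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened version of the LetsencryptAcmeChallenge servlet from the thread.
@WebServlet(name = "AcmeChallengeServlet", urlPatterns = {"/.well-known/acme-challenge/*"})
public class AcmeChallengeServlet extends HttpServlet {

    // Assumed webroot where the ACME client writes the challenge files (same path as the thread).
    private static final Path CHALLENGE_DIR =
        Paths.get("/tmp/letsencrypt/public_html/.well-known/acme-challenge").toAbsolutePath().normalize();

    // RFC 8555 tokens are unpadded base64url, so anything outside this alphabet
    // (dots, slashes, percent-escapes) is rejected before it reaches the file system.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]{1,256}");

    // Returns the challenge file for the request's path info, or null when the path
    // is not a well-formed token, escapes CHALLENGE_DIR, or is not a regular file.
    static Path resolveToken(String pathInfo) {
        if (pathInfo == null || !pathInfo.startsWith("/")) return null;
        String token = pathInfo.substring(1);
        if (!TOKEN.matcher(token).matches()) return null;
        Path file = CHALLENGE_DIR.resolve(token).normalize();
        if (!file.startsWith(CHALLENGE_DIR) || !Files.isRegularFile(file)) return null;
        return file;
    }

    // ACME validation servers fetch the token with GET; POST is deliberately not handled.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Path file = resolveToken(request.getPathInfo());
        if (file == null) {
            // Unknown or malformed token: a plain 404, not a ServletException that becomes a 500.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // RFC 8555 section 8.3: the key authorization should be served as application/octet-stream.
        response.setContentType("application/octet-stream");
        response.setContentLengthLong(Files.size(file));
        Files.copy(file, response.getOutputStream());
    }
}
```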
