
List:       tomcat-user
Subject:    Re: updating CRL in use in tomcat
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2019-01-31 2:03:01
Message-ID: 156d079f-0249-e233-8d1c-8a1cd1ea0756 () christopherschultz ! net

Joseph,

On 1/30/19 16:20, Joseph Dornisch wrote:
> It appears that it is possible to have tomcat refresh its CRL
> specified in the Connector from reading: 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60762
> 
> The bug/feature request seems to have been fixed/implemented, but I
> haven't found any documentation about how to tell Tomcat when to
> update the relevant CRL. Do you have to override the connector
> class or use JMX? Or are there configuration options in the
> Connector itself?

There is no auto-reload option on the Connection. You will have to
trigger the reload yourself. My recommendation would be to use JMX to
trigger the reload because you don't have to write any code to do it.
You can use the Manager's JMXProxyServlet to expose JMX-over-HTTPS and
then use something like curl from a script to trigger the reload.

Take a look starting on slide 27 of this presentation:
https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf

If you ignore the fact that the keystore is what's being replaced,
everything in there sounds like it's exactly what you want to do.

Hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
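
The curl-from-a-script approach suggested in the reply above, as an added example that is not part of the original message or of the linked presentation. It assumes the Manager webapp is deployed, the account has the manager-jmx role, the Engine is named Catalina, and that `reloadSslHostConfigs` on the connector's ProtocolHandler MBean is the reload to trigger; the host, ports and netrc path are placeholders.

```shell
#!/bin/sh
# Added example: ask Tomcat to reload a connector's TLS configuration after the
# CRL file on disk has been replaced, via the Manager's JMXProxyServlet.
# Assumptions: Engine name "Catalina", connector registered without an
# address attribute, operation name reloadSslHostConfigs.

# Percent-encode the characters that occur in a JMX object name.
urlencode_objname() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's/=/%3D/g' \
                           -e 's/,/%2C/g' -e 's/"/%22/g'
}

# Build the JMX proxy "invoke" URL.
# $1 = manager host, $2 = manager HTTPS port, $3 = port of the connector to reload
jmxproxy_reload_url() {
    bean=$(urlencode_objname "Catalina:type=ProtocolHandler,port=$3")
    printf 'https://%s:%s/manager/jmxproxy/?invoke=%s&op=reloadSslHostConfigs' \
        "$1" "$2" "$bean"
}

# The proxy reports the outcome in the response body, so the body has to be
# checked as well as the HTTP status. Success bodies start with "OK".
jmxproxy_ok() {
    case "$1" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1..$3 as above, $4 = netrc file holding the manager-jmx credentials.
# Returns 0 on success, 1 if Tomcat reported an error, 2 if the request failed.
reload_crl() {
    url=$(jmxproxy_reload_url "$1" "$2" "$3")
    # --netrc-file keeps the password out of the process list and shell history;
    # certificate verification stays on (no --insecure).
    body=$(curl --silent --show-error --fail --netrc-file "$4" "$url") || return 2
    jmxproxy_ok "$body" || { printf 'reload failed: %s\n' "$body" >&2; return 1; }
}

# Usage after writing the new CRL to the path the Connector is configured with
# (placeholder values):
#   reload_crl tomcat.example.internal 8443 8443 /etc/tomcat/jmx.netrc
```

Run it from the same job that fetches the new CRL, and alert on a non-zero exit so a failed reload does not leave a stale revocation list in service unnoticed.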
