Skip to content
This repository has been archived by the owner on Feb 16, 2024. It is now read-only.

Tomcat AprProtocol that automatically reloads SSLConfig

License

Notifications You must be signed in to change notification settings

schnatterer/tomcat-reloading-connector

Repository files navigation

tomcat-reloading-connector

Build Status Technical Debt

Tomcat connector that automatically reloads SSLConfig.

⚠️ Note that there now is a built-in TLSCertificateReloadListener that monitors the expiration dates of TLS certificates and trigger automatic reloading of the TLS configuration a set number of days before the TLS certificate expires. Not exactly the same functionality as provided by tomcat-reloading-connector but should also solve the problem and is officially built into tomcat.

See also Bug 65770.

How to use?

Right now, tomcat-reloading-connector offers a specialized org.apache.coyote.http11.Http11AprProtocol that watches the folder that contains the first configured certificate for changes and reloads SSLConfig on change.

Http11AprProtocol means this will only work with Apache Portable Runtime (APR) based Native library for Tomcat.

Examples

  • This repo contains a couple of examples (Tomcat, Spring Boot and embedded Tomcat, described bellow).
  • If you are looking for a more integrated solution try letsencrypt-tomcat, which combines tomcat-reloading-connector with the ACME implementation dehydrated for a fully automated certificate renewal using Tomcat and Let's Encrypt.
  • If you're planning to use certbot, this info in #3 by user cyberphone might help you getting started.

Dependency

<dependency>
  <groupId>info.schnatterer.tomcat-reloading-connector</groupId>
  <artifactId>tomcat-reloading-connector</artifactId>
  <version>0.1.0</version>
</dependency>

If you need the jar you could also download it manually, from here:

https://repo1.maven.org/maven2/info/schnatterer/tomcat-reloading-connector/reloading-connector/0.1.0/reloading-connector-0.1.0.jar

Maven Central

You can also get snapshot versions from our snapshot repository (for the most recent commit). To do so, add the following repo to your pom.xml or settings.xml:

<repository>
    <id>snapshots-repo</id>
    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    <releases><enabled>false</enabled></releases>
    <snapshots><enabled>true</enabled></snapshots>
</repository>

Usage with Tomcat

  • Drop the reloading-connector.jar into your tomcat's library folder.
  • Configure the ReloadingHttp11AprProtocol in your server.xml.
  • Example:
<Connector port="8443" protocol= "info.schnatterer.tomcat.ReloadingHttp11AprProtocol" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="path/privkey.pem"
         certificateFile="path/cert.pem"
         certificateChainFile="path/fullchain.pem"
         type="RSA" />
    </SSLHostConfig>
</Connector>

Note that the certificates are not reloaded instantly but there is a short delay (default: 3s) to make sure all files related to the certificated (cert, key, chain) have been written and no inconsistent state is loaded by tomcat.
If you need to customize this, you can set the delay in milliseconds via the environment variable TOMCAT_DELAY_RELOAD_CERTIFICATES_MILLIS.
For example for letsencrypt the time between the creation of CSR and full chain usually is between 10-20s.

Usage with Spring Boot

  • Add the dependency to your embedded tomcat project.
  • Create a Connector with the ReloadingHttp11AprProtocol and configure it.
  • See example.

Usage with Embedded Tomcat

  • Add the dependency to your embedded tomcat project.
  • Create a Connector with the ReloadingHttp11AprProtocol and configure it.
  • See example.

Try it

Docker

CONTAINER=$(docker run --rm -p8443:8443 -d schnatterer/tomcat-reloading-connector-example)
sleep 2

# View web app
curl -k https://localhost:8443
# View cert
echo | openssl s_client -showcerts -servername localhost -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep -A2 Validity

# Reload certs
docker exec ${CONTAINER} /createCerts.sh
# View new cert
sleep 5
echo | openssl s_client -showcerts -servername localhost -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep -A2 Validity
docker stop ${CONTAINER}

If you want to build the image yourself:
(note that they are included into one Dockerfile to keep them DRY)

  • docker build . builds the spring-boot image
  • docker build --build-arg=FLAVOR=embedded-tomcat . builds the embedded tomcat image
  • docker build --build-arg=FLAVOR=standalone-tomcat . builds the standalone tomcat image

Locally

mvn package

# Copy lib binaries from bitnami image
# Or compile yourself
# https://tomcat.apache.org/tomcat-9.0-doc/apr.html
# Download: https://tomcat.apache.org/download-native.cgi
# Deps: sudo apt-get install libapr1 libapr1-dev 
CONTAINER=$(docker create bitnami/tomcat:9.0.31-debian-10-r25 )
docker cp ${CONTAINER}:/opt/bitnami/tomcat/lib /tmp
docker rm ${CONTAINER}
mkdir lib
mv /tmp/lib/libapr* /tmp/lib/libtcnative* lib

./createCerts.sh

# Start embedded tomcat
LD_LIBRARY_PATH="$(pwd)/lib:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" java -jar examples/embedded-tomcat/target/tomcat-jar-with-dependencies.jar
# or spring boot
LD_LIBRARY_PATH="$(pwd)/lib:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" java -jar examples/spring-boot/target/spring-boot-*.jar
# Standalone example is docker only

Releasing

./mvnw release:prepare -DreleaseVersion=0.3.0 -DdevelopmentVersion=0.3.1-SNAPSHOT

Sets versions in pom.xml, commits, tags and pushes to SCM. Travis builds tag and pushes to Maven Central.