Tomcat connector that automatically reloads SSLConfig.
Tomcat now ships a TLSCertificateReloadListener that monitors the expiration dates of TLS certificates and triggers an automatic reload of the TLS configuration a set number of days before a certificate expires. This is not exactly the same functionality as tomcat-reloading-connector provides, but it should also solve the problem and is officially built into Tomcat. See also Bug 65770.
Right now, tomcat-reloading-connector offers a specialized org.apache.coyote.http11.Http11AprProtocol that watches the folder containing the first configured certificate for changes and reloads the SSLConfig when a change is detected. Http11AprProtocol means this only works with the Apache Portable Runtime (APR) based Native library for Tomcat.
- This repo contains a couple of examples (Tomcat, Spring Boot and embedded Tomcat, described below).
- If you are looking for a more integrated solution, try letsencrypt-tomcat, which combines tomcat-reloading-connector with the ACME implementation dehydrated for fully automated certificate renewal using Tomcat and Let's Encrypt.
- If you're planning to use certbot, the info in #3 by user cyberphone might help you get started.
```xml
<dependency>
    <groupId>info.schnatterer.tomcat-reloading-connector</groupId>
    <artifactId>tomcat-reloading-connector</artifactId>
    <version>0.1.0</version>
</dependency>
```
If you need the jar, you can also download it manually from here:
https://repo1.maven.org/maven2/info/schnatterer/tomcat-reloading-connector/reloading-connector/0.1.0/reloading-connector-0.1.0.jar

You can also get snapshot versions (built from the most recent commit) from our snapshot repository. To do so, add the following repo to your pom.xml or settings.xml:
```xml
<repository>
    <id>snapshots-repo</id>
    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    <releases><enabled>false</enabled></releases>
    <snapshots><enabled>true</enabled></snapshots>
</repository>
```
- Drop the reloading-connector.jar into your Tomcat's library folder.
- Configure the ReloadingHttp11AprProtocol in your server.xml. Example:
```xml
<Connector port="8443" protocol="info.schnatterer.tomcat.ReloadingHttp11AprProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="path/privkey.pem"
                     certificateFile="path/cert.pem"
                     certificateChainFile="path/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
- See also example.
Note that the certificates are not reloaded instantly: there is a short delay (default: 3s) to make sure all files related to the certificate (cert, key, chain) have been written, so that Tomcat does not load an inconsistent state. If you need to customize this, set the delay in milliseconds via the environment variable TOMCAT_DELAY_RELOAD_CERTIFICATES_MILLIS. For example, with Let's Encrypt the time between the creation of the CSR and the full chain is usually between 10-20s.
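Because of that delay, a renewal job cannot assume the new certificate is live the moment the files land on disk. The following is an added check, not part of tomcat-reloading-connector: it reads the leaf certificate from the PEM file on disk, polls the server until the certificate it presents for the given SNI name has the same SHA-256 fingerprint, and gives up after a timeout. It needs only the JDK; host, port, PEM path and timeout are arguments you supply (the host must be a DNS name, since it is also used for SNI).

```java
// Added example, not the project's own code: poll a Tomcat HTTPS port until the
// certificate it presents matches the renewed file on disk, allowing for the
// connector's reload delay. Assumes only the JDK; host, port, PEM path and
// timeout are caller-supplied placeholders.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CertReloadCheck {

    /** SHA-256 over the DER encoding, the same value "openssl x509 -fingerprint -sha256" prints. */
    static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** First certificate in a PEM file, i.e. the leaf of cert.pem or fullchain.pem. */
    static X509Certificate readLeaf(String pemPath) throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Leaf certificate the server presents for the given SNI host name. */
    static X509Certificate fetchServedLeaf(String host, int port) throws IOException, GeneralSecurityException {
        // Diagnostic trust manager: it only lets the handshake complete so the
        // presented chain can be read; the fingerprint comparison below is the real check.
        TrustManager passThrough = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { passThrough }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            socket.setSSLParameters(params);
            socket.startHandshake();
            return (X509Certificate) socket.getSession().getPeerCertificates()[0];
        }
    }

    /** Polls once per second until the served leaf matches the file or the timeout passes. */
    static boolean waitForReload(String host, int port, String pemPath, int timeoutSeconds)
            throws IOException, GeneralSecurityException, InterruptedException {
        String expected = fingerprint(readLeaf(pemPath));
        for (int i = 0; i < timeoutSeconds; i++) {
            if (fingerprint(fetchServedLeaf(host, port)).equals(expected)) {
                return true;
            }
            Thread.sleep(1000);
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String pemPath = args[2];
        // Allow comfortably more than the default 3 s reload delay; raise this
        // if you set TOMCAT_DELAY_RELOAD_CERTIFICATES_MILLIS higher.
        int timeout = args.length > 3 ? Integer.parseInt(args[3]) : 15;
        boolean ok = waitForReload(host, port, pemPath, timeout);
        System.out.println(ok ? "served certificate matches " + pemPath
                              : "served certificate still differs from " + pemPath);
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit from this check is what a renewal hook should treat as "the reload did not happen", for example because the watched folder is not the one the certificate files were written to, or because the configured delay is shorter than the time the ACME client needs to write all three files.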
- Add the dependency to your embedded Tomcat project.
- Create a Connector with the ReloadingHttp11AprProtocol and configure it.
- See example.
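The steps above, as an added example that is not the project's own example code: an embedded Tomcat 9 whose HTTPS connector uses ReloadingHttp11AprProtocol, mirroring the server.xml snippet. It assumes tomcat-embed-core and tomcat-reloading-connector on the classpath and libtcnative on the library path (as set up under local development below); the certificate directory is a placeholder argument, and all three PEM files are expected in that one folder because the connector watches the folder of the first configured certificate.

```java
// Added example, not the project's own code: embedded Tomcat 9 with an HTTPS
// connector using ReloadingHttp11AprProtocol. Assumes tomcat-embed-core and
// tomcat-reloading-connector on the classpath and libtcnative on the library
// path. The certificate directory is a placeholder argument.
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.core.AprLifecycleListener;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http2.Http2Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class ReloadingEmbeddedTomcat {

    /** Builds an HTTPS connector equivalent to the server.xml example. */
    static Connector reloadingConnector(int port, File certDir) {
        Connector connector = new Connector("info.schnatterer.tomcat.ReloadingHttp11AprProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");
        connector.addUpgradeProtocol(new Http2Protocol());

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.RSA);
        // The connector watches the folder of the first configured certificate,
        // so key, cert and chain should all live in certDir.
        cert.setCertificateKeyFile(new File(certDir, "privkey.pem").getAbsolutePath());
        cert.setCertificateFile(new File(certDir, "cert.pem").getAbsolutePath());
        cert.setCertificateChainFile(new File(certDir, "fullchain.pem").getAbsolutePath());
        sslHostConfig.addCertificate(cert);
        connector.addSslHostConfig(sslHostConfig);
        return connector;
    }

    public static void main(String[] args) throws LifecycleException {
        File certDir = new File(args.length > 0 ? args[0] : "certs"); // placeholder default
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(new File(System.getProperty("java.io.tmpdir"), "reloading-tomcat").getAbsolutePath());
        // Http11AprProtocol needs the APR/tcnative library, which this listener initialises.
        tomcat.getServer().addLifecycleListener(new AprLifecycleListener());

        Connector connector = reloadingConnector(8443, certDir);
        tomcat.getService().addConnector(connector);
        tomcat.setConnector(connector);

        // Minimal servlet so the reload can be observed with curl as in the Docker example.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.setContentType("text/plain");
                try (PrintWriter out = resp.getWriter()) {
                    out.println("served over " + req.getScheme());
                }
            }
        });
        ctx.addServletMappingDecoded("/", "hello");

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

Run it with the library path from the local-development section, e.g. `LD_LIBRARY_PATH="$(pwd)/lib" java -cp ... ReloadingEmbeddedTomcat ./certs`; replacing the three PEM files in `./certs` then triggers the reload after the configured delay.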
```bash
CONTAINER=$(docker run --rm -p8443:8443 -d schnatterer/tomcat-reloading-connector-example)
sleep 2
# View web app
curl -k https://localhost:8443
# View cert
echo | openssl s_client -showcerts -servername localhost -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep -A2 Validity
# Reload certs
docker exec ${CONTAINER} /createCerts.sh
# View new cert
sleep 5
echo | openssl s_client -showcerts -servername localhost -connect localhost:8443 2>/dev/null | openssl x509 -inform pem -noout -text | grep -A2 Validity
docker stop ${CONTAINER}
```
If you want to build the images yourself (note that all flavors are included in one Dockerfile to keep them DRY):

- `docker build .` builds the Spring Boot image
- `docker build --build-arg=FLAVOR=embedded-tomcat .` builds the embedded Tomcat image
- `docker build --build-arg=FLAVOR=standalone-tomcat .` builds the standalone Tomcat image
```bash
mvn package
# Copy lib binaries from bitnami image
# Or compile yourself
# https://tomcat.apache.org/tomcat-9.0-doc/apr.html
# Download: https://tomcat.apache.org/download-native.cgi
# Deps: sudo apt-get install libapr1 libapr1-dev
CONTAINER=$(docker create bitnami/tomcat:9.0.31-debian-10-r25)
docker cp ${CONTAINER}:/opt/bitnami/tomcat/lib /tmp
docker rm ${CONTAINER}
mkdir lib
mv /tmp/lib/libapr* /tmp/lib/libtcnative* lib
./createCerts.sh
# Start embedded tomcat (the ":+" expansion only appends a separator when LD_LIBRARY_PATH is already set)
LD_LIBRARY_PATH="$(pwd)/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" java -jar examples/embedded-tomcat/target/tomcat-jar-with-dependencies.jar
# or spring boot
LD_LIBRARY_PATH="$(pwd)/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" java -jar examples/spring-boot/target/spring-boot-*.jar
# Standalone example is docker only
```
```bash
./mvnw release:prepare -DreleaseVersion=0.3.0 -DdevelopmentVersion=0.3.1-SNAPSHOT
```

Sets the versions in pom.xml, commits, tags and pushes to SCM. Travis builds the tag and pushes to Maven Central.