hpl123 wrote: Built-in Let's Encrypt generator for SSL:
https://www.awareim.com/forum/viewtopic ... 258#p53258
The more I learn about reverse proxying the less I am inclined to expose my Tomcat server to the world.
My limited understanding of Tomcat and SSL is that the certificates cannot be updated on the fly (that is to say, the server has to be restarted), which then builds in a no more than 90 maintenance downtime cycle, assuming you use Let's Encrypt. From a practicality point of view it seems better to n-tier the installation with something that can dynamically manage the certificate renewal - like NGINX with Let's Encrypt.
I haven't really researched this for Tomcat and/but would think it's possible to build/automate this in some way that is reasonably secure, and when it comes to the Tomcat restart, doing this at 4.57am and Tomcat being down for 30sec doesn't really strike me as a problem (the generation of a new cert takes 10 seconds). I am currently using Let's Encrypt on Windows with IIS (for normal sites) and it is awesome. I basically set (sat?) it (and forgot it) and it renews every 3 months without a hitch, it's free, I don't have to hassle every year etc. etc. etc. IF we could get some type of plugin (and it doesn't even have to be directly in Tomcat, what else is possible?) that would automate and enable us to use free SSL, that would be pretty great. I am not willing to sacrifice security to save a buck and some time though, so if we get something for this it would have to be secure.
Another "option" of this that would help is automating more of the SSL process and integrating it into the config tool in some way. The keystore process is a mess and I always get into problems when I do it, and then there are the other problems with updating other Aware files, and I just find the entire process a hassle. If we could integrate some cert provider into the config tool so we could buy/renew/update Aware etc. etc. the cert with a button click, that would work for me as well.
Henrik (V8 Developer Ed. - Windows)