Automatically hot-reload SSL certificates if keystore file changed #5019

Closed
knaccc opened this issue Jul 3, 2020 · 5 comments

knaccc commented Jul 3, 2020

With LetsEncrypt providing short-duration certificates, it is useful to be able to hot-reload the keystore using the sslContextFactory.reload method (see #918).

However, in non-embedded situations (i.e. Jetty started using java start.jar), it requires the creation of a custom module and a jar file that will include the fairly straightforward code that will trigger the reload.

Please consider automatically reloading the keystore, or providing an option in ssl.ini to do so.

In embedded Jetty, that would be done like this:

import java.net.URI;
import java.nio.file.Paths;
import org.eclipse.jetty.util.ssl.SslContextFactory;
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore");
// FileWatcher (linked below) runs the callback whenever the keystore file changes
FileWatcher.onFileChange(Paths.get(URI.create(sslContextFactory.getKeyStorePath())), () ->
        sslContextFactory.reload(scf -> log.info("Reloaded keystore")));

(The FileWatcher source is here: https://gist.github.com/danielflower/f54c2fe42d32356301c68860a4ab21ed)

sbordet commented Jul 6, 2020

We should:

  • Implement Programmatic keyfile creation and PEM file import #1826
  • use Jetty's Scanner to track the PEM files / KeyStore files
  • Provide a JMX command to reload the SslContextFactory
  • Provide a new module that does the scanning and reload - we don't want these functionalities in SslContextFactory itself
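A Scanner-based watch-and-reload component of the kind listed above, standing in for the gist FileWatcher used in the embedded snippet at the top of the issue. This is an added example, not code from the issue or from Jetty's ssl-reload module; it is written against the Jetty 9.4 Scanner API (setScanDirs, DiscreteListener), assumes the keystore is a plain file on disk, and the class name KeyStoreReloader and its scan-interval parameter are this example's own.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HexFormat;
import org.eclipse.jetty.util.Scanner;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Polls the keystore's directory with Jetty's Scanner and reloads the SslContextFactory when that file changes. */
public class KeyStoreReloader extends ContainerLifeCycle implements Scanner.DiscreteListener {
    private static final Logger LOG = Log.getLogger(KeyStoreReloader.class);
    private final SslContextFactory sslContextFactory;
    private final File keystoreFile;

    public KeyStoreReloader(SslContextFactory sslContextFactory, int scanIntervalSeconds) throws Exception {
        this.sslContextFactory = sslContextFactory;
        // Scanner tracks directories on disk, so the keystore must be a plain file (getFile() is null for jar resources).
        this.keystoreFile = sslContextFactory.getKeyStoreResource().getFile().getCanonicalFile();
        Scanner scanner = new Scanner();
        scanner.setScanDirs(Collections.singletonList(keystoreFile.getParentFile()));
        scanner.setScanInterval(scanIntervalSeconds);
        scanner.setScanDepth(1);                        // only the keystore's own directory
        scanner.setReportDirs(false);
        scanner.setReportExistingFilesOnStartup(false); // no spurious reload at startup
        scanner.addListener(this);
        addBean(scanner);                               // scanner starts and stops with this component
    }

    @Override public void fileAdded(String filename) throws Exception { fileChanged(filename); }
    @Override public void fileRemoved(String filename) { LOG.warn("Keystore {} removed; serving the last loaded certificate", filename); }

    @Override
    public void fileChanged(String filename) throws Exception {
        if (!keystoreFile.equals(new File(filename).getCanonicalFile()))
            return;                                     // some other file in the directory changed
        // Swaps in a new SSLContext for new connections; handshakes already completed keep the old certificate.
        sslContextFactory.reload(scf -> {});
        LOG.info("Reloaded {} (SHA-256 {})", keystoreFile, fileDigest());
    }

    /** Digest of the keystore file just loaded, so the reload is auditable in the server log (HexFormat needs Java 17+). */
    private String fileDigest() throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(keystoreFile.toPath()));
        return HexFormat.of().formatHex(d);
    }
}
```

Register it with server.addBean(new KeyStoreReloader(sslContextFactory, 1)) so the scanner starts and stops with the Server lifecycle.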

@lachlan-roberts lachlan-roberts self-assigned this Jul 6, 2020
lachlan-roberts added a commit that referenced this issue Jul 10, 2020
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Jul 10, 2020
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Jul 10, 2020
…tart.jar

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>

sbordet commented Jul 13, 2020

FTR, we decided that #1826 is orthogonal and more complicated to implement, so for now we only "watch" $JETTY_BASE/etc/keystore and reload SslContextFactory if it changes.

lachlan-roberts added a commit that referenced this issue Jul 15, 2020
Issue #5019 - hot-reload SSL certificates if keystore file changed

lachlan-roberts commented Jul 15, 2020

PR #5042 adds the ssl-reload module; this will be available from jetty-9.4.31.


nagarjunabattula commented Jan 6, 2024

Hi,
We are using the Jetty server with version 9.4.48.v20220622 standalone and core Java 17 with REST code.
We are looking to hot reload the certificates.
For this, we are getting the latest server.jks and trust.jks, copying them to our cert folder and using
SslContextFactory.reload(...).

When I check using curl
curl --insecure -vvI https://localhost/:/ 2>&1 | awk 'BEGIN { cert=0 } /^* SSL connection/ { cert=1 } /^*/ { if (cert) print }'
I get the latest cert info.
But in the browser, I am still seeing the old cert only; I tried signing out and using a private window, and checked all browsers other than Chrome as well, but it was still no use.
And I have tried using the wrong certificate; it still works as is without failing.
Could you please help me?

Please find the code below and suggest changes if any.

HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(JETTY_PORT);
SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath(SSL_SERVER_KEY_STROKE_PATH);
sslContextFactory.setCertAlias("server");
sslContextFactory.setKeyStorePassword(SSL_KEY_STROKE_KEY);
sslContextFactory.setTrustStorePath(SSL_TRUST_KEY_STROKE_PATH);
sslContextFactory.setTrustStorePassword(SSL_KEY_STROKE_KEY);
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector https = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(https_config));
https.setPort(JETTY_PORT);
server.setConnectors(new Connector[]{https});
CertificateUtil.downloadCertificates();
// Periodic reload: every CERT_RELOAD_TIME ms, copy in the latest keystores and reload the factory
Timer timer = new Timer();
final boolean[] tempVar = {true};
timer.schedule(new TimerTask() {
    @Override
    public void run() {
        try {
            logger.info("SSL timer scheduler start");
            logger.info(sslContextFactory.toString());
            logger.info("ssl context " + sslContextFactory.getSslContext());
            // gets latest server.jks and trust.jks and copies to the path
            CertificateUtil.copyCertificates();
            logger.info("Started certificates reload");
            sslContextFactory.reload(scf -> logger.info("Certificates reloaded successfully"));
            logger.info("Calling reload end");
        } catch (Exception e) {
            logger.severe("Exception while reloading certs " + e);
        }
    }
}, 0, CERT_RELOAD_TIME);
logger.info("Jetty SSL successfully configured..");
} catch (Exception e) {   // closes a try opened above this excerpt
    logger.severe("Error configuring Jetty SSL.." + e);
    throw e;
}
}
...
server.start();
server.join();


joakime commented Jan 6, 2024

> Hi,
> We are using the Jetty server with version 9.4.48.v20220622 standalone and core Java 17 with REST code.
> We are looking to hot reload the certificates.
> For this, we are getting the latest server.jks and trust.jks copying to our cert folder and using
> SslContextFactory.reload(...) .

Note: Jetty 9.x is at End of Community Support as of June 2022

You should be using Jetty 10, Jetty 11, or Jetty 12 at this point in time.

Also note that Jetty 10 and Jetty 11 have started their Sunsetting and will be at End of Community Support in January 2025.
