Renew SSL certificates without restarting the server

Posted: 31 Jul 2017, 11:29
by benht5am
Hello,
is it possible to renew an SSL certificate without restarting the server? We use LE certificates, which are valid for 3 months, and we would like to avoid restarting the server every 3 months just because of renewing the certs. I found something regarding hot-renewing certs in Jetty, but is there something built in, or what is the best way to do this?

Thanks

Re: Renew SSL certificates without restarting the server

Posted: 31 Jul 2017, 14:06
by Lapo
Hi,
no sorry, at the moment this is not supported.
I don't know what an "LE certificate" is but, to avoid the problem, wouldn't it be possible to use a regular 1 or 2 year certificate instead?

Cheers

Re: Renew SSL certificates without restarting the server

Posted: 31 Oct 2017, 09:16
by croftie
LE certificates are (I presume) Let's Encrypt issued certificates, and they are rapidly becoming ubiquitous. We too would like to use them with SmartFox Server with hot reloading of the certificate.

The best article I have seen is https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html.

It relates how it is possible to configure Jetty to hot-reload SSL certs by calling reload() on a specially created SslContextFactory. The example given is:

```java
import java.io.File;
import org.apache.commons.io.FileUtils;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class JettyWithReloadableSsl {
    public static void main(String[] args) throws Exception {
        Server jettyServer = new Server();
        HttpConfiguration config = new HttpConfiguration();
        config.addCustomizer(new SecureRequestCustomizer());
        config.addCustomizer(new ForwardedRequestCustomizer());

        // Create the HTTP connection
        HttpConnectionFactory httpConnectionFactory = new HttpConnectionFactory(config);
        ServerConnector httpConnector = new ServerConnector(jettyServer, httpConnectionFactory);
        httpConnector.setPort(8080); // IP tables redirect 80 -> 8080
        jettyServer.addConnector(httpConnector);

        // Create the HTTPS end point; keep a reference to the factory so reload() can be called later
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStoreType("PKCS12");
        sslContextFactory.setKeyStorePath("/opt/crickam/keystore.p12");
        // The keystore password is read from a file outside the code base rather than hard-coded
        String keyStorePassword = FileUtils.readFileToString(new File("/opt/crickam/keystore.pw"), "UTF-8").trim();
        sslContextFactory.setKeyStorePassword(keyStorePassword);
        sslContextFactory.setKeyManagerPassword(keyStorePassword);
        ServerConnector httpsConnector = new ServerConnector(jettyServer, sslContextFactory, new HttpConnectionFactory(config));
        httpsConnector.setPort(8443); // IP tables redirect 8443 -> 443
        jettyServer.addConnector(httpsConnector);

        jettyServer.start();
        jettyServer.join();
    }
}
```


```java
// Later, once the keystore file on disk has been replaced by the renewed certificate:
// reload() throws Exception and must be called on the same SslContextFactory the connector was built with;
// "log" is the application's own logger (e.g. an SLF4J Logger).
sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
```


Since Let's Encrypt certificates are likely to continue to grow in popularity, might I suggest that you give some consideration to developing a similar facility for SmartFox so that SSL certs (of all stripes) can be renewed without having to reboot the server.

regards
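As an added example (not code from this thread or from Daniel Flower's article), here is a small poller that watches the PKCS12 keystore from the snippet above and calls sslContextFactory.reload() once a renewal tool has replaced it, validating the new file first so a half-written keystore is never loaded. The class name, the polling period and the use of System.out for logging are my assumptions; it targets the Jetty 9.4 API, where reload(Consumer) exists.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class KeyStoreReloader {
    private final SslContextFactory sslContextFactory;
    private final File keyStoreFile;        // e.g. new File("/opt/crickam/keystore.p12") as in the post above
    private final char[] keyStorePassword;
    private long lastModified;
    public KeyStoreReloader(SslContextFactory scf, File keyStoreFile, char[] password) {
        this.sslContextFactory = scf;
        this.keyStoreFile = keyStoreFile;
        this.keyStorePassword = password;
        this.lastModified = keyStoreFile.lastModified();
    }
    // Poll every periodSeconds; a 60 s period is plenty for a certificate renewed every 60-90 days (assumed value).
    public void start(ScheduledExecutorService executor, long periodSeconds) {
        executor.scheduleWithFixedDelay(this::checkAndReload, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }
    void checkAndReload() {
        long current = keyStoreFile.lastModified();
        if (current == lastModified) return;
        try {
            // Parse the new file first: a half-written keystore throws here, so the reload is skipped and retried next tick.
            Date notAfter = certificateNotAfter();
            sslContextFactory.reload(scf -> { }); // Jetty rebuilds its SSLContext; new handshakes use the new cert
            lastModified = current;
            System.out.println("Reloaded " + keyStoreFile + "; certificate now valid until " + notAfter);
        } catch (Exception e) {
            System.err.println("Keystore reload skipped: " + e);
        }
    }
    // Expiry of the first private-key entry, so the operator can confirm the renewal actually took effect.
    Date certificateNotAfter() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStoreFile)) { ks.load(in, keyStorePassword); }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
        }
        throw new IllegalStateException("no private key entry in " + keyStoreFile);
    }
}
```

Existing TLS sessions keep the certificate they were negotiated with; only connections handshaking after the reload see the renewed one, which is why the printed notAfter is worth checking against an external probe after each renewal.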

Re: Renew SSL certificates without restarting the server

Posted: 05 Nov 2017, 12:01
by Lapo
The problem with hot-renewing SSL certificates depends on Jetty, the HTTP server embedded in SFS2X.
The dev team @Jetty have already discussed this here:
https://github.com/eclipse/jetty.project/issues/918

There are some issues for the implementation. We'll see if new releases will be able to support it.

Cheers

Re: Renew SSL certificates without restarting the server

Posted: 14 Jun 2019, 18:48
by abcd
Is it already possible to use

```java
sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
```

as described here https://danielflower.github.io/2017/04/ ... Jetty.html to reload the Jetty certificate?