Hello,
is it possible to renew SSL certificate without restarting the server? We use LE certificates which are valid for 3 months and we would like to avoid restarting the server every 3 months just because of renewing the certs. I found something regarding hot renewing certs in Jetty, but is there something built in or what is the best way to do this?
Thanks
Renew SSL certificates without restarting the server
Re: Renew SSL certificates without restarting the server
Hi,
no sorry, at the moment this is not supported.
I don't know what an "LE certificate" is but, to avoid the problem, wouldn't it be possible to use a regular 1 or 2 year certificate instead?
Cheers
Re: Renew SSL certificates without restarting the server
LE certificates are (I presume) Let's Encrypt issued certificates and they are rapidly becoming ubiquitous. We too would like to use them with Smartfox server with hot reloading of the certificate.
The best article I have seen is https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html.
It relates how it is possible to configure Jetty to hot reload SSL certs through a specially created SslContextFactory. The example given is:
Code:
// Imports and the class/main wrapper are added so the fragment compiles as posted;
// SslContextFactory lives in org.eclipse.jetty.util.ssl in Jetty 9.
import java.io.File;

import org.apache.commons.io.FileUtils;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class LetsEncryptJetty {
    public static void main(String[] args) throws Exception {
        Server jettyServer = new Server();
        HttpConfiguration config = new HttpConfiguration();
        config.addCustomizer(new SecureRequestCustomizer());
        config.addCustomizer(new ForwardedRequestCustomizer());
        // Create the HTTP connection
        HttpConnectionFactory httpConnectionFactory = new HttpConnectionFactory(config);
        ServerConnector httpConnector = new ServerConnector(jettyServer, httpConnectionFactory);
        httpConnector.setPort(8080); // IP tables redirect 80 -> 8080
        jettyServer.addConnector(httpConnector);
        // Create the HTTPS end point; the keystore password is read from a file
        // so it is not baked into the code or the command line
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStoreType("PKCS12");
        sslContextFactory.setKeyStorePath("/opt/crickam/keystore.p12");
        String keyStorePassword = FileUtils.readFileToString(new File("/opt/crickam/keystore.pw"), "UTF-8").trim();
        sslContextFactory.setKeyStorePassword(keyStorePassword);
        sslContextFactory.setKeyManagerPassword(keyStorePassword);
        ServerConnector httpsConnector = new ServerConnector(jettyServer, sslContextFactory, new HttpConnectionFactory(config));
        httpsConnector.setPort(8443); // IP tables redirect 8443 -> 443
        jettyServer.addConnector(httpsConnector);
        jettyServer.start();
        jettyServer.join();
    }
}
Code:
sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
Since Let's encrypt certificates are likely to continue to grow in popularity might I suggest that you give some consideration to developing a similar facility for smartfox so that ssl certs (of all stripes) can be renewed without having to reboot the server.
regards
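A fuller version of the approach in that article, added here as an example and not code from the post, the article or SmartFoxServer: a background task polls the keystore's modification time, checks that the replacement PKCS12 file opens with the configured password and holds a private key, and only then calls SslContextFactory.reload(). It assumes Jetty 9.4, where reload(Consumer<SslContextFactory>) exists; the paths /opt/example/keystore.p12 and /opt/example/keystore.pw, the class name and the 30-second poll interval are placeholders.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HotReloadTlsServer {
    // Placeholder paths (assumption, not from the thread): the PKCS12 keystore that the
    // renewal tooling rewrites every few months, and the file holding its password.
    private static final Path KEYSTORE = Paths.get("/opt/example/keystore.p12");
    private static final Path KEYSTORE_PW = Paths.get("/opt/example/keystore.pw");

    public static void main(String[] args) throws Exception {
        char[] pw = new String(Files.readAllBytes(KEYSTORE_PW), StandardCharsets.UTF_8)
                .trim().toCharArray();

        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePath(KEYSTORE.toString());
        ssl.setKeyStorePassword(new String(pw));
        ssl.setKeyManagerPassword(new String(pw));

        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        config.addCustomizer(new SecureRequestCustomizer());
        ServerConnector https = new ServerConnector(server, ssl, new HttpConnectionFactory(config));
        https.setPort(8443);
        server.addConnector(https);
        server.start();

        // Poll the keystore's mtime and swap the certificate in without restarting the server.
        ScheduledExecutorService watcher = Executors.newSingleThreadScheduledExecutor();
        FileTime[] lastSeen = { Files.getLastModifiedTime(KEYSTORE) };
        watcher.scheduleWithFixedDelay(() -> {
            try {
                FileTime now = Files.getLastModifiedTime(KEYSTORE);
                if (now.equals(lastSeen[0])) {
                    return;
                }
                // Remember this version either way so a bad file does not log on every tick;
                // a later rewrite changes the mtime again and is picked up then.
                lastSeen[0] = now;
                // Check the replacement before handing it to Jetty: a half-written file or a
                // keystore exported with a different password must not take the listener down.
                if (!keystoreHasPrivateKey(KEYSTORE, pw)) {
                    System.err.println("new keystore is unusable, keeping current certificate");
                    return;
                }
                // The consumer is invoked before the keystore is re-read (it exists so the
                // factory can be reconfigured first), so log success after reload() returns.
                ssl.reload(scf -> { });
                System.out.println("TLS keystore reloaded; new handshakes use the new certificate");
            } catch (Exception e) {
                System.err.println("keystore reload failed: " + e);
            }
        }, 30, 30, TimeUnit.SECONDS);

        server.join();
    }

    /** Opens the PKCS12 file with the given password and checks it holds at least one private key. */
    static boolean keystoreHasPrivateKey(Path path, char[] password) {
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
                if (ks.isKeyEntry(aliases.nextElement())) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            return false;
        }
    }
}
```

Have the renewal job write the new PKCS12 to a temporary file in the same directory and rename it over the keystore, so the watcher never reads a partially written file. Connections that already completed their handshake keep the old certificate until they close; only new handshakes see the renewed one.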
Re: Renew SSL certificates without restarting the server
The problem with hot-renewing SSL certificates depends on Jetty, the HTTP server embedded in SFS2X.
The dev team @Jetty have already discussed this here:
https://github.com/eclipse/jetty.project/issues/918
There are some issues for the implementation. We'll see if new releases will be able to support it.
Cheers
Re: Renew SSL certificates without restarting the server
Is it already possible to reload the Jetty certificate as described here https://danielflower.github.io/2017/04/ ... Jetty.html ?
Code:
sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));