Renew SSL certificates without restarting the server

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

benht5am
Posts: 1
Joined: 31 Jul 2017, 11:13

Renew SSL certificates without restarting the server

Postby benht5am » 31 Jul 2017, 11:29

Hello,
is it possible to renew SSL certificate without restarting the server? We use LE certificates which are valid for 3 months and we would like to avoid restarting the server every 3 months just because of renewing the certs. I found something regarding hot renewing certs in Jetty, but is there something built in or what is the best way to do this?

Thanks
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Renew SSL certificates without restarting the server

Postby Lapo » 31 Jul 2017, 14:06

Hi,
no sorry, at the moment this is not supported.
I don't know what an "LE certificate" is but, to avoid the problem, wouldn't it be possible to use a regular 1 or 2 year certificate instead?

Cheers
Lapo
--
gotoAndPlay()
...addicted to flash games
croftie
Posts: 49
Joined: 24 Jul 2013, 08:35
Location: Algarve Portugal
Contact:

Re: Renew SSL certificates without restarting the server

Postby croftie » 31 Oct 2017, 09:16

LE certificates are (I presume) lets encrypt issued certificates and they are rapidly becoming ubiquitous. We too would like to use them with Smartfox server with hot reloading of the certificate.

The best article I have seen is https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html.

It relates how it is possible to configure Jetty to hot reload ssl certs by calling the following SslContextFactory specially created. The example given is:

Code: Select all

Server jettyServer = new Server();
HttpConfiguration config = new HttpConfiguration();
config.addCustomizer(new SecureRequestCustomizer());
config.addCustomizer(new ForwardedRequestCustomizer());

// Create the HTTP connection
HttpConnectionFactory httpConnectionFactory = new HttpConnectionFactory(config);
ServerConnector httpConnector = new ServerConnector(jettyServer, httpConnectionFactory);
httpConnector.setPort(8080); // IP tables redirect 80 -> 8080
jettyServer.addConnector(httpConnector);

// Create the HTTPS end point
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreType("PKCS12");
sslContextFactory.setKeyStorePath("/opt/crickam/keystore.p12");
String keyStorePassword = FileUtils.readFileToString(new File("/opt/crickam/keystore.pw"), "UTF-8").trim();
sslContextFactory.setKeyStorePassword(keyStorePassword);
sslContextFactory.setKeyManagerPassword(keyStorePassword);
ServerConnector httpsConnector = new ServerConnector(jettyServer, sslContextFactory, new HttpConnectionFactory(config));
httpsConnector.setPort(8443); // IP tables redirect 8443 -> 443
jettyServer.addConnector(httpsConnector);


Code: Select all

sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));


Since Let's encrypt certificates are likely to continue to grow in popularity might I suggest that you give some consideration to developing a similar facility for smartfox so that ssl certs (of all stripes) can be renewed without having to reboot the server.

regards
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Renew SSL certificates without restarting the server

Postby Lapo » 05 Nov 2017, 12:01

The problem with hot-renewing SSL certificates depends on Jetty, the HTTP server embedded in SFS2X.
The dev team @Jetty have already discussed this here:
https://github.com/eclipse/jetty.project/issues/918

There are some issues for the implementation. We'll see if new releases will be able to support it.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
abcd
Posts: 15
Joined: 11 Jan 2008, 18:26

Re: Renew SSL certificates without restarting the server

Postby abcd » 14 Jun 2019, 18:48

Is it alreadi possible to use

Code: Select all

sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
as it describe here https://danielflower.github.io/2017/04/ ... Jetty.html to reload jetty certificate ?

Return to “SFS2X Questions”

Who is online

Users browsing this forum: No registered users and 64 guests