How can I get a Netty server to reload a TLS certificate when it is renewed?
Source: https://stackoverflow.com/questions/46803131/how-can-i-get-a-netty-server-to-reload-a-tls-certificate-when-it-is-renewed
I have a Netty-based server that uses PEM-encoded certificate files that are periodically re-issued (by Let's Encrypt). Netty fully supports loading the PEM crypto material, but when the certificate (.cer file) is later re-issued, the server needs to be restarted to see it.
I have handled this up until now by adding a custom channel init handler to add the logic to reload the cert and add an appropriate SSLHandler built from that. But now I'm wanting to use Aleph, and it expects a Netty SSLContext object for TLS.
This seems like a topical and general problem with the growing popularity of Let's Encrypt and its relatively short-lived certs, and I'd like to solve it properly. Which means a Netty-compatible way to create an SSLContext that will reload its certificate(s) if they change on disk.
Some approaches I've come up with:
- Make a dynamic trust manager/trust store, then plug that into the Netty SSLContextBuilder. Could use this as a starting point: https://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/, and take some of the code to load the key/cert from "Programmatically Obtain KeyStore from PEM" (Netty’s PEM -> KeyStore logic is not public in the SSLContext class). Upside: works outside Netty too. Downside: complicated and doesn’t reuse Netty’s existing logic to load PEM keys and certs.
- Add this as a Netty-supported option.
Can anyone point me to a solution, or suggest the best way forward to building one?
Answering my own question.
The answer is: don't do it at this level. Instead, have something outside the Netty stack monitor the cert, and when the cert changes, remove the existing SSL handler from the pipeline and replace it with a new one with an SSLContext created from the new cert.
- Yeah, I have this issue, as I am sure many others do. It's a PITA on the Java side as it is. Although I found this a while back, and it may allow bypassing of the keystore: netty.io/wiki/forked-tomcat-native.html – Mr00Anderson Mar 8 at 18:33
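The pattern from the accepted answer, as an added example that is not code from the poster: a watcher outside the Netty pipeline polls the PEM files, rebuilds the SslContext when they change, and each newly accepted connection gets an SslHandler from whatever context is current. The file paths, the polling approach and the class name are assumptions; already-established TLS sessions keep their old handler, only new connections see the renewed certificate.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.attribute.FileTime;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

/** Holds the current SslContext and rebuilds it when the PEM files on disk change. */
public final class ReloadingSslContext {
    private final File certChain;   // e.g. fullchain.pem (constructed path, assumption)
    private final File privateKey;  // e.g. privkey.pem
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    private volatile FileTime lastSeen;
    public ReloadingSslContext(File certChain, File privateKey) throws Exception {
        this.certChain = certChain;
        this.privateKey = privateKey;
        reload();
    }
    /** Build a fresh context from disk and publish it; if loading fails the old one stays. */
    public synchronized void reload() throws Exception {
        SslContext fresh = SslContextBuilder.forServer(certChain, privateKey).build();
        lastSeen = Files.getLastModifiedTime(certChain.toPath());
        current.set(fresh);
    }

    public SslContext get() { return current.get(); }
    /** Poll the chain file's mtime; a change (e.g. a Let's Encrypt renewal) triggers reload(). */
    public void startWatching(ScheduledExecutorService exec, long period, TimeUnit unit) {
        exec.scheduleAtFixedRate(() -> {
            try {
                if (!Files.getLastModifiedTime(certChain.toPath()).equals(lastSeen)) reload();
            } catch (Exception e) {
                // keep serving with the previous context; log the failure in real code
            }
        }, period, period, unit);
    }
    /** Every new connection gets an SslHandler built from whatever context is current. */
    public ChannelInitializer<Channel> initializer() {
        return new ChannelInitializer<Channel>() {
            @Override protected void initChannel(Channel ch) {
                ch.pipeline().addFirst("ssl", get().newHandler(ch.alloc()));
            }
        };
    }
}
```

Because the private key is read together with the chain, a renewal that rewrites both files non-atomically can be caught half-written; keeping the previous context on a failed build is what makes that safe.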