Automatic certificate change detection and reload #2870
Comments
An alternative to watching for changes to the certificates would be to use the --renew-hook to send, e.g., a REST request (using e.g. curl) to the server to refresh the certificates. You could run a separate HTTP-only REST API on a different port for this purpose alone, for example.
@xkr47 Yes, or you could use the Hazelcast CLI to send a message on the event bus, or (ideally) vertx-shell could be extended with a Vert.x currently has no dynamic certificate reload support though, so that needs to be fixed first, e.g. by using your
(DynamicCertOptions is lower-level than DynamicCertManager but yeah sure that can be used as well.)
DynamicCertOptions would be the way to go I think, CertOptions have been designed to be extended this way.
> On 11 Mar 2019, at 14:17, Jonas Berlin ***@***.***> wrote:
>
> (DynamicCertOptions is lower-level but yeah sure that can be used as well.)
@vietj Can something like that be built into Vert.x? It's not much extra code to support reload.
I don't know yet, I think there is room for a vertx util based project to host things like this too
That being said, the dynamic cert options don't depend on anything
Any update or workarounds for this?
I have published a working reference implementation/demo here: Instant SSL Reloading For Vert.x. I hope this is a bit useful for others who seek a solution for this kind of use case. There is no updating service provided by Vert.x itself, but it is possible to update and reload the SSL configuration without restarting it by having a slightly different server configuration. I have provided one example of fetching the updated keystores from the file system; however, it is also possible to use PEM and DER files. It is also possible to fetch the newly created certificates from a database or some other place. This example is using my own library, which can be found here: SSLContext Kickstart, which might be useful for others who still want to have this kind of feature of reloading SSL without restarting the server. @vietj Do you think some of it can be used or integrated by the Vert.x library to provide something like this out of the box?
thanks @Hakky54 I think we could provide in Vert.x an SPI to integrate Vertx to more easily integrate with
Hi everyone, I have created a PR with the changes needed for doing automatic certificate reload in a Vertx server. Let me know what your thoughts are regarding this approach: #4519. We run a background timer to check for certificate file changes and refresh
@sarankk I think instead we should have an option on HttpServer to reload the certificate so it can be used externally and we don't need to mess with SSL options which are already pretty crowded, e.g. a method like
Hi @vietj I also did an attempt to support this out of the box within Vertx; you can find my latest changes here on the PR #4453. It is inspired by the PR #4519 but slightly different. The SSL reloading can be enabled by setting the refresh option on the HttpServerOptions. I have added an example usage/server configuration to the PR as a comment at the bottom. Can you maybe have a look at it? I am curious whether it is something in the right direction or needs to be adjusted.
See #4568
Vert.x needs to support automatic change detection and reload for certificates, so that Vert.x servers can be used with certbot.
Currently Vert.x does not have out-of-the-box support for LetsEncrypt.org's ACME. There is an outdated project that implemented support for an older version protocol. However, a better strategy is to rely on certbot, the primary recommended ACME client, set up as a cron job to renew certificates as needed.
When used with a Vert.x server, this would require shutting down the Vert.x server and restarting it when the certificate is renewed, using certbot's `--renew-hook` option. Server downtime, even if brief, is not ideal. It would be much better for Vert.x to be able to watch for changes to certificates, and reload certificates if they change.
Related:
https://groups.google.com/forum/#!topic/vertx/fLQPPAxkftM
#2606
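The two reload triggers discussed in this thread, a certbot `--renew-hook` calling a local HTTP endpoint (the suggestion in the first comment) and a background timer checking the certificate files (the approach of #4519 and #4453), combined in one Vert.x server that swaps its TLS material without a restart, as an added example. This is not code from the Vert.x project, from any of the linked PRs, or from the commenters. It assumes a Vert.x 4 release that provides `HttpServer#updateSSLOptions(SSLOptions)` (available from 4.4; older releases need one of the PR approaches instead), the certbot live paths for `example.com`, the admin port 8081 and the path `/reload-certs`; all of those are choices of the example, not anything the issue fixes.

```java
import io.vertx.core.CompositeFuture;
import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PemKeyCertOptions;
import io.vertx.core.net.SSLOptions;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class ReloadingHttpsServer {

  // Assumed paths: where certbot keeps the live chain and key for the domain.
  static final String CERT_PATH = "/etc/letsencrypt/live/example.com/fullchain.pem";
  static final String KEY_PATH  = "/etc/letsencrypt/live/example.com/privkey.pem";

  private final Vertx vertx;
  private HttpServer server;
  private byte[] lastFingerprint;   // SHA-256 over the cert + key bytes currently in use

  ReloadingHttpsServer(Vertx vertx) { this.vertx = vertx; }

  /** Read both PEM files through the async file system API (keeps the event loop free). */
  private Future<CompositeFuture> readPems() {
    return CompositeFuture.all(vertx.fileSystem().readFile(CERT_PATH),
                               vertx.fileSystem().readFile(KEY_PATH));
  }

  /** Content hash used to decide whether a reload is actually needed. */
  static byte[] fingerprint(Buffer cert, Buffer key) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update(cert.getBytes());
      md.update(key.getBytes());
      return md.digest();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
    }
  }

  static PemKeyCertOptions pemOptions(Buffer cert, Buffer key) {
    return new PemKeyCertOptions().setCertValue(cert).setKeyValue(key);
  }

  /** Re-read the files; swap the TLS context only if their content changed. */
  Future<Boolean> reloadIfChanged() {
    return readPems().compose(cf -> {
      Buffer cert = cf.resultAt(0);
      Buffer key = cf.resultAt(1);
      byte[] fp = fingerprint(cert, key);
      if (Arrays.equals(fp, lastFingerprint)) {
        return Future.succeededFuture(false);   // same material, nothing to do
      }
      SSLOptions fresh = new SSLOptions().setKeyCertOptions(pemOptions(cert, key));
      return server.updateSSLOptions(fresh).map(ignored -> {
        lastFingerprint = fp;
        return true;
      });
    });
  }

  Future<Void> start() {
    return readPems().compose(cf -> {
      Buffer cert = cf.resultAt(0);
      Buffer key = cf.resultAt(1);
      lastFingerprint = fingerprint(cert, key);
      server = vertx.createHttpServer(new HttpServerOptions()
          .setSsl(true)
          .setKeyCertOptions(pemOptions(cert, key)))
        .requestHandler(req -> req.response().end("hello over TLS\n"));

      // Plain-HTTP admin listener bound to loopback only. A certbot hook such as
      //   --renew-hook 'curl -fsS -X POST http://127.0.0.1:8081/reload-certs'
      // triggers the reload right after a renewal (endpoint and port are assumptions).
      HttpServer admin = vertx.createHttpServer().requestHandler(req -> {
        if (HttpMethod.POST.equals(req.method()) && "/reload-certs".equals(req.path())) {
          reloadIfChanged()
            .onSuccess(changed -> req.response().end(changed ? "reloaded\n" : "unchanged\n"))
            .onFailure(err -> req.response().setStatusCode(500).end("reload failed\n"));
        } else {
          req.response().setStatusCode(404).end();
        }
      });

      // Timer-based fallback (the #4519 / #4453 approach): poll every 5 minutes in case
      // the hook never fires, e.g. when certbot runs elsewhere and only syncs the files.
      vertx.setPeriodic(300_000L, id -> reloadIfChanged()
        .onFailure(err -> System.err.println("certificate check failed: " + err)));

      return server.listen(8443)
        .compose(s -> admin.listen(8081, "127.0.0.1"))
        .mapEmpty();
    });
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    new ReloadingHttpsServer(vertx).start()
      .onSuccess(v -> System.out.println("TLS on :8443, admin on 127.0.0.1:8081"))
      .onFailure(err -> { err.printStackTrace(); vertx.close(); });
  }
}
```

Two points a practitioner should check before relying on this. First, the content fingerprint means the hook and the timer can both fire without a redundant context swap, and a renewal that writes identical bytes is a no-op; `updateSSLOptions` only affects connections accepted after the swap, existing ones keep the old certificate until they close. Second, the admin endpoint has no authentication beyond its loopback binding, which is acceptable only because the worst a local caller can do is make the server re-read files it already trusts; do not expose it on a routable interface. Also note that certbot's `privkey.pem` is root-readable only by default, so the Vert.x process needs its own copy with restricted permissions or a group grant before the first `readFile` succeeds.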