Hot-reloading TLS certificates #1121

Open
cmader opened this issue Jun 5, 2024 · 3 comments
Labels: enhancement (A feature request or improvement), question (A question about this library or its usage)

Comments

@cmader

cmader commented Jun 5, 2024

The context

Automatically use new TLS certificate if it is updated on the file system ("hot-reload")

The question

Is it possible to force recreation of the SSL context? The background of my question is that I have a service running that uses server security with client authentication. When the server certificate expires, it automatically gets replaced but clients still see the old certificate. So, is there any way to either force recreation of the SSL context or set a maximum "lifetime" of the context? I didn't find anything about that in the grpc-spring or netty docs, but I'm sure I'm missing something.

The application's environment

Spring-boot service running on k8s.

Which versions do you use?

  • Spring (boot): 3.2.5
  • grpc-java: 1.60.0
  • grpc-spring-boot-starter: 3.1.0-RELEASE
  • java: 17, amd64
@cmader cmader added the question A question about this library or its usage label Jun 5, 2024
@cmader cmader changed the title Hot-reloading of TLS certificates Hot-reloading TLS certificates Jun 5, 2024
@ST-DDT
Collaborator

ST-DDT commented Jun 5, 2024

Please ask this question in the https://github.com/grpc/grpc-java repo, as the feature has to be supported there first.

If they have support for that, we can add the relevant config for that here.

@ST-DDT ST-DDT added the enhancement A feature request or improvement label Jun 5, 2024
@cmader
Author

cmader commented Jun 7, 2024

Thanks for pointing me to the grpc-java project! Indeed, hot certificate reload is supported there with the classes AdvancedTlsX509KeyManager and AdvancedTlsX509TrustManager. I got it working with grpc-spring when I override ShadedNettyGrpcServerFactory's configureSecurity method and set instances of these classes as keyStore and trustStore of the SslContextBuilder. Then, whenever I detect a certificate change, I call the AdvancedTlsX509KeyManager's (or AdvancedTlsX509TrustManager's) update method and the updated certificate is used without a server restart.
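The approach described in the comment above, written out as an added example (not code from the issue author or from grpc-spring). The class name, constructor parameters and PEM file paths are assumptions; the grpc-java managers and the grpc-spring factory are the real ones named above, and the factory is assumed to be registered as the application's server factory bean with services added via `addService`, as the starter's own auto-configuration does.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;
import javax.net.ssl.SSLException;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.util.AdvancedTlsX509KeyManager;
import io.grpc.util.AdvancedTlsX509TrustManager;
import net.devh.boot.grpc.server.config.GrpcServerProperties;
import net.devh.boot.grpc.server.serverfactory.GrpcServerConfigurer;
import net.devh.boot.grpc.server.serverfactory.ShadedNettyGrpcServerFactory;

/** Server factory whose TLS key and trust material can be replaced without a restart. */
public class ReloadableTlsGrpcServerFactory extends ShadedNettyGrpcServerFactory {
    private final File certChainFile, privateKeyFile, trustCertsFile; // hypothetical PEM paths
    private final AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
    private final AdvancedTlsX509TrustManager trustManager;

    public ReloadableTlsGrpcServerFactory(GrpcServerProperties properties,
            List<GrpcServerConfigurer> configurers, File certChainFile, File privateKeyFile,
            File trustCertsFile) throws IOException, GeneralSecurityException {
        super(properties, configurers);
        this.certChainFile = certChainFile;
        this.privateKeyFile = privateKeyFile;
        this.trustCertsFile = trustCertsFile;
        // Client certificates are validated against the CA only; host name checks do not apply to them.
        this.trustManager = AdvancedTlsX509TrustManager.newBuilder()
                .setVerification(AdvancedTlsX509TrustManager.Verification.CERTIFICATE_ONLY_VERIFICATION)
                .build();
        reload(); // load the initial material before the server is built
    }

    /** Re-reads the PEM files; call this whenever a change on disk is detected. */
    public void reload() throws IOException, GeneralSecurityException {
        keyManager.updateIdentityCredentialsFromFile(privateKeyFile, certChainFile);
        trustManager.updateTrustCredentialsFromFile(trustCertsFile);
    }

    @Override
    protected void configureSecurity(NettyServerBuilder builder) {
        // The managers are installed once; every later reload() takes effect on new handshakes.
        SslContextBuilder sslBuilder = GrpcSslContexts.configure(SslContextBuilder.forServer(keyManager))
                .trustManager(trustManager).clientAuth(ClientAuth.REQUIRE);
        try {
            builder.sslContext(sslBuilder.build());
        } catch (SSLException e) {
            throw new IllegalStateException("Failed to create ssl context for grpc server", e);
        }
    }
}
```

Existing connections keep the handshake they were established with, so a rotation only becomes visible to clients on their next connection; grpc-java 1.60 also offers `updateIdentityCredentialsFromFile`/`updateTrustCredentialsFromFile` overloads that take a period and a `ScheduledExecutorService` for polling instead of an explicit `reload()` call.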

@ST-DDT
Collaborator

ST-DDT commented Jun 8, 2024

Could you please create a PR and contribute this feature?
