[ https://issues.apache.org/jira/browse/SOLR-16743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845015#comment-17845015 ]
David Smiley commented on SOLR-16743:
-------------------------------------

Where I work, we use rotating keys but we don't need changes as invasive as this (e.g. with the extra code/complexity added here to accompany it). At the time we used a company Java "KeyStore" that internally dynamically reloads. A bit of custom glue creates a custom SSLContext, and we call `org.apache.solr.client.solrj.impl.Http2SolrClient#setDefaultSSLConfig`. Presently I would recommend users use Managed-mesh/Istio with rotating keys, which is more scalable in terms of integration effort, complexity, and maintenance than customizing/configurable SSL on each and every service.

> Auto reload keystore/truststore on change
> -----------------------------------------
>
>                 Key: SOLR-16743
>                 URL: https://issues.apache.org/jira/browse/SOLR-16743
>             Project: Solr
>          Issue Type: Improvement
>          Components: Server, SolrJ
>            Reporter: Houston Putman
>            Assignee: Tomas Eduardo Fernandez Lobbe
>            Priority: Major
>             Fix For: main (10.0), 9.5
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Currently everyone who uses Solr with SSL must restart their clusters when
> new certificates are created.
> Jetty comes with an
> [ssl-reload|https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-module-ssl-reload]
> module for reloading the server's keystore.
> For the client we would likely need to reload the truststore, but that
> requires more investigation.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)