[
https://issues.apache.org/jira/browse/CASSANDRA-21490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jon Meredith updated CASSANDRA-21490:
-------------------------------------
Bug Category: Parent values: Availability(12983)
Complexity: Normal
Component/s: Messaging/Client
Messaging/Internode
Discovered By: User Report
Severity: Low
Status: Open (was: Triage Needed)
> Certificates that fail to hot load should be retried
> ----------------------------------------------------
>
> Key: CASSANDRA-21490
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21490
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Messaging/Client, Messaging/Internode
> Reporter: Jon Meredith
> Assignee: Jon Meredith
> Priority: Normal
>
> If an updated TLS certificate is detected on the filesystem but it fails to
> load, the reload is never tried again. This can happen if the certificate
> file is overwritten with inaccessible permissions and then granted permission
> without updating the modified time.
> Reloaded certificates do not currently have their expiry checked like they
> would have on startup. To protect against an old certificate being copied
> back into place the expiry should be rechecked. To help provide operators
> with an indicator of when a certificate expires Cassandra should schedule
> emitting a log message at the expiration time.
> Elided example log
> {code}
> ERROR 2026-05-31 18:47:04,176 [ScheduledTasks:1]
> org.apache.cassandra.security.SSLFactory - Failed to hot reload the SSL
> Certificates! Please check the certificate files for
> server_encryption_options.
> java.io.IOException: Failed to create SSL context using
> server_encryption_options
> at
> org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java)
> at
> org.apache.cassandra.security.SSLFactory.checkCachedContextsForReload(SSLFactory.java)
> at
> org.apache.cassandra.security.SSLFactory.checkCertFilesForHotReloading(SSLFactory.java)
> at
> org.apache.cassandra.concurrent.ExecutionFailure$1.run(ExecutionFailure.java)
> at
> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
> at
> java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java)
> at
> java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java)
> at
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
> at
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
> at
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java)
> at java.base/java.lang.Thread.run(Thread.java)
> Caused by: javax.net.ssl.SSLException: failed to build key manager store for
> secure connections
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.getKeyManagerFactory(FileBasedSslContextFactory.java)
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java)
> at
> org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java)
> at
> org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java)
> at
> org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java)
> ... 10 common frames omitted
> Caused by: java.nio.file.AccessDeniedException: /path/to/keystore.jks
> at
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java)
> at
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java)
> at java.base/java.nio.file.Files.newByteChannel(Files.java)
> at java.base/java.nio.file.Files.newByteChannel(Files.java)
> at
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java)
> at java.base/java.nio.file.Files.newInputStream(Files.java)
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.getKeyManagerFactory(FileBasedSslContextFactory.java)
> ... 14 common frames omitted
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]