[ 
https://issues.apache.org/jira/browse/CASSANDRA-21490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Meredith updated CASSANDRA-21490:
-------------------------------------
     Bug Category: Parent values: Availability(12983)
       Complexity: Normal
      Component/s: Messaging/Client
                   Messaging/Internode
    Discovered By: User Report
         Severity: Low
           Status: Open  (was: Triage Needed)

> Certificates that fail to hot load should be retried
> ----------------------------------------------------
>
>                 Key: CASSANDRA-21490
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21490
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Messaging/Client, Messaging/Internode
>            Reporter: Jon Meredith
>            Assignee: Jon Meredith
>            Priority: Normal
>
> If an updated TLS certificate is detected on the filesystem but it fails to 
> load, the reload is never tried again. This can happen if the certificate 
> file is overwritten with inaccessible permissions and then granted permission 
> without updating the modified time.
> Reloaded certificates do not currently have their expiry checked like they 
> would have on startup. To protect against an old certificate being copied 
> back into place the expiry should be rechecked. To help provide operators 
> with an indicator of when a certificate expires Cassandra should schedule 
> emitting a log message at the expiration time.
> Elided example log
> {code}
> ERROR 2026-05-31 18:47:04,176 [ScheduledTasks:1] 
> org.apache.cassandra.security.SSLFactory - Failed to hot reload the SSL 
> Certificates! Please check the certificate files for 
> server_encryption_options.
> java.io.IOException: Failed to create SSL context using 
> server_encryption_options
>         at 
> org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java)
>         at 
> org.apache.cassandra.security.SSLFactory.checkCachedContextsForReload(SSLFactory.java)
>         at 
> org.apache.cassandra.security.SSLFactory.checkCertFilesForHotReloading(SSLFactory.java)
>         at 
> org.apache.cassandra.concurrent.ExecutionFailure$1.run(ExecutionFailure.java)
>         at 
> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
>         at 
> java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java)
>         at 
> java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java)
>         at 
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
>         at 
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
>         at 
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java)
>         at java.base/java.lang.Thread.run(Thread.java)
> Caused by: javax.net.ssl.SSLException: failed to build key manager store for 
> secure connections
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.getKeyManagerFactory(FileBasedSslContextFactory.java)
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java)
>         at 
> org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java)
>         at 
> org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java)
>         at 
> org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java)
>         ... 10 common frames omitted
> Caused by: java.nio.file.AccessDeniedException: /path/to/keystore.jks
>         at 
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java)
>         at 
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java)
>         at 
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java)
>         at java.base/java.nio.file.Files.newInputStream(Files.java)
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.getKeyManagerFactory(FileBasedSslContextFactory.java)
>         ... 14 common frames omitted
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to