[
https://issues.apache.org/jira/browse/ROCKETMQ-335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294821#comment-16294821
]
ASF GitHub Bot commented on ROCKETMQ-335:
-----------------------------------------
zhouxinyu commented on a change in pull request #207: [ROCKETMQ-335] Reload
server certificate, private key and root ca when these are changed
URL: https://github.com/apache/rocketmq/pull/207#discussion_r157457052
##########
File path:
broker/src/main/java/org/apache/rocketmq/broker/BrokerController.java
##########
@@ -387,6 +391,45 @@ public void run() {
}
}, 1000 * 10, 1000 * 60, TimeUnit.MILLISECONDS);
}
+
+ if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
+ // Register a listener to reload SslContext
+ try {
+ fileWatchService = new FileWatchService(
+ new String[] {
+ TlsSystemConfig.tlsServerCertPath,
+ TlsSystemConfig.tlsServerKeyPath,
+ TlsSystemConfig.tlsServerTrustCertPath
+ },
+ new FileWatchService.Listener() {
+ boolean certChanged, keyChanged = false;
+ @Override
+ public void onChanged(String path) {
+ if
(path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
+ log.info("The trust certificate changed,
reload the ssl context");
+ reloadServerSslContext();
+ }
+ if
(path.equals(TlsSystemConfig.tlsServerCertPath)) {
+ certChanged = true;
+ }
+ if
(path.equals(TlsSystemConfig.tlsServerKeyPath)) {
+ keyChanged = true;
+ }
+ if (certChanged && keyChanged) {
Review comment:
But if both certificate and private key are changed, there may have an
inconsistent period which will result in server unavailable.
And in most cases, certificate and private key will be refreshed at the same
time.
BTW, there is a better solution that reloads only when certificate and
private key are matched, but it's more complicated, considering the various
security algorithm.
So, this is a tradeoff way, simple and effective.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Reload server certificate, private key and root ca when these are changed
> -------------------------------------------------------------------------
>
> Key: ROCKETMQ-335
> URL: https://issues.apache.org/jira/browse/ROCKETMQ-335
> Project: Apache RocketMQ
> Issue Type: Improvement
> Components: rocketmq-broker, rocketmq-namesrv, rocketmq-remoting
> Reporter: yukon
> Assignee: yukon
> Fix For: 4.3.0
>
>
> Tls is supported in 4.2.0, but it doesn't support reload server certificate,
> private key and root ca when these are changed.
> This feature can allow us to update the TLS pem files without downtime.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
