Yi Gong created LOG4J2-2988:
-------------------------------

             Summary: SocketAppender is not able to reload key and certs
                 Key: LOG4J2-2988
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2988
             Project: Log4j 2
          Issue Type: Bug
          Components: Appenders
    Affects Versions: 2.13.3
         Environment: Java version 11.0.9+11, Log4j2 2.13.3
            Reporter: Yi Gong


Hi,

We try to use Log4j2 with SocketAppender and SSL configuration to stream our 
logs to a dedicated server side. We use mTLS to establish a TLS connection 
between Log4j2 and the log server. In other words, there is a client key 
pair and certificate. In our environment, our client certificate is short-lived 
and the client key and certificate are automatically renewed periodically. The 
client credentials are provided within a JKS file.

However, we discovered a problem: Log4j2 is not able to reload the key 
and certificate once they are renewed, either by updating the current 
JKS file or by switching to another JKS file.

We have tried setting monitor-interval in the Configuration part, periodically 
modifying the log4j2 configuration file (e.g., updating the keystore file path, 
updating the appender name, etc.), and even invoking reconfiguration in our code, but 
unfortunately the key and certificate are not reloaded correctly.

We understand that Log4j2 SslSocketManager and its parent TcpSocketManager basically 
keep a long-lived connection with the server and do not start a new 
connection if the current one works fine. We observe the problem that once the 
server tears down the connection, Log4j2 is not able to re-establish a connection 
due to the outdated client certificate.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)