How can I get a Netty server to reload a TLS certificate when it is renewed?
java - How can I get a Netty server to reload a TLS certificate when it is renewed? - Stack Overflow https://stackoverflow.com/questions/46803131/how-can-i-get-a-netty-server-to-reload-a-tls-certificate-when-it-is-renewed
I have a Netty-based server that uses PEM-encoded certificate files that are periodically re-issued (by Let's Encrypt). Netty fully supports loading the PEM crypto material, but when the certificate (.cer file) is later re-issued, the server needs to be restarted to see it.
I have handled this up until now by adding a custom channel init handler to add the logic to reload the cert and add an appropriate SSLHandler built from that. But now I'm wanting to use Aleph, and it expects a Netty SSLContext object for TLS.
This seems like a topical and general problem with the growing popularity of Let's Encrypt and its relatively short-lived certs, and I'd like to solve it properly. Which means a Netty-compatible way to create an SSLContext that will reload its certificate(s) if they change on disk.
Some approaches I've come up with:
Make a dynamic trust manager/trust store, then plug that into the Netty SSLContextBuilder. Could use this is a starting point https://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/, and take some of the code to load the key/cert from Programmatically Obtain KeyStore from PEM (Netty’s PEM -> KeyStore logic is not public in the SSLContext class). Upside: works outside Netty too. Downside: complicated and doesn’t reuse Netty’s existing logic to load PEM keys and certs.
Add this as a Netty-supported option.
Can anyone point me to a solution, or suggest the best way forward to building one?
Answering my own question.
The answer is: don't do it at this level. Instead, have something outside the Netty stack monitor the cert, and when the cert changes remove the existing SSL handler from the pipeline and replace it with a new one with a SSLContext created from the new cert.
- Yea I have this issue, I am sure as many others. Its a PITA on the java side as it is. Although I found this way back and it may allow bypassing of the keystore. netty.io/wiki/forked-tomcat-native.html – Mr00Anderson Mar 8 at 18:33
How can I get a Netty server to reload a TLS certificate when it is renewed?的更多相关文章
- Android Netty Server
项目源码在github上,请看这里-->Android Netty Server Android netty server Start a netty server on android Dow ...
- windows FileZilla Server 开启FTP over TLS
FileZilla Server官方下载地址: https://filezilla-project.org/download.php?type=server FileZilla Server 开启FT ...
- [转帖]windows 2008 Server R2 /Win7启用TLS 1.2
来自新浪博客的 一个文章 自己很早之前曾经看过 iis的加密工具 但是当时没有认识到TLS1.2协议的问题 这里 晚上学习了一下. http://blog.sina.com.cn/s/blog_16 ...
- Go gRPC进阶-gRPC转换HTTP(十)
前言 我们通常把RPC用作内部通信,而使用Restful Api进行外部通信.为了避免写两套应用,我们使用grpc-gateway把gRPC转成HTTP.服务接收到HTTP请求后,grpc-gatew ...
- dubbo源码分析4-基于netty的dubbo协议的server
dubbo源码分析1-reference bean创建 dubbo源码分析2-reference bean发起服务方法调用 dubbo源码分析3-service bean的创建与发布 dubbo源码分 ...
- Netty与传统Server对比
前言 本文旨在介绍传统Socket服务端与NIO服务端的差异. 以餐厅服务员简单举例,每个客人对应一个请求. 传统Socket / OIO public class OioServer { @Supp ...
- Netty In Action
1 introduction 1.2 Asynchronous by design two most common ways to work with or implement an asynchro ...
- 基于Netty的私有协议栈的开发
基于Netty的私有协议栈的开发 书是人类进步的阶梯,每读一本书都使自己得以提升,以前看书都是看了就看了,当时感觉受益匪浅,时间一长就又还回到书本了!所以说,好记性不如烂笔头,以后每次看完一本书都写一 ...
- 一篇文章,读懂 Netty 的高性能架构之道
原文 Netty是一个高性能.异步事件驱动的NIO框架,它提供了对TCP.UDP和文件传输的支持,作为一个异步NIO框架,Netty的所有IO操作都是异步非阻塞的,通过Future-Listener机 ...
随机推荐
- 转载: Redis面试常问的问题
https://www.cnblogs.com/javazhiyin/p/9842571.html 近,阿音在为接下来的一场面试做准备,其中的内容包括redis,而且redis是重点内容. Redis ...
- android:duplicateParentState属性使用场景
对于这个属性的使用也是在偶然的时候发现的,之前从未使用它,所以有必要阐述一下它的用法,什么场景会要用它这个属性,在我不知道之前这个属性之前,也同样能实现效果,但是当我知道它的存在之后,我肯定在某种场景 ...
- 【搜索-剪枝-偏难】PAT-天梯赛-L3-015. 球队“食物链”
L3-015. 球队“食物链” 某国的足球联赛中有N支参赛球队,编号从1至N.联赛采用主客场双循环赛制,参赛球队两两之间在双方主场各赛一场. 联赛战罢,结果已经尘埃落定.此时,联赛主席突发奇想,希望从 ...
- 持续集成实践---基于ant+jmeter+jenkins接口CI
背景: 大纲: jmeter入门教程 jenkins入门教程 ant介绍 jmeter+ant脚本自动执行实践 接口测试CI实践
- Java锁--CyclicBarrier
转载请注明出处:http://www.cnblogs.com/skywang12345/p/3533995.html CyclicBarrier简介 CyclicBarrier是一个同步辅助类,允许一 ...
- hive 常用操作
参考:https://www.cnblogs.com/jonban/p/10779938.html Hive 启动:hive 退出:hive>quit; show databases; use ...
- vue 自定义全局组件
- Selenium常用API的使用java语言之2-环境安装之IntelliJ IDEA
1.安装IntelliJ IDEA 你可能会问,为什么不用Eclipse呢?随着发展IntelliJ IDEA有超越Eclipse的势头,JetBrains公司的IDE基本上已经一统了各家主流编程语言 ...
- CSS display详解
1.解释一下display的几个常用的属性值,inline , block, inline-block inline(行内元素): 使元素变成行内元素,拥有行内元素的特性,即可以与其他行内元素共享一行 ...
- [Dart] Manipulate Lists/Arrays in Dart
We will learn how to work with Lists using a variety of methods made available in the dart:core libr ...