java - How can I get a Netty server to reload a TLS certificate when it is renewed? - Stack Overflow https://stackoverflow.com/questions/46803131/how-can-i-get-a-netty-server-to-reload-a-tls-certificate-when-it-is-renewed

 

I have a Netty-based server that uses PEM-encoded certificate files that are periodically re-issued (by Let's Encrypt). Netty fully supports loading the PEM crypto material, but when the certificate (.cer file) is later re-issued, the server needs to be restarted to see it.

I have handled this up until now by adding a custom channel init handler to add the logic to reload the cert and add an appropriate SSLHandler built from that. But now I'm wanting to use Aleph, and it expects a Netty SSLContext object for TLS.

This seems like a topical and general problem with the growing popularity of Let's Encrypt and its relatively short-lived certs, and I'd like to solve it properly. Which means a Netty-compatible way to create an SSLContext that will reload its certificate(s) if they change on disk.

Some approaches I've come up with:

  1. Make a dynamic trust manager/trust store, then plug that into the Netty SSLContextBuilder. Could use this is a starting point https://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/, and take some of the code to load the key/cert from Programmatically Obtain KeyStore from PEM (Netty’s PEM -> KeyStore logic is not public in the SSLContext class). Upside: works outside Netty too. Downside: complicated and doesn’t reuse Netty’s existing logic to load PEM keys and certs.

  2. Add this as a Netty-supported option.

Can anyone point me to a solution, or suggest the best way forward to building one?

Answering my own question.

The answer is: don't do it at this level. Instead, have something outside the Netty stack monitor the cert, and when the cert changes remove the existing SSL handler from the pipeline and replace it with a new one with a SSLContext created from the new cert.

How can I get a Netty server to reload a TLS certificate when it is renewed?的更多相关文章

  1. Android Netty Server

    项目源码在github上,请看这里-->Android Netty Server Android netty server Start a netty server on android Dow ...

  2. windows FileZilla Server 开启FTP over TLS

    FileZilla Server官方下载地址: https://filezilla-project.org/download.php?type=server FileZilla Server 开启FT ...

  3. [转帖]windows 2008 Server R2 /Win7启用TLS 1.2

    来自新浪博客的 一个文章 自己很早之前曾经看过 iis的加密工具 但是当时没有认识到TLS1.2协议的问题 这里 晚上学习了一下.  http://blog.sina.com.cn/s/blog_16 ...

  4. Go gRPC进阶-gRPC转换HTTP(十)

    前言 我们通常把RPC用作内部通信,而使用Restful Api进行外部通信.为了避免写两套应用,我们使用grpc-gateway把gRPC转成HTTP.服务接收到HTTP请求后,grpc-gatew ...

  5. dubbo源码分析4-基于netty的dubbo协议的server

    dubbo源码分析1-reference bean创建 dubbo源码分析2-reference bean发起服务方法调用 dubbo源码分析3-service bean的创建与发布 dubbo源码分 ...

  6. Netty与传统Server对比

    前言 本文旨在介绍传统Socket服务端与NIO服务端的差异. 以餐厅服务员简单举例,每个客人对应一个请求. 传统Socket / OIO public class OioServer { @Supp ...

  7. Netty In Action

    1 introduction 1.2 Asynchronous by design two most common ways to work with or implement an asynchro ...

  8. 基于Netty的私有协议栈的开发

    基于Netty的私有协议栈的开发 书是人类进步的阶梯,每读一本书都使自己得以提升,以前看书都是看了就看了,当时感觉受益匪浅,时间一长就又还回到书本了!所以说,好记性不如烂笔头,以后每次看完一本书都写一 ...

  9. 一篇文章,读懂 Netty 的高性能架构之道

    原文 Netty是一个高性能.异步事件驱动的NIO框架,它提供了对TCP.UDP和文件传输的支持,作为一个异步NIO框架,Netty的所有IO操作都是异步非阻塞的,通过Future-Listener机 ...

随机推荐

  1. 【leetcode】544. Output Contest Matches

    原题 During the NBA playoffs, we always arrange the rather strong team to play with the rather weak te ...

  2. MVC-区域(Area)

    1.启用路由前的准备工作 1.Global.asax.cs中注册路由 public class MvcApplication : System.Web.HttpApplication { protec ...

  3. 初始化springbean

    public class SMSMessageHandler implements InitializingBean { @Overridepublic void afterPropertiesSet ...

  4. linux下的缓存机制buffer、cache、swap - 运维总结 ["Cannot allocate memory"问题]

    一.缓存机制介绍 在Linux系统中,为了提高文件系统性能,内核利用一部分物理内存分配出缓冲区,用于缓存系统操作和数据文件,当内核收到读写的请求时,内核先去缓存区找是否有请求的数据,有就直接返回,如果 ...

  5. 1.利用BeanMap进行对象与Map的相互转换

    javabean与map的转换有很多种方式,比如: 1.通过ObjectMapper先将bean转换为json,再将json转换为map,但是这种方法比较绕,且效率很低,经测试,循环转换10000个b ...

  6. linux网络编程之posix条件变量

    今天来学习posix的最后一个相关知识----条件变量,言归正传. 下面用一个图来进一步描述条件变量的作用: 为什么呢? 这实际上可以解决生产者与消费者问题,而且对于缓冲区是无界的是一种比较理解的解决 ...

  7. 【克鲁斯卡尔蒜法-最小生成树算法】-zzuli-2271 -Problem -E-魔法交流活动

    问题 E: 魔法交流活动 题目描述 魔法学校近日开展了主题为“天气晴朗”的魔法交流活动.N名魔法师按阵法站好,之后选取N - 1条魔法链将所有魔法师的魔力连接起来,形成一个魔法阵.魔法链是做法成功与否 ...

  8. 05-Docker私有仓库

    一.介绍私有仓库顾名思义,如果我们不想把docker镜像公开放到公有仓库中,只想在部门或团队内部共享docker镜像,这时私有仓库就来了. 二.私有仓库搭建与配置1.拉取私有仓库镜像,这里说明一下,私 ...

  9. css3多列布局瀑布流加载样式

    看了一些网站的瀑布流加载,正好看到css3的多列属性,尝试着写了一个css做布局的瀑布流. 直接上代码: <!DOCTYPE html> <html lang="en&qu ...

  10. 61、springmvc-异步请求-返回DeferredResult

    61.springmvc-异步请求-返回DeferredResult 61.1 DeferredResult 官方文案 61.2 使用 /** * 创建订单加入 订单处理队列 * * @return ...