Automatically hot-reload SSL certificates if keystore file changed

[knaccc]

With LetsEncrypt providing short-duration certificates, it is useful to be able to hot-reload the keystore using the sslContextFactory.reload method. ( See #918 )

However, in non-embedded situations (i.e. Jetty started using java start.jar), it requires the creation of a custom module and a jar file that will include the fairly straightforward code that will trigger the reload.

Please consider automatically reloading the keystore, or providing an option in ssl.ini to do so.

In embedded Jetty, that would be done like this:

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore");
FileWatcher.onFileChange(Paths.get(URI.create(sslContextFactory.getKeyStorePath())), () -> 
        sslContextFactory.reload(scf -> log.info("Reloaded keystore")));

(The FileWatcher source is here: https://gist.github.com/danielflower/f54c2fe42d32356301c68860a4ab21ed)

[sbordet]

We should:

• Implement Programmatic keyfile creation and PEM file import #1826
• use Jetty's Scanner to track the PEM files / KeyStore files
• Provide a JMX command to reload the SslContexFactory
• Provide a new module that does the scanning and reload - we don't want these functionalities into SslContextFactory itself

[sbordet]

FTR, we decided that #1826 is orthogonal and more complicated to implement, so for now we only "watch" $JETTY_BASE/etc/keystore and reload SslContextFactory if it changes.

[lachlan-roberts]

PR #5042 adds the ssl-reload module, this will be available from jetty-9.4.31

[nagarjunabattula]

Hi,
We are using the Jetty server with version 9.4.48.v20220622 standalone and core Java 17 with REST code.
We are looking to hot reload the certificates.
For this, we are getting the latest server.jks and trust.jks copying to our cert folder and using
SslContextFactory.reload(...) .

When I am checking using the curl
curl --insecure -vvI https://localhost/:/ 2>&1 | awk 'BEGIN { cert=0 } /^* SSL connection/ { cert=1 } /^*/ { if (cert) print }'
I am getting the latest cert info.
But in the browser, I am still seeing the old cert only, tried to signedout and use a private window, and checked all browsers other than Chrome still has no use.
And I have tried to use the wrong certificate still it's working as is without failing.
Could you please help me?

Please find the code and suggest me if any.

HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(JETTY_PORT);
SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath(SSL_SERVER_KEY_STROKE_PATH);
sslContextFactory.setCertAlias("server");
sslContextFactory.setKeyStorePassword(SSL_KEY_STROKE_KEY);
sslContextFactory.setTrustStorePath(SSL_TRUST_KEY_STROKE_PATH);
sslContextFactory.setTrustStorePassword(SSL_KEY_STROKE_KEY);
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector https = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(https_config));
https.setPort(JETTY_PORT);
server.setConnectors(new Connector[]{https});
CertificateUtil.downloadCertificates();
Timer timer = new Timer();
final boolean[] tempVar = {true};
timer.schedule(new TimerTask() {
@OverRide
public void run() {
try {
logger.info("SSL timer scheduler start");
logger.info(sslContextFactory.toString());
logger.info("ssl context "+sslContextFactory.getSslContext());
// gets latest server.jks and trust.jks and copies to the path
CertificateUtil.copyCertificates();
logger.info("Started certificates reload");
sslContextFactory.reload(scf -> logger.info("Certificates reloaded successfully"));
logger.info("Calling reload end");
} catch (Exception e) {
logger.severe("Exception while reloading certs " + e);
}
}
}, 0, CERT_RELOAD_TIME);
logger.info("Jetty SSL successfully configured..");
} catch (Exception e){
logger.severe("Error configuring Jetty SSL.."+e);
throw e;
}
}
...
server.start();
server.join();

[joakime]

Hi,
We are using the Jetty server with version 9.4.48.v20220622 standalone and core Java 17 with REST code.
We are looking to hot reload the certificates.
For this, we are getting the latest server.jks and trust.jks copying to our cert folder and using
SslContextFactory.reload(...) .

Note: Jetty 9.x is at End of Community Support as of June 2022

• End of Community Support for Jetty 9.x - June 2022 #7958

You should be using Jetty 10, Jetty 11, or Jetty 12 at this point in time.

Also note that Jetty 10 and Jetty 11 has started it's Sunsetting and will be at End of Community Support in January 2025

• End of Community Support for Jetty 10 / Jetty 11 - January 2024 #10485