
Automatic certificate change detection and reload

Open lukehutch opened this issue 5 years ago • 11 comments

Vert.x needs to support automatic change detection and reload for certificates, so that Vert.x servers can be used with certbot.

Currently Vert.x does not have out-of-the-box support for LetsEncrypt.org's ACME. There is an outdated project that implemented support for an older version protocol. However, a better strategy is to rely on certbot, the primary recommended ACME client, set up as a cron job to renew certificates as needed.

When used with a Vert.x server, this would require shutting down the Vert.x server and restarting it when the certificate is renewed, using certbot's --renew-hook option. Server downtime, even if brief, is not ideal.

It would be much better for Vert.x to be able to watch for changes to certificates, and reload certificates if they change.

Related:

https://groups.google.com/forum/#!topic/vertx/fLQPPAxkftM

https://github.com/eclipse-vertx/vert.x/issues/2606

lukehutch (Mar 08 '19 11:03)

An alternative to watching for changes to the certificates would be to use the --renew-hook to send e.g. a REST request using e.g. curl to the server to refresh the certificates. You could run a separate HTTP-only REST API on a different port for this purpose alone, for example.

xkr47 (Mar 11 '19 08:03)

@xkr47 Yes, or you could use the Hazelcast CLI to send a message on the event bus, or (ideally) vertx-shell could be extended with a reload-certificates command.

Vert.x currently has no dynamic certificate reload support though, so that needs to be fixed first, e.g. by using your DynamicCertOptions class (which I discovered after filing this bug report). I really think this should be part of vertx-core.

lukehutch (Mar 11 '19 08:03)

(DynamicCertOptions is lower-level than DynamicCertManager but yeah sure that can be used as well.)

xkr47 (Mar 11 '19 13:03)

DynamicCertOptions would be the way to go, I think; CertOptions have been designed to be extended this way.

vietj (Mar 11 '19 13:03)

@vietj Can something like that be built into Vert.x? It's not much extra code to support reload.

lukehutch (Mar 11 '19 17:03)

I don't know yet, I think there is room for a vertx util based project to host things like this too.

vietj (Mar 12 '19 16:03)

That being said, the dynamic cert options don't depend on anything.

vietj (Mar 12 '19 16:03)

Any update or workarounds for this?

carbotaniuman (May 23 '20 19:05)

I have published a working reference implementation/demo here: Instant SSL Reloading For Vert.x. I hope this is a bit useful for others who are seeking a solution for this kind of use case.

There is no updating service provided by Vert.x itself, but it is possible to update and reload the SSL configuration without restarting it by having a slightly different server configuration. I have provided one example of fetching the updated keystores from the file system; however, it is also possible to use PEM and DER files. It is also possible to fetch the newly created certificates from a database or some other place.

This example is using my own library, which can be found here: SSLContext Kickstart. It might be useful for others who still want to have this kind of feature of reloading SSL without restarting the server.

@vietj Do you think some of it can be used or integrated by Vert.x library to provide something like this out of the box?

Hakky54 (Apr 15 '22 23:04)

Thanks @Hakky54.

I think we could provide an SPI in Vert.x to integrate more easily with the SSLContext library.

vietj (May 03 '22 14:05)

Hi everyone, I have added my input regarding reloading the SSL configuration here: https://github.com/eclipse-vertx/vert.x/issues/4452. I am curious what everyone's opinion would be on the solution. Not quite sure if this is ok for you, @vietj?

Hakky54 (Aug 09 '22 22:08)

Hi everyone, I have created a PR with the changes needed for doing automatic certificate reload in a Vertx server. Let me know what your thoughts are regarding this approach: https://github.com/eclipse-vertx/vert.x/pull/4519. We run a background timer to check for certificate file changes and refresh the SSLContext. We allow enabling refresh on a per-certificate basis and also setting the refresh rate per cert.

sarankk (Oct 25 '22 18:10)

@sarankk I think instead we should have an option on HttpServer to reload the certificate so it can be used externally and we don't need to mess with the SSL options, which are already pretty crowded, e.g. a method like refreshCertificate(KeyCertOptions), so any user could do that using its own periodic

vietj (Oct 26 '22 08:10)
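The two ideas above (a background timer that detects certificate file changes, and a server-side method the application calls to swap in new key material) put together as an added example; this is not code from the thread or from the Vert.x project. It assumes HttpServer.updateSSLOptions(SSLOptions) as shipped in Vert.x 4.4 and later, Java 17 for HexFormat, and placeholder certbot paths.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpServer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PemKeyCertOptions;
import io.vertx.core.net.SSLOptions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Assumes Vert.x 4.4+ (HttpServer.updateSSLOptions). Paths below are placeholders.
public class CertReloadVerticle extends AbstractVerticle {
  static final String CERT = "/etc/letsencrypt/live/example.invalid/fullchain.pem";
  static final String KEY = "/etc/letsencrypt/live/example.invalid/privkey.pem";
  static final long POLL_MS = 60_000;
  private String lastFingerprint = ""; // first poll performs one harmless reload

  @Override
  public void start() {
    HttpServerOptions opts = new HttpServerOptions().setSsl(true)
        .setKeyCertOptions(new PemKeyCertOptions().setCertPath(CERT).setKeyPath(KEY));
    HttpServer server = vertx.createHttpServer(opts).requestHandler(req -> req.response().end("ok"));
    server.listen(8443).onSuccess(s -> vertx.setPeriodic(POLL_MS, id -> checkAndReload(server)));
  }

  // Runs on the event loop; reads are async, so the server keeps serving while polling.
  private void checkAndReload(HttpServer server) {
    vertx.fileSystem().readFile(CERT).onSuccess(cert ->
      vertx.fileSystem().readFile(KEY).onSuccess(key -> {
        // Compare content, not mtime: certbot swaps files behind symlinks, and a stray
        // touch without new material must not trigger a reload.
        String fp = fingerprint(cert, key);
        if (fp.equals(lastFingerprint)) return;
        // Passing PEM bytes rather than paths makes the new options differ from the old,
        // so the server parses the renewed material instead of treating it as unchanged.
        SSLOptions fresh = new SSLOptions().setKeyCertOptions(
            new PemKeyCertOptions().setCertValue(cert).setKeyValue(key));
        server.updateSSLOptions(fresh)
          .onSuccess(v -> { lastFingerprint = fp; System.out.println("TLS reloaded " + fp); })
          .onFailure(e -> System.err.println("TLS reload failed, old context kept: " + e));
      }));
  }

  static String fingerprint(Buffer cert, Buffer key) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update(cert.getBytes());
      md.update(key.getBytes());
      return HexFormat.of().formatHex(md.digest());
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);
    }
  }
}
```

Because lastFingerprint is only advanced after a successful update, a half-written or unreadable file is retried on the next poll while the previous TLS context stays in service.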

Hi @vietj, I also made an attempt to support this out of the box within Vertx; you can find my latest changes on the PR https://github.com/eclipse-vertx/vert.x/pull/4453. It is inspired by the PR https://github.com/eclipse-vertx/vert.x/pull/4519 but slightly different. The SSL reloading can be enabled by setting the refresh option on the HttpServerOptions. I have added an example usage/server configuration to the PR as a comment at the bottom. Can you maybe have a look at it? I am curious whether it is something in the right direction or needs to be adjusted.

Hakky54 (Oct 31 '22 09:10)

See https://github.com/eclipse-vertx/vert.x/pull/4568

vietj (Dec 17 '22 10:12)