Automatically refresh the CA and certificate/credentials without shutting down the server
Is your feature request related to a problem? Please describe.
GRPC-js is using http2 to make the underlying connection. There's a function called setupServer in src/server.ts that does this.
I want to be able to renew the certificates used by GRPC without interrupting existing connections. There is a function in node for this: https://stackoverflow.com/a/57197663/582917
Basically you use it like:
```javascript
const fs = require('fs');

// server is the underlying tls.Server (http2 secure servers extend it)
server.setSecureContext({
  ca: fs.readFileSync('chain.pem'),
  cert: fs.readFileSync('cert.pem', 'utf8'), // fullchain
  key: fs.readFileSync('privkey.pem', 'utf8')
});
```
Describe the solution you'd like
Ideally this function would be exposed by the grpc server object as well, so we can update the certificates with zero downtime.
I'm not sure if this would work if the server was created with non-secure credentials, because that uses http.createServer and that may not have that function.
The setSecureContext is part of the tls.Server class in Node.js.
But if that's the case, we can just throw an exception.
Or alternatively a way to access the underlying server object to do this.
I have been informed that there is ongoing internal work to design a feature like this for the gRPC libraries in various languages. I will update this issue when I have more information about it.
There are now experimental APIs CertificateProvider, FileWatcherCertificateProvider, and createCertificateProviderServerCredentials, which can be used to dynamically update certificates on a running server.