micronaut-core
SSL Certs Reload with Refresh event not working in v3.6.0?
Outside of official docs, I am unable to find any references online for this config. So responding to the merge where the feature was added.
@graemerocher Thank you so much for adding this. It would really help us out in our application. I am on a Micronaut v3.6.0, Gradle 7.3, Java 11 project. However, I don't seem to be able to get this config to work.
Intent: I get new .p12 files every time the certs are renewed. Without restarting the service, I would like to refresh the key management system in the Micronaut server to use the new .p12 file (public key value changes from the previous one in use).
I have tried several versions and even tried passing in the full file path. It still seems to be using the file that was included in the original build. I am attaching screenshots of my config, attempts and logs. Am I missing anything? Could you please help?
Original SSL config in application

Logging on refresh event

Trying full ssl.* reload

Confirming refresh event in logs

Application returning old value in property as response. Also tried new requests in a new browser window, different browser as well

Trying just path refresh for SSL. Event was successfully recorded in logs, but still not using new p12 file.

Originally posted by @anuragdeshpande in https://github.com/micronaut-projects/micronaut-core/issues/6112#issuecomment-1213625246
First I assumed a new file cannot be injected. Instead only the contents of the existing file to add the new cert. However, as expected, the OS has a lock on the file so I cannot edit, update or delete without bringing the service down.
I have also tried mapping the cert files in Docker containers to check if it was a Windows/file system thing. I am seeing the same behavior in Linux containers as well.
My hope is that we can map a new p12 file and trigger a refresh event to point the application at the new file and reload the cert without needing a restart.
PS: As indicated in the documentation, the intent is to write a scheduled method. I have used a controller just for this post so as to get more control on simulation and take screenshots.
@graemerocher I noticed that values are dropped in refresh event and only the keySet is used to refresh the application. If we track the values as well and use them to inject the updated bean instead, we can reload all config with dynamic values at runtime. Would this be a security implication if implemented at core framework level?

I was able to hot reload a file using refresh event by injecting the SSL Configuration bean. After a bunch of experiments this is what worked for me.

@anuragdeshpande Are you using micronaut.ssl or micronaut.server.ssl in the config? I think there is a bug with reloading with the former.
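
A sketch of the scheduled method the question describes, added here as an example; it is not code from this thread or from the Micronaut project. It fires a `RefreshEvent` only when the keystore's SHA-256 digest changes. The class name `KeyStoreWatcher`, the `SSL_PREFIX` value, the `micronaut.server.ssl.key-store.path` property and the `file:` path form are assumptions to adapt to your own config.

```java
import io.micronaut.context.annotation.Value;
import io.micronaut.context.event.ApplicationEventPublisher;
import io.micronaut.runtime.context.scope.refresh.RefreshEvent;
import io.micronaut.scheduling.annotation.Scheduled;
import jakarta.inject.Singleton;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;

@Singleton
public class KeyStoreWatcher { // hypothetical class name
    // Assumption: the prefix under which your SSL settings are configured.
    private static final String SSL_PREFIX = "micronaut.server.ssl";

    private final ApplicationEventPublisher<RefreshEvent> publisher;
    private final Path keyStore;
    private byte[] lastDigest; // digest of the keystore seen on the previous run

    public KeyStoreWatcher(ApplicationEventPublisher<RefreshEvent> publisher,
                           @Value("${micronaut.server.ssl.key-store.path}") String location) {
        this.publisher = publisher;
        // Assumption: the path is configured as "file:/path/to/server.p12".
        this.keyStore = Paths.get(location.replaceFirst("^file:", ""));
    }

    @Scheduled(fixedDelay = "1m")
    void reloadIfChanged() throws IOException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(Files.readAllBytes(keyStore));
        if (lastDigest == null) { // first run: record the baseline only
            lastDigest = digest;
            return;
        }
        if (!MessageDigest.isEqual(lastDigest, digest)) {
            lastDigest = digest;
            // Publish the configuration prefix as the changed key; "*" is a wildcard value.
            publisher.publishEvent(new RefreshEvent(
                    Collections.<String, Object>singletonMap(SSL_PREFIX, "*")));
        }
    }
}
```

Replace the keystore with an atomic rename so the watcher never hashes a half-written file, and compare the fingerprint of the certificate the server presents against the new .p12 to confirm the reload took effect.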