Load new cert without restart


Carl Hörberg

Jan 28, 2015, 5:56:53 AM
to rabbitm...@googlegroups.com
We have to install a new TLS cert on a couple of servers, because the old one is expiring soon. Is there a way to tell erlang/rabbitmq to load the new key/cert-chain without restarting the whole server?

Michael Klishin

Jan 28, 2015, 6:03:57 AM
to Carl Hörberg, rabbitm...@googlegroups.com
I believe the OTP ssl app doesn't let you do that as it caches stuff internally. I may be wrong, though.

MK


Carl Hörberg

Jan 28, 2015, 6:04:02 AM
to rabbitm...@googlegroups.com
Yes, with: rabbitmqctl eval 'ssl:stop(), ssl:start().'

Michael Klishin

Jan 28, 2015, 6:06:42 AM
to Carl Hörberg, rabbitm...@googlegroups.com
Nice. Does this drop existing connections?

MK

Carl Hörberg

Jan 28, 2015, 6:26:35 AM
to Michael Klishin, Carl Hörberg, rabbitm...@googlegroups.com
Yes, it does drop existing connections unfortunately (and Ruby Bunny isn't able to automatically recover(?) but issuing b.start again reconnects properly :/ )

Michael Klishin

Jan 28, 2015, 6:37:03 AM
to Carl Hörberg, rabbitm...@googlegroups.com
I am curious what kind of exception Ruby throws in that case. Bunny handles a broad group of network and system call exceptions.

MK

Carl Hörberg

Jan 28, 2015, 6:42:10 AM
to Carl Hörberg, Michael Klishin, rabbitm...@googlegroups.com
Actually, ignore the Bunny thing, it looks like it was a continuation timeout, and not a TLS problem, that tripped Bunny. (The connection was closed though when issuing ssl:stop/start)

Arun Kumar

Jul 4, 2018, 7:54:26 AM
to rabbitmq-users
Hi,

Thank you for the command. After running the command rabbitmqctl eval "ssl:stop(), ssl:start()", the connections drop. Can you please share the Windows command to recover the connections / channels etc.? I could not understand how to use b.start from your previous comment.

Michael Klishin

Aug 9, 2018, 10:06:58 AM
to rabbitmq-users
Carl was referring to Bunny::Session#start, which initiates the client connection.

There seem to have been some changes in recent Erlang releases that introduce potential for certificate and key reloading.
We don't yet know if it's a documented feature and what version introduced it.
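
An added example, not part of the thread and not RabbitMQ's own tooling: a shell check that compares the certificate on disk with the one the TLS listener actually serves, and runs the `ssl:stop(), ssl:start()` command from the thread only when they differ. The host, port (5671 is RabbitMQ's conventional AMQPS port) and certificate path are placeholders, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: confirm that the TLS listener serves the certificate on disk,
# and reload the Erlang ssl app only when it does not.
# Assumptions: openssl is installed; host, port and cert path are placeholders.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS listener presents.
# Prints nothing if the handshake fails.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Classify the listener from the two fingerprints: current, stale or unreachable.
reload_state() {
  if [ -z "$2" ]; then echo unreachable
  elif [ "$1" = "$2" ]; then echo current
  else echo stale
  fi
}

# check_and_reload HOST PORT CERT_PEM
check_and_reload() {
  local disk served state
  disk=$(pem_fingerprint "$3")
  [ -n "$disk" ] || { echo "cannot read certificate: $3" >&2; return 2; }
  served=$(served_fingerprint "$1" "$2")
  state=$(reload_state "$disk" "$served")
  echo "before: $state"
  [ "$state" = stale ] || return 0
  # The command from the thread. It closes every existing TLS connection,
  # so clients must reconnect afterwards.
  rabbitmqctl eval 'ssl:stop(), ssl:start().' || return 1
  sleep 2
  served=$(served_fingerprint "$1" "$2")
  state=$(reload_state "$disk" "$served")
  echo "after: $state"
  [ "$state" = current ]
}

# Run only when called with arguments, e.g.:
#   ./reload-check.sh localhost 5671 /path/to/cert.pem
if [ "$#" -ge 3 ]; then check_and_reload "$@"; fi
```

An "after: stale" result means the listener is still presenting the old certificate after the reload, which is the case to investigate before the old certificate expires.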