Hot reloading of new certificates without restart


Neeraj Prashar

Apr 25, 2018, 1:22:26 PM
to Search Guard Community Forum
Hi there, 

I'm trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running into the issue of not being able to reload new SSL certificates without restarting the cluster.

I realize this question has been asked before (sort of) in this thread -> , but I'm looking for a way to hot reload new SSL certificates with search-guard-ssl ... Currently, we have to restart the node. Is there a way to go about this without restarting the node? If not, would you recommend I look at a specific file to see what can be changed to allow us

I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler:

    // Look up the TLS handler that is installed on this channel under the pipeline name "ssl_server".
    SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get("ssl_server");
    // Build a handler from the (possibly updated) certificate material on disk.
    SslHandler newSslhandler = UpdateSSLEngine();
    if (newEngineNeeded(sslhandler, newSslhandler)) {
        log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
        // Swap the handler in place: Netty removes the old SslHandler and adds the new one
        // (as described below, this is what tears down the existing connection).
        nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler, "ssl_server", newSslhandler);
        messageReceivedDecorate(request, actualHandler, channel, task);
        return;
    }



The newEngineNeeded returns true if new certificates are detected; however, I am running into connection terminations, since the replace adds the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.

Any ideas on how I can make this possible?

Neeraj
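The connection drop described above follows from replacing the SslHandler on a channel that has already completed its TLS handshake. As an added example (not code from this thread, from Search Guard or from Elasticsearch), the sketch below takes the other route that certificate rotation usually takes: rebuild the Netty SslContext when the PEM files on disk change, and hand every newly accepted channel a fresh SslHandler built from the current context, while established channels keep the handler they negotiated. The class name, the file paths and the use of the "ssl_server" pipeline name are assumptions; SslContextBuilder, SslContext.newHandler and ChannelInitializer are Netty's own APIs.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import java.io.File;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Hypothetical helper (not Search Guard code): holds one server-side SslContext
 * and rebuilds it when the certificate chain or private key file is rewritten.
 * Only NEW connections are affected; channels that already finished their
 * handshake are left alone, so nothing is torn down on rotation.
 */
public final class ReloadingSslContext {
    private final File certChain;   // PEM certificate chain (assumed path, e.g. node.pem)
    private final File privateKey;  // PKCS#8 PEM private key (assumed path, e.g. node-key.pem)
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    private volatile long certStamp;
    private volatile long keyStamp;
    private volatile Exception lastReloadError;

    public ReloadingSslContext(File certChain, File privateKey) throws Exception {
        this.certChain = certChain;
        this.privateKey = privateKey;
        reload(); // fail fast at startup if the initial material is unusable
    }

    /** Rebuild the context from disk; the mtimes are recorded only after a successful build. */
    private synchronized void reload() throws Exception {
        SslContext ctx = SslContextBuilder.forServer(certChain, privateKey).build();
        certStamp = certChain.lastModified();
        keyStamp = privateKey.lastModified();
        current.set(ctx);
        lastReloadError = null;
    }

    /** True when either PEM file was rewritten since the last successful build. */
    public boolean filesChanged() {
        return certChain.lastModified() != certStamp || privateKey.lastModified() != keyStamp;
    }

    /** The most recent usable context, rebuilt if the files changed. */
    public SslContext get() {
        if (filesChanged()) {
            try {
                reload();
            } catch (Exception e) {
                // A half-written or malformed PEM must not break new connections:
                // keep serving the last good context and retry on the next call.
                lastReloadError = e;
            }
        }
        return current.get();
    }

    /** Exposed so an operator or health check can see that a rotation was rejected. */
    public Exception lastReloadError() {
        return lastReloadError;
    }

    /**
     * Handler for a NEW channel. This is the alternative to
     * pipeline().replace(oldHandler, "ssl_server", newHandler) on a live channel,
     * which removes the negotiated SslHandler and closes the connection.
     */
    public SslHandler newHandler(ByteBufAllocator alloc) {
        return get().newHandler(alloc);
    }

    /** Pipeline initializer that installs a fresh SslHandler per accepted connection. */
    public ChannelInitializer<SocketChannel> initializer() {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addFirst("ssl_server", newHandler(ch.alloc()));
                // remaining transport handlers are added after the TLS handler
            }
        };
    }
}
```

Two caveats a practitioner should keep in mind. First, write the new PEM files atomically (write to a temporary file, then rename) so the mtime check never picks up a partially written key; the helper tolerates a bad file by keeping the old context, but a torn write still costs a failed build. Second, connections that were established before the rotation keep presenting the old certificate until they close on their own; if the old key is being retired because it is compromised rather than merely expiring, those channels still have to be closed deliberately, which is exactly the disruption the in-place replace causes on every channel at once.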

SG

Apr 25, 2018, 1:39:36 PM
to search...@googlegroups.com
Can you describe your use case? Why do you need to hot reload new certificates?

We are constantly thinking about this feature but it's rarely requested and I am not sure if there is a real use case for that.

Neeraj Prashar

Apr 25, 2018, 3:14:30 PM
to Search Guard Community Forum
We have some really big clusters and don't want to reboot each node after updating the certificate. That's the reason for asking.

Neeraj

SG

Apr 25, 2018, 5:09:19 PM
to search...@googlegroups.com
Sure, but how frequently do you update the certificates? I guess less frequently than applying updates for ES or SG, which forces you anyhow to take down the nodes.