Hi there,
I'm trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running into the issue of not being able to reload new SSL certificates without restarting the cluster.
I realize this question has been asked before (sort of) in this thread, but I'm looking for a way to hot reload new SSL certificates with search-guard-ssl... Currently, we have to restart the node. Is there a way to go about this without restarting the node? If not, would you recommend I look at a specific file to see what can be changed to allow us
I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler:

    SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get("ssl_server");
    SslHandler newSslhandler = UpdateSSLEngine();
    if (newEngineNeeded(sslhandler, newSslhandler)) {
        log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
        nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler, "ssl_server", newSslhandler);
        messageReceivedDecorate(request, actualHandler, channel, task);
        return;
    }

The newEngineNeeded returns true if new certificates are detected; however, I am running into connection terminations, since the replace adds the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.
Any ideas on how I can make this possible?
Neeraj