Does grpc-java support cert reload without restarting server?


Daisy Zhu

Feb 5, 2019, 7:38:11 PM
to grpc.io
Does grpc-java support cert refresh without restarting server?

Danesh Kuruppu

Feb 7, 2019, 9:52:46 AM
to grpc.io
Hi Daisy,

> Does grpc-java support cert refresh without restarting server?

AFAIK, this is not supported yet. We need to restart the server.
Please correct me if I am wrong.

Thanks
Danesh

Daisy Zhu

Feb 7, 2019, 1:27:42 PM
to grpc.io
Hi Danesh,

Thanks for your reply.

How do you restart your server? And it seems hot rotating certs is a general requirement. Are you aware of any concern that grpc hasn't supported this?

Best,
Daisy

Carl Mastrangelo

Feb 7, 2019, 2:01:01 PM
to grpc.io
You are correct, Java doesn't support this. However, if you are using the round robin load balancer in your client, you should be able to gracefully restart your servers with the new certificate without dropping any requests.
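
An added example, not part of the thread and not grpc-java project code: one way a single backend can be drained and restarted so it picks up a renewed certificate, as the reply above describes, with the matching round robin client channel. The class name `CertRestart`, the file arguments and the drain timeout are assumptions for illustration.

```java
import io.grpc.BindableService;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import java.io.File;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

/** One backend that re-reads its certificate files on every (re)start. */
public final class CertRestart {
  private final int port;
  private final File certChain;   // PEM certificate chain (path is an assumption)
  private final File privateKey;  // PEM PKCS#8 private key (path is an assumption)
  private final BindableService service;
  private Server server;

  public CertRestart(int port, File certChain, File privateKey, BindableService service) {
    this.port = port;
    this.certChain = certChain;
    this.privateKey = privateKey;
    this.service = service;
  }
  /** Builds a fresh SslContext from the files as they are on disk right now. */
  public synchronized void start() throws IOException {
    server = NettyServerBuilder.forPort(port)
        .sslContext(GrpcSslContexts.forServer(certChain, privateKey).build())
        .addService(service)
        .build()
        .start();
  }
  /** Drains in-flight RPCs, then comes back up with the renewed certificate. */
  public synchronized void restart(long drainSeconds) throws IOException, InterruptedException {
    if (server != null) {
      server.shutdown();  // refuse new calls, let running ones finish
      if (!server.awaitTermination(drainSeconds, TimeUnit.SECONDS)) {
        server.shutdownNow();  // drain deadline passed: cancel the rest
        server.awaitTermination();
      }
    }
    start();
  }

  /** Client side: a target resolving to several backends, balanced round robin. */
  public static ManagedChannel roundRobinChannel(String target) {
    return ManagedChannelBuilder.forTarget(target).defaultLoadBalancingPolicy("round_robin").build();
  }
}
```

Restart backends one at a time so the round robin channel always has another address to send calls to while one backend is down.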



Daisy Zhu

Feb 7, 2019, 2:14:32 PM
to grpc.io
Thanks for the reply.

Is this the document https://grpc.io/blog/loadbalancing on the round robin load balancer you mentioned? For cert hot rotation, which way is recommended?

1. round robin load balancer on the client side
2. implement hot cert reloading on the server side

If using method 2, are there any potential issues that need to be paid attention to?

Best,
Daisy

sanjay...@google.com

Feb 13, 2019, 1:40:50 PM
to grpc.io
Hi Daisy

There is an issue on GitHub https://github.com/grpc/grpc-java/issues/5335 that talks about the same thing and was possibly created by you.

There is a comment https://github.com/grpc/grpc-java/issues/5335#issuecomment-462531217 that describes an approach to achieve this. Can you verify if it works for you?

sanjay...@google.com

Feb 19, 2019, 11:57:22 AM
to grpc.io
A gentle reminder for Daisy - were you able to verify?

Daisy Zhu

Feb 19, 2019, 1:41:19 PM
to grpc.io
Hi,

I haven't verified. For me I think creating a new SslContextBuilder object is simpler and straightforward.

-Daisy

Sanjay Pujare

Feb 19, 2019, 1:57:48 PM
to Daisy Zhu, grpc.io
No problem. Will you be contributing your code via a PR? 

Sanjay



Daisy Zhu

Feb 21, 2019, 8:04:15 PM
to grpc.io
I commented on the issue. 

Thanks,
Daisy