Sometimes you want to reload the TLS certificate from the filesystem for a Netty-based server without having to bounce the server. Maybe your certificates get renewed every now and then. Or maybe you are using a certificate manager that first hands your server a temporary certificate and delivers the permanent one a few minutes later.
There are multiple ways of getting a Netty-based server to reload the TLS certificate from the filesystem, or rather of dealing with certificate refresh. The strategies include:

- Shut down the existing channels on the server when the event signalling a TLS certificate change arrives. Hopefully the client retries and your exception handling is robust enough to make the experience seamless.
- Write your own `SslContext` class, and have it renew itself whenever it is notified of a change in the TLS certificate.
- Replace the SSL/TLS handler in the channel pipeline on the fly, based on the event notification.
- Close the existing channels and propagate the errors to the client. Let the client retry, which results in a new channel being opened using an SSL context built from the newer material.
- Let existing channels continue to use the old certificate. New channels use an SSL context built from the new certificate and key.
This repo contains an example that explores strategies #3 and #4. It takes the Echo example from the Netty repo and extends it.
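The following is an added illustration of strategies #4 and #5 above; it is not code from this repo or from Netty's Echo example. It keeps the current `SslContext` in an `AtomicReference` so that every newly accepted channel gets a handler built from whatever material is current (strategy #5), tracks open channels in a `ChannelGroup` so they can be closed to force clients to reconnect (strategy #4), and rebuilds the context when a `WatchService` reports that the certificate or key file changed. The class name, the `"ssl"` handler name and the PEM file paths are assumptions for the example.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.group.ChannelGroup;
import io.netty.channel.group.DefaultChannelGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.util.concurrent.GlobalEventExecutor;

import javax.net.ssl.SSLException;
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Example (not the repo's own code): a ChannelInitializer whose SslContext can be
 * swapped at runtime. ChannelInitializer is @Sharable, so one instance serves the
 * whole ServerBootstrap and every accepted channel reads the current context.
 */
public final class ReloadableTlsInitializer extends ChannelInitializer<SocketChannel> {
    private final File certChain;   // PEM certificate chain (assumed path)
    private final File privateKey;  // PEM private key (assumed path)
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    // ChannelGroup drops channels automatically when they close, so it never leaks.
    private final ChannelGroup openChannels = new DefaultChannelGroup(GlobalEventExecutor.INSTANCE);

    public ReloadableTlsInitializer(File certChain, File privateKey) throws SSLException {
        this.certChain = certChain;
        this.privateKey = privateKey;
        reload(); // fail fast at startup if the initial material is unusable
    }

    /** Strategy #5: rebuild from disk; only channels accepted after this call use the new material. */
    public void reload() throws SSLException {
        // Build fully before publishing so a bad file never replaces a working context.
        SslContext fresh = SslContextBuilder.forServer(certChain, privateKey).build();
        current.set(fresh);
    }

    /** Strategy #4: reload, then close existing channels so clients reconnect and get the new certificate. */
    public void reloadAndCloseExisting() throws SSLException {
        reload();
        openChannels.close(); // asynchronous; each client sees a closed connection and should retry
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        openChannels.add(ch);
        ch.pipeline().addLast("ssl", current.get().newHandler(ch.alloc()));
        // application handlers (e.g. the echo handler) are added after the TLS handler
    }

    /** Watches the directory holding the PEM files and reloads when either file is written. */
    public Thread watchDirectory(Path dir) throws IOException {
        WatchService ws = dir.getFileSystem().newWatchService();
        dir.register(ws, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
        Thread watcher = new Thread(() -> {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    WatchKey key = ws.take();
                    for (WatchEvent<?> ev : key.pollEvents()) {
                        Path changed = dir.resolve((Path) ev.context());
                        if (changed.equals(certChain.toPath()) || changed.equals(privateKey.toPath())) {
                            reload();
                        }
                    }
                    key.reset();
                } catch (InterruptedException e) {
                    return;
                } catch (SSLException e) {
                    // Keep serving with the previous context; log and wait for the next event.
                    System.err.println("TLS reload failed, keeping old context: " + e.getMessage());
                }
            }
        }, "tls-reload-watcher");
        watcher.setDaemon(true);
        watcher.start();
        return watcher;
    }
}
```

Two caveats worth keeping in mind with this shape. First, certificate managers usually write the certificate and the key as two separate files, so a watch event can fire when only one of them has been replaced; a mismatched pair may only be detected at handshake time rather than in `build()`, so either debounce the reload or have the manager write both files into a fresh directory and swap it atomically. Second, closing the group from the watcher thread is safe because `ChannelGroup.close()` only schedules the closes on each channel's event loop; what matters is that the client side really does reconnect rather than treating the dropped connection as a fatal error.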