Can we avoid spring boot application restart, to refresh the certificates associated with its embedded tomcat container?

问题

With any change to the SSL certificates (in its keystore), we need to restart the spring boot application. I want to update my key store entry periodically (may be every year), but want to avoid restarting the JVM. What would it take to achieve it. I wonder if writing custom KeyManager is an acceptable practice?

回答1:

Unfortunately, this is not possible.

BUT

You have several solutions here.

Reload Tomcat connector (a bit hacky)

You can restart Tomcat connector i.e. restart 8843 is possible after you change your jssecacert file.

But I think that it is still a hack.

Reverse proxy: Nginx, Apache

This is a way to go. Your application should be behind some reverse proxy (e.g. nginx). This will give you an additional flexibility and reduce load on your app. Nginx will handle https and translate it to plain http. Anyway, you'll have to restart nginx, but nginx restart is so fast that it will be no downtime. Moreover, you could configure script to do this for you.

回答2:

On Tomcat one can use local JMX to reload SSL context:

private static final String JMX_THREAD_POOL_NAME = "*:type=ThreadPool,name=*";
private static final String JMX_OPERATION_RELOAD_SSL_HOST_CONFIGS_NAME = "reloadSslHostConfigs"; 
private void reloadSSLConfigsOnConnectors() {
    try {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName objectName = new ObjectName(JMX_THREAD_POOL_NAME);
        Set<ObjectInstance> allTP = server.queryMBeans(objectName, null);
        logger.info("MBeans found: {}", allTP.size());
        allTP.forEach(tp -> reloadSSLConfigOnThreadPoolJMX(server, tp));
    } catch (Exception ex) {
        logger.error("", ex);
    }
}

private void reloadSSLConfigOnThreadPoolJMX(MBeanServer server, ObjectInstance tp) {
    try {
        logger.info("Invoking operation SSL reload on {}", tp.getObjectName());
        server.invoke(tp.getObjectName(), JMX_OPERATION_RELOAD_SSL_HOST_CONFIGS_NAME, new Object[]{}, new String[]{});
        logger.trace("Successfully invoked");
    } catch (Exception ex) {
        logger.error("Invoking SSL reload", ex);
    }
}

I'm reloading all ThreadPool SSL context, but you really only need one: Tomcat:type=ThreadPool,name=https-jsse-nio-8443. I'm just afraid the name will change, so I cover all possibilities just in case.

来源：https://stackoverflow.com/questions/39527478/can-we-avoid-spring-boot-application-restart-to-refresh-the-certificates-associ