Home > OS >  Apache ActiveMQ Artemis 2.18 server does not reload the updated keystore with certificates
Apache ActiveMQ Artemis 2.18 server does not reload the updated keystore with certificates

Time:09-17

Apache ActiveMQ Artemis 2.18 does not reload the updated keystore with certificates. Previously we used 2.17 and it was working fine. But after the upgrade to 2.18 the Artemis instance continues to serve requests with the certificates that were provided at the startup. The keystore file changes hourly.

The exception on the client is:

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Sep 07 04:10:33 UTC 2021
    at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
    at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:683)
    at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)

Exception on the server side is:

2021-09-06 09:30:41,315 WARN  [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:x: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown.

After Artemis server is restarted the new certificates are picked up and the Artemis instance serves the requests for one hour more until the certificates expire.

I am wondering if an additional configuration had to be applied. Or if there is a way to reload the keystore without Artemis server restart.

CodePudding user response:

This behavior was changed due to ARTEMIS-3117. Previously an instance of javax.net.ssl.SSLContext was created for every connection. This would implicitly pick up any changes to the keystore and truststore for any new connection. However, this was rather inefficient and therefore didn't scale well with lots of connections. The behavior was changed so that just one javax.net.ssl.SSLContext is created for each acceptor. However, you can still update your keystore & truststore on disk and update the broker without a restart. Simply use the reload management operation on the acceptor. This is available via JMX, the web console, Jolokia, etc.

Here's an example curl command you can use with Jolokia:

curl --user admin:admin --header "Content-Type: application/json" --request POST --data '{"type":"exec", "mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\",component=acceptors,name=\"artemis\"", "operation":"reload"}' http://localhost:8161/console/jolokia/exec

Of course you'll want to adjust the username & password as well as the broker and acceptor names for your environment.

Page link:https//www.codepudding.com/os/117992.html

Prev:POST Requests in various environments
Next:Can we use Bouncy Castle to store and use this 5 CRT files dynamically
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding