Apache ActiveMQ Artemis 2.18 does not reload the updated keystore with certificates. Previously we used 2.17 and it was working fine. But after the upgrade to 2.18 the Artemis instance continues to serve requests with the certificates that were provided at the startup. The keystore file changes hourly.
The exception on the client is:
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Sep 07 04:10:33 UTC 2021
at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:683)
at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
Exception on the server side is:
2021-09-06 09:30:41,315 WARN [org.apache.activemq.artemis.core.server] AMQ222208: SSL handshake failed for client from /x.x.x.x:x: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown.
After Artemis server is restarted the new certificates are picked up and the Artemis instance serves the requests for one hour more until the certificates expire.
I am wondering if an additional configuration had to be applied. Or if there is a way to reload the keystore without Artemis server restart.
CodePudding user response:
This behavior was changed due to ARTEMIS-3117. Previously an instance of javax.net.ssl.SSLContext was created for every connection. This would implicitly pick up any changes to the keystore and truststore for any new connection. However, this was rather inefficient and therefore didn't scale well with lots of connections. The behavior was changed so that just one javax.net.ssl.SSLContext is created for each acceptor. However, you can still update your keystore & truststore on disk and update the broker without a restart. Simply use the reload management operation on the acceptor. This is available via JMX, the web console, Jolokia, etc.
Here's an example curl command you can use with Jolokia:
curl --user admin:admin --header "Content-Type: application/json" --request POST --data '{"type":"exec", "mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\",component=acceptors,name=\"artemis\"", "operation":"reload"}' http://localhost:8161/console/jolokia/exec
Of course you'll want to adjust the username & password as well as the broker and acceptor names for your environment.
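Since the keystore in the question is rotated hourly, a practitioner will usually want the reload to happen automatically rather than by hand. The script below is an added example, not part of the original answer or of the Artemis project: it only calls the acceptor's reload operation over Jolokia when the keystore file's checksum has actually changed, and it checks the Jolokia response status instead of assuming success. The broker name "0.0.0.0", acceptor name "artemis", the http://localhost:8161/console/jolokia/exec endpoint, the admin:admin credentials and the state-file path are placeholders taken from or modelled on the answer above and must be adjusted for your environment.

```shell
#!/bin/sh
# Added example (not from the original post): reload an Artemis acceptor over
# Jolokia only when the keystore file on disk has changed since the last run.
# All names below are placeholders: broker "0.0.0.0", acceptor "artemis",
# Jolokia exec endpoint on localhost:8161 and admin:admin credentials.
set -eu

JOLOKIA_URL="${JOLOKIA_URL:-http://localhost:8161/console/jolokia/exec}"
JOLOKIA_USER="${JOLOKIA_USER:-admin:admin}"
STATE_FILE="${STATE_FILE:-/tmp/artemis-keystore.sha256}"

# Build the Jolokia "exec" payload for the acceptor's reload operation.
# Broker and acceptor names are quoted inside the JMX ObjectName, so the inner
# double quotes have to be escaped within the JSON string value.
build_reload_payload() {
  broker="$1"
  acceptor="$2"
  printf '{"type":"exec","mbean":"org.apache.activemq.artemis:broker=\\"%s\\",component=acceptors,name=\\"%s\\"","operation":"reload"}' \
    "$broker" "$acceptor"
}

# SHA-256 of the keystore file (sha256sum on Linux, shasum elsewhere).
keystore_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

# Returns 0 if the keystore digest differs from the one recorded in the state
# file (and records the new digest); returns 1 if the keystore is unchanged.
keystore_changed() {
  keystore="$1"
  state="$2"
  current=$(keystore_digest "$keystore")
  previous=""
  [ -f "$state" ] && previous=$(cat "$state")
  if [ "$current" = "$previous" ]; then
    return 1
  fi
  printf '%s\n' "$current" > "$state"
  return 0
}

# Pull the numeric "status" field out of a Jolokia JSON response
# (Jolokia reports 200 on success, e.g. 403 for an authentication failure).
jolokia_status() {
  printf '%s' "$1" | sed -n 's/.*"status":\([0-9][0-9]*\).*/\1/p'
}

# Invoke the reload management operation on the acceptor and verify the result.
reload_acceptor() {
  broker="$1"
  acceptor="$2"
  response=$(curl --silent --show-error --user "$JOLOKIA_USER" \
    --header "Content-Type: application/json" --request POST \
    --data "$(build_reload_payload "$broker" "$acceptor")" "$JOLOKIA_URL")
  status=$(jolokia_status "$response")
  if [ "$status" != "200" ]; then
    echo "reload failed: $response" >&2
    return 1
  fi
  echo "acceptor $acceptor reloaded"
}

# Usage: reload-on-change.sh /path/to/server-keystore.p12 [broker] [acceptor]
# Run it from cron at a shorter interval than the certificate rotation so a
# renewed keystore is picked up without restarting the broker.
main() {
  keystore="$1"
  broker="${2:-0.0.0.0}"
  acceptor="${3:-artemis}"
  if keystore_changed "$keystore" "$STATE_FILE"; then
    reload_acceptor "$broker" "$acceptor"
  else
    echo "keystore unchanged, nothing to do"
  fi
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

The checksum check matters because the reload operation is not free: it recreates the acceptor's SSLContext, so triggering it blindly on every cron tick is wasteful, while triggering it only on a real change keeps the broker serving the new certificate within one scheduling interval of the keystore being rewritten. Logging a non-200 Jolokia status to stderr (and exiting non-zero) is what lets cron or a monitoring job notice that a rotation silently failed before the old certificate expires.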