We had stable Spring Boot code; we were configuring Tomcat to use a keystore and truststore to achieve TLS. But when we tried uplifting spring-boot-starter-web from 3.0.13 to 3.2.12, we faced issues with the certificate renewal use case. After debugging, we got to know that the keystore and truststore are getting updated properly through the file monitor listeners in our code, but the Tomcat configuration is not getting changed after using the reloadSslHostConfigs method when certificates are renewed. So this issue started when we were trying to uplift spring-boot-starter-web:jar to 3.2.12. Below are the suspect logs we could see in our logs:
{"version": "1.2.0", "timestamp": "2025-01-07T08:27:46.828Z", "severity": "info", "service_id": "container-registry", "metadata": {"pod_name": "container-registry-registry-c4c5f857c-pctqr", "container_name": "sidecar", "namespace": "ns"}, "message": "Connector [https-jsse-nio-8082], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/nonexistent/.keystore] using alias [tomcat] with trust store [null]"}
{"version": "1.2.0", "timestamp": "2025-01-07T08:27:46.828Z", "severity": "info", "service_id": "container-registry", "metadata": {"pod_name": "container-registry-registry-c4c5f857c-pctqr", "container_name": "sidecar", "namespace": "ns"}, "message": "Reload certificates successfully"}
Here it refers to keystore [/nonexistent/.keystore] and truststore null, but with our previously working code (before uplifting) the logs below were seen:
{"version": "1.2.0", "timestamp": "2025-01-07T08:20:45.738Z", "severity": "info", "service_id": "container-registry", "metadata": {"pod_name": "container-registry-registry-5cf48b6d46-kt468", "container_name": "sidecar", "namespace": "ns"}, "message": "Connector [https-jsse-nio-8082], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [file:/tmp/keystore.p12] using alias [tomcat] with trust store [file:/tmp/trustStore.p12]"}
{"version": "1.2.0", "timestamp": "2025-01-07T08:20:45.739Z", "severity": "info", "service_id": "container-registry", "metadata": {"pod_name": "container-registry-registry-5cf48b6d46-kt468", "container_name": "sidecar", "namespace": "ns"}, "message": "Reload certificates successfully"}
Could you please let me know your insights on what the issue could be?
Below are the code details.
We are also monitoring the certificates for file changes and, once a change is detected, we are updating the keystore and truststore and then reloading the SSLHostConfig using:
import org.apache.coyote.http11.Http11NioProtocol;

// Cast the connector's protocol handler and ask Tomcat to rebuild the SSL contexts of its SSLHostConfigs
final Http11NioProtocol protocol = (Http11NioProtocol) TomcatConfiguration.getConnector().getProtocolHandler();
protocol.reloadSslHostConfigs();
This is how we are setting the keystore and truststore inside the Tomcat configuration:
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;

private void configureSsl(final TomcatServletWebServerFactory tomcat) {
    // Make sure the certificate files exist, then (re)generate both stores from them
    checkTLSCerts();
    keyStoreService.generateKeyStoreWithRetry();
    keyStoreService.generateTrustStoreWithRetry();

    // Hand Spring Boot the store locations; it configures the Tomcat connector from these
    final Ssl ssl = new Ssl();
    ssl.setEnabled(true);
    ssl.setKeyStoreType(KeyStoreService.KEY_STORE_TYPE);
    ssl.setKeyStore(keyStoreConfiguration.getKeyStorePath());
    ssl.setKeyStorePassword(keyStoreConfiguration.getKeyStorePassword());
    ssl.setTrustStore(keyStoreConfiguration.getTrustStorePath());
    // The truststore is opened with the keystore password (both stores share one password)
    ssl.setTrustStorePassword(keyStoreConfiguration.getKeyStorePassword());
    // Mutual TLS: clients must present a certificate trusted by the truststore
    ssl.setClientAuth(Ssl.ClientAuth.NEED);
    tomcat.setSsl(ssl);
}
This code worked fine when we were using spring-boot-starter-web 3.0.13, but when I am doing it with spring-boot-starter-web:jar 3.2.12, it started failing.
Expectation: no issues in certificate renewal.
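An added example, not the poster's code and not part of the original question: since Spring Boot 3.1 the embedded Tomcat is handed KeyStore objects built from the Ssl settings through an SSL bundle rather than the file paths themselves, which is consistent with the [/nonexistent/.keystore] in the 3.2.12 log (Tomcat's default when no keystore file is set on the SSLHostConfig). A bare reloadSslHostConfigs() therefore rebuilds the context from the stores Tomcat already holds and never re-reads the renewed files. Spring Boot 3.2 instead lets you replace a named bundle through SslBundleRegistry.updateBundle, and its Tomcat connector customizer registers a bundle update handler that installs the new stores and reloads the SSLHostConfig. The bundle name, the store paths (taken from the 3.0.13 log lines), the password source and the onStoresRenewed() hook below are assumptions for this example.

```java
// Added example, not the poster's code: serve the certificate from a named SSL
// bundle and replace the bundle when the stores are regenerated. Spring Boot 3.2
// registers a bundle update handler for the Tomcat connector, so the swap
// reconfigures the SSLHostConfig and reloads it without a manual
// reloadSslHostConfigs() call. Bundle name, store paths, password source and
// onStoresRenewed() are assumptions for this example.
package com.example.tls;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslBundleRegistrar;
import org.springframework.boot.ssl.SslBundleRegistry;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;

@Component
public class ReloadableServerSsl
        implements SslBundleRegistrar, WebServerFactoryCustomizer<TomcatServletWebServerFactory> {

    static final String BUNDLE_NAME = "server-tls";               // assumed bundle name
    static final String KEY_ALIAS = "tomcat";                     // alias seen in the question's logs
    static final Path KEY_STORE = Path.of("/tmp/keystore.p12");   // paths from the 3.0.13 log lines
    static final Path TRUST_STORE = Path.of("/tmp/trustStore.p12");

    // Assumed source of the shared store password; the question's code reads it from keyStoreConfiguration
    private final String password = System.getenv("TLS_STORE_PASSWORD");
    private SslBundleRegistry registry;

    /** Load a PKCS12 store from disk; used for both the key store and the trust store. */
    static KeyStore loadPkcs12(Path path, String password) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password.toCharArray());
        }
        return store;
    }

    /** Build a bundle from in-memory stores; one password opens both, as in the question's configureSsl(). */
    static SslBundle buildBundle(KeyStore keyStore, String password, KeyStore trustStore) {
        SslStoreBundle stores = SslStoreBundle.of(keyStore, password, trustStore);
        return SslBundle.of(stores, SslBundleKey.of(password, KEY_ALIAS));
    }

    /** Read whatever is on disk right now and wrap it as a bundle. */
    private SslBundle currentBundle() {
        try {
            return buildBundle(loadPkcs12(KEY_STORE, password), password, loadPkcs12(TRUST_STORE, password));
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot load TLS stores", e);
        }
    }

    /** Called once by Spring Boot while the SslBundleRegistry bean is being created. */
    @Override
    public void registerBundles(SslBundleRegistry registry) {
        this.registry = registry;
        registry.registerBundle(BUNDLE_NAME, currentBundle());
    }

    /** Point Tomcat at the bundle rather than at file paths; mutual TLS stays required. */
    @Override
    public void customize(TomcatServletWebServerFactory tomcat) {
        Ssl ssl = new Ssl();
        ssl.setBundle(BUNDLE_NAME);
        ssl.setClientAuth(Ssl.ClientAuth.NEED);
        tomcat.setSsl(ssl);
    }

    /**
     * Call this from the existing file-change listener after the stores have been
     * rewritten. Spring Boot's update handler for the connector installs the new
     * stores on the SSLHostConfig and reloads it.
     */
    public void onStoresRenewed() {
        registry.updateBundle(BUNDLE_NAME, currentBundle());
    }
}
```

When the stores are plain files like the ones above, the same result is available without code: declare the bundle with spring.ssl.bundle.jks.server-tls.keystore.location, .keystore.password, .keystore.type=PKCS12, the matching .truststore.* properties and spring.ssl.bundle.jks.server-tls.reload-on-update=true, then select it with server.ssl.bundle=server-tls and server.ssl.client-auth=need; Boot then watches the files itself. Either way, verify the swap from the outside rather than from the "Reload certificates successfully" line: run openssl s_client -connect <host>:8082 -showcerts (with a client certificate, since client auth is NEED) after a renewal and check that the served leaf certificate's serial and notAfter are the new ones.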
Original question title: updated keystore and truststore doesn't get picked up by Tomcat while uplifting spring-boot-starter-web from 3.0.13 to 3.2.12