Hot reloading of new certificates without restart

Hi there,

I’m trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running in to the issue of not being able to reload new SSL certificates without restarting the cluster.

I realize this question has been asked before(sort of) in this thread -> , but I’m looking for a way to hot reload new SSL certificates with search-guard-ssl …Currently, we have to restart the node. Is there a way to go about this without restarting the node ? If not, would you recommend I look at a specific file to see what can be change to allow us

I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler

SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get("ssl_server");
SslHandler newSslhandler = UpdateSSLEngine();
if(newEngineNeeded(sslhandler, newSslhandler)) {
    log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
    nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler,"ssl_server", newSslhandler);
    messageReceivedDecorate(request, actualHandler, channel, task);
    return;
}

The newEngineNeeded returns true if new certificates are detected, however, am running in to connection terminations, since the replace add’s the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.

Any ideas on how I can make this is possible ?

Neeraj

Can you describe your use case? Why you need to hot reload new certificates?

We are constantly thinking about this feature but its rarely requested and i am not sure if there is a real use case for that.

···

Am 25.04.2018 um 19:22 schrieb Neeraj Prashar <neeraj.prashar@gmail.com>:

Hi there,

I'm trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running in to the issue of not being able to reload new SSL certificates without restarting the cluster.

I realize this question has been asked before(sort of) in this thread -> , but I'm looking for a way to hot reload new SSL certificates with search-guard-ssl ...Currently, we have to restart the node. Is there a way to go about this without restarting the node ? If not, would you recommend I look at a specific file to see what can be change to allow us

I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler

SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get("ssl_server");
SslHandler newSslhandler = UpdateSSLEngine();
if(newEngineNeeded(sslhandler, newSslhandler)) {
    log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
    nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler,"ssl_server", newSslhandler);
    messageReceivedDecorate(request, actualHandler, channel, task);
    return;
}

The newEngineNeeded returns true if new certificates are detected, however, am running in to connection terminations, since the replace add's the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.

Any ideas on how I can make this is possible ?

Neeraj

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/b97b7238-654c-4a43-9175-ffc382b25cde%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

We have some really big clusters and don’t want to reboot each node after updating the certificate - that’s the reason for asking.

Neeraj

···

On Wednesday, April 25, 2018 at 10:39:36 AM UTC-7, Search Guard wrote:

Can you describe your use case? Why you need to hot reload new certificates?

We are constantly thinking about this feature but its rarely requested and i am not sure if there is a real use case for that.

Am 25.04.2018 um 19:22 schrieb Neeraj Prashar neeraj....@gmail.com:

Hi there,

I’m trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running in to the issue of not being able to reload new SSL certificates without restarting the cluster.

I realize this question has been asked before(sort of) in this thread -> , but I’m looking for a way to hot reload new SSL certificates with search-guard-ssl …Currently, we have to restart the node. Is there a way to go about this without restarting the node ? If not, would you recommend I look at a specific file to see what can be change to allow us

I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler

SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get(“ssl_server”);

SslHandler newSslhandler = UpdateSSLEngine();

if(newEngineNeeded(sslhandler, newSslhandler)) {

log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler,"ssl_server", newSslhandler);
messageReceivedDecorate(request, actualHandler, channel, task);
return;

}

The newEngineNeeded returns true if new certificates are detected, however, am running in to connection terminations, since the replace add’s the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.

Any ideas on how I can make this is possible ?

Neeraj


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/b97b7238-654c-4a43-9175-ffc382b25cde%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

sure, but how frequently do you update the certificates? I guess less frequently than applying updates for ES or SG which forces you anyhow to take down the nodes.

···

Am 25.04.2018 um 21:14 schrieb Neeraj Prashar <neeraj.prashar@gmail.com>:

We have some really big clusters and don't want to reboot each node after updating the certificate - that's the reason for asking.

Neeraj

On Wednesday, April 25, 2018 at 10:39:36 AM UTC-7, Search Guard wrote:
Can you describe your use case? Why you need to hot reload new certificates?

We are constantly thinking about this feature but its rarely requested and i am not sure if there is a real use case for that.

> Am 25.04.2018 um 19:22 schrieb Neeraj Prashar <neeraj....@gmail.com>:
>
> Hi there,
>
> I'm trying to see if we can use search-guard-ssl with our existing elasticsearch cluster, and am running in to the issue of not being able to reload new SSL certificates without restarting the cluster.
>
> I realize this question has been asked before(sort of) in this thread -> , but I'm looking for a way to hot reload new SSL certificates with search-guard-ssl ...Currently, we have to restart the node. Is there a way to go about this without restarting the node ? If not, would you recommend I look at a specific file to see what can be change to allow us
>
> I was trying to prototype a change like the following in the messageReceived function in SearchGuardSSLRequestHandler
>
> SslHandler sslhandler = (SslHandler) nettyChannel.getLowLevelChannel().pipeline().get("ssl_server");
> SslHandler newSslhandler = UpdateSSLEngine();
> if(newEngineNeeded(sslhandler, newSslhandler)) {
> log.debug("Updating SSL Handler for channel ID " + nettyChannel.getLowLevelChannel().id().toString());
> nettyChannel.getLowLevelChannel().pipeline().replace(sslhandler,"ssl_server", newSslhandler);
> messageReceivedDecorate(request, actualHandler, channel, task);
> return;
> }
>
>
>
> The newEngineNeeded returns true if new certificates are detected, however, am running in to connection terminations, since the replace add's the new handler and removes the old one, triggering a close of the connection between the master and whatever else the node was connecting with.
>
> Any ideas on how I can make this is possible ?
>
> Neeraj
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/b97b7238-654c-4a43-9175-ffc382b25cde%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/26469c88-2b3c-4efa-b963-dc89910635f9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.