
[jetty-users] Changing Jetty SSL server certificate on-the-fly

Hi,


We use the ACME protocol with Let’s Encrypt to automatically and programmatically request and generate new server certificates for SSL in conjunction with an embedded Jetty 9 web server (the Jetty server is configured and started with our own code, not a file based configuration). We therefore generate a new KeyStore or can modify the existing KeyStore instance with the new certificate chain.


As such, every 85 days or so, we wish to programmatically either:

1. Change the KeyStore in the SSL configuration for the HTTPS ServerConnector (in SSLContextFactory or the like) if it is possible during runtime (but the existing SSLContext must somehow be refreshed – all this must be done when the ServerConnector is stopped, and we would like to keep it running),
2. Restart the connector, if it is possible after reconfiguration (avoiding potential stops in the SSLServerSocket listener),
3. Remove and stop the existing connector, create the new connector, add it to the server and start it (the connector),
4. Use some kind of dynamic KeyManagerFactory?
5. Subclass SSLContextFactory or something like that…

How should we go about doing it the best way?

Is it even possible to do this without temporarily stopping the SSLServerSocket?


Best regards,

Chris
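The following is an added example, not code from this thread or from the Jetty project, showing the approach closest to option 1 above: keeping the ServerConnector running and swapping the KeyStore through `SslContextFactory.reload(Consumer<SslContextFactory>)`. It assumes Jetty 9.4 (the `reload` method and the `SslContextFactory.Server` subclass exist there; on earlier 9.x releases `reload` is not available and a plain `new SslContextFactory()` would be used). The `RotatingTlsServer` class, its `rotateCertificate` method and the port are hypothetical names chosen for the example; the KeyStore objects are whatever the ACME client produced.

```java
import java.security.KeyStore;
import java.util.function.Consumer;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Hypothetical wrapper (not part of Jetty): keeps a handle on the SslContextFactory
 * so the certificate chain can be replaced later without touching the connector.
 */
public final class RotatingTlsServer {
    private final Server server = new Server();
    private final SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();

    public RotatingTlsServer(KeyStore initialKeyStore, String keyStorePassword, int httpsPort) {
        // An in-memory KeyStore instead of a keystore path; the password is still
        // required so the factory can unlock the private key entry.
        sslContextFactory.setKeyStore(initialKeyStore);
        sslContextFactory.setKeyStorePassword(keyStorePassword);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // One HTTPS connector: TLS first, then HTTP/1.1 on the decrypted stream.
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(httpsPort);
        server.addConnector(https);
    }

    public void start() throws Exception {
        server.start();
    }

    public void stop() throws Exception {
        server.stop();
    }

    /**
     * Swap in the renewed certificate chain while the connector keeps listening.
     * reload() applies the consumer to the factory and then rebuilds the SSLContext
     * under the factory's own lock, so the SSLServerSocket is never closed.
     * Handshakes started after this call see the new chain; connections that are
     * already established keep the old one until they close.
     */
    public void rotateCertificate(KeyStore renewedKeyStore, String keyStorePassword) throws Exception {
        Consumer<SslContextFactory> applyRenewedStore = scf -> {
            scf.setKeyStore(renewedKeyStore);
            scf.setKeyStorePassword(keyStorePassword);
        };
        sslContextFactory.reload(applyRenewedStore);
    }
}
```

Usage: construct the server with the current KeyStore, call `start()`, and after each ACME renewal call `rotateCertificate(newKeyStore, password)` from the renewal job. A simple check that the rotation took effect without a restart is to record the serial number or notAfter date that `openssl s_client -connect host:port -servername host` reports before the call and compare it with what a fresh connection reports afterwards, while an idle connection opened before the call stays open. Because `reload()` fails if the new KeyStore cannot be loaded (for example a wrong password or a chain without a matching private key), it is worth validating the renewed KeyStore against the expected alias before calling it, so a bad renewal leaves the old, still-valid certificate in place.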

