With LetsEncrypt providing short-duration certificates, it is useful to be able to hot-reload the keystore using the sslContextFactory.reload method. ( See #918 )
However, in non-embedded situations (i.e. Jetty started using java start.jar), it requires the creation of a custom module and a jar file that will include the fairly straightforward code that will trigger the reload.
Please consider automatically reloading the keystore, or providing an option in ssl.ini to do so.
In embedded Jetty, that would be done like this:
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore");
FileWatcher.onFileChange(Paths.get(URI.create(sslContextFactory.getKeyStorePath())), () ->
sslContextFactory.reload(scf -> log.info("Reloaded keystore")));
(The FileWatcher source is here: https://gist.github.com/danielflower/f54c2fe42d32356301c68860a4ab21ed)
We should:
Scanner to track the PEM files / KeyStore filesSslContexFactorySslContextFactory itselfFTR, we decided that #1826 is orthogonal and more complicated to implement, so for now we only "watch" $JETTY_BASE/etc/keystore and reload SslContextFactory if it changes.
PR #5042 adds the ssl-reload module, this will be available from jetty-9.4.31