Reloading SSL Certificates Without Restarting the Node

When the SSL certificate on a node is about to expire it must be replaced with a newer one. This can be done by using the SSL_RELOAD command which enables replacing the SSL certificate without restarting the node. This allows the cluster to run uninterrupted during SSL certificate reloading.

SSL_RELOAD

This command performs the action on the node where it is executed. It reads  the values of ssl_key, ssl_cert, ssl_ca and ssl_capath from the config file and tries to initialize new SSL contexts. If successful, new contexts are used, else the existing SSL contexts remain as-is. This command requires the SUPER privilege and is node local.

When updating the key and certificate it is recommended to give files new names different from existing rather than overwrite existing key and/or certificate files.

Existing connections are not affected by the reload.

If all SUPER users require SSL to connect and the server certificate expires, the only way to update the key and/or certificate is to restart the node as SSL_RELOAD requires the client to connect. If a connection exists that was created when the certificate was valid, it will continue to function.

Scenarios that require node restart:

  • ssl_key and ssl_cert were not specified before reload and are specified on reload.

  • ssl_key and ssl_cert were specified before reload and are not specified on reload.

  • ssl_ca and ssl_capath were not specified before reload and are specified on reload.

  • ssl_ca and/or ssl_capath were specified before reload and none are specified on reload.

For information about reloads refer the variables: ssl_last_reload_attempt_time and ssl_last_successful_reload_time