Reloading SSL Certificates Without Restarting the Node
When the SSL certificate on a node is about to expire, it must be replaced with a newer one. This can be done with the SSL_RELOAD command, which replaces the SSL certificate without restarting the node. This allows the cluster to run uninterrupted during SSL certificate reloading.
SSL_RELOAD
This command performs the action on the node where it is executed. It reads the values of ssl_key, ssl_cert, ssl_ca and ssl_capath from the config file and tries to initialize new SSL contexts. If initialization succeeds, the new contexts are used; otherwise the existing SSL contexts remain as-is. This command requires the SUPER privilege and is node local.
When updating the key and certificate, it is recommended to give the new files names different from the existing ones rather than overwrite the existing key and/or certificate files.
Existing connections are not affected by the reload.
If all SUPER users require SSL to connect and the server certificate expires, the only way to update the key and/or certificate is to restart the node, as SSL_RELOAD requires the client to connect. If a connection exists that was created when the certificate was valid, it will continue to function.
Scenarios that require node restart:
ssl_key and ssl_cert were not specified before reload and are specified on reload.
ssl_key and ssl_cert were specified before reload and are not specified on reload.
ssl_ca and ssl_capath were not specified before reload and are specified on reload.
ssl_ca and/or ssl_capath were specified before reload and none are specified on reload.
For information about reloads, refer to the variables ssl_last_reload_attempt_time and ssl_last_successful_reload_time.
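The restart scenarios and the file-naming recommendation above can be checked before a certificate rotation. The following is an added example, not code from the product or its documentation. The function names and the dict-based input are hypothetical. It assumes that "specified" means a non-empty value, and that the ssl_ca/ssl_capath scenarios apply only when CA configuration appears or disappears entirely.

```python
# Added example: pre-flight check for a planned SSL_RELOAD.
# Assumption: settings are passed as plain dicts; reading the node's config file is left to the caller.

def _is_set(cfg, name):
    """A setting counts as specified only if it has a non-empty value."""
    return bool((cfg.get(name) or "").strip())


def plan_reload(before, after):
    """Return (action, notes) where action is 'SSL_RELOAD' or 'RESTART'."""
    notes = []
    # Scenarios 1 and 2: the key/certificate pair appears or disappears.
    had_pair = _is_set(before, "ssl_key") and _is_set(before, "ssl_cert")
    has_pair = _is_set(after, "ssl_key") and _is_set(after, "ssl_cert")
    if had_pair != has_pair:
        notes.append("ssl_key/ssl_cert " + ("added" if has_pair else "removed"))
    # Scenarios 3 and 4: CA settings (ssl_ca and/or ssl_capath) appear or disappear.
    had_ca = _is_set(before, "ssl_ca") or _is_set(before, "ssl_capath")
    has_ca = _is_set(after, "ssl_ca") or _is_set(after, "ssl_capath")
    if had_ca != has_ca:
        notes.append("ssl_ca/ssl_capath " + ("added" if has_ca else "removed"))
    action = "RESTART" if notes else "SSL_RELOAD"
    # Recommendation: new key/certificate files should get new names.
    for name in ("ssl_key", "ssl_cert"):
        if _is_set(after, name) and before.get(name) == after.get(name):
            notes.append(f"{name} path unchanged: prefer a new file name over overwriting")
    return action, notes


if __name__ == "__main__":
    # Constructed sample settings; the paths are illustrative only.
    current = {"ssl_key": "/etc/tls/node-old.key",
               "ssl_cert": "/etc/tls/node-old.pem",
               "ssl_ca": "/etc/tls/ca.pem"}
    planned = {"ssl_key": "/etc/tls/node-new.key",
               "ssl_cert": "/etc/tls/node-new.pem",
               "ssl_ca": "/etc/tls/ca.pem"}
    print(plan_reload(current, planned))
```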