Axon 2024.2.6 SSL auto reload

Hi,

I’m testing automatic certificate reloading, but it doesn’t seem to be working. My SSL setup is running correctly, and when I update cert.pem, key.pem, and keystore.p12, Axon Server (Community Edition) reloads the gRPC certificate on 8024 but does not reload the Tomcat certificate from the updated keystore.p12.

Is there a reason why this might not be working? I don’t see any specific configuration required for cert reloading, so I’m kind of stuck.

Any ideas?

Could you share the properties you’ve used in axonserver.properties to enable SSL?

I enabled these 2:

axoniq.axonserver.ssl.enabled=true
axoniq.axonserver.ssl.cert-chain-file=/opt/vault/axon_server/axon_server_cert.pem
axoniq.axonserver.ssl.private-key-file=/opt/vault/axon_server/axon_server_pkey.pem

security.require-ssl=true
server.ssl.key-store=/opt/axon_server/keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=xxxxxxxx
server.ssl.key-alias=axon-keystore

What I do is use Vault Agent to update the new .pem files; then, in the Vault Agent template, I use a command to regenerate the keystore.p12 file.

Did I understand correctly that the AxonServer certificates reload correctly, but the certificate for the UI (port 8024) does not?

For hot reload on the Tomcat side, you can use the spring.ssl.bundle.pem configuration option described here: https://spring.io/blog/2023/11/07/ssl-hot-reload-in-spring-boot-3-2-0

Basically, you provide a named TLS configuration, called a bundle. These allow configuration of hot reloads.

spring.ssl.bundle.pem:
  demo:
    reload-on-update: true
    keystore:    
      certificate: "certs/demo.crt"
      private-key: "certs/demo.key"

Then you tell Tomcat to use that bundle:

server.ssl.bundle: "demo"

The example uses a key and cert file. It’s probably also possible to configure a PKCS12 file.
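The PKCS12 variant mentioned above, written for axonserver.properties as an added example that is not part of the original thread. The bundle name `axon-ui` is an assumption; the keystore path, type and alias are the ones from the question, and the password is a placeholder.

```properties
# Added example, not from the thread: the existing PKCS12 keystore
# exposed as a reloadable Spring Boot SSL bundle.
# "axon-ui" is an assumed bundle name; any name works if both places match.
spring.ssl.bundle.jks.axon-ui.reload-on-update=true
spring.ssl.bundle.jks.axon-ui.keystore.location=/opt/axon_server/keystore.p12
spring.ssl.bundle.jks.axon-ui.keystore.type=PKCS12
spring.ssl.bundle.jks.axon-ui.keystore.password=xxxxxxxx
spring.ssl.bundle.jks.axon-ui.key.alias=axon-keystore

# Tomcat takes its certificate from the bundle. This line stands in for the
# server.ssl.key-store, key-store-type, key-store-password and key-alias lines.
server.ssl.bundle=axon-ui
```

The `axoniq.axonserver.ssl.*` lines stay as they are.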

Hi Allard, thank you very much for your help (I’m not a Java guy, therefore Tomcat is a mystery for me :sweat_smile:). That helped a lot and the auto-reloads are working now.

Have a great day