Software Heritage

The kafka service doesn't reload when its TLS certificates are renewed
Open, High, Public

Description

We use Let's Encrypt certs for the kafka clusters. These certs have a short expiry period, so we need to update them regularly.

The automatic updates happen (30 days before expiry) but the kafka service must be notified that the update happened. Apparently, it currently doesn't.

Event Timeline

olasd triaged this task as High priority. Aug 27 2020, 12:28 PM
olasd created this task.
olasd added a comment. Fri, Sep 11, 2:33 PM

kafka can reload its keystore dynamically.

For each listener with TLS enabled, you need to call the following command:

/opt/kafka/bin/kafka-configs.sh --bootstrap-server {broker_address} \
    --entity-name {broker_id} --entity-type brokers \
    --add-config listener.name.{listener_name}.ssl.keystore.location={keystore_location} \
    --alter

This makes the listener reload the key from the keystore.
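As an added example (not code from the task or from Software Heritage's infrastructure), a certbot deploy hook that applies this per-listener reload after every renewal: it rebuilds the broker keystore as PKCS12 from the renewed PEM files, then re-sets the keystore path on each TLS listener with the kafka-configs.sh call above. The broker id, bootstrap address, listener names, keystore path and password are assumed values.

```shell
#!/bin/sh
# Constructed example (not Software Heritage's own code): certbot deploy hook that
# rebuilds the broker keystore from the renewed Let's Encrypt certificate, then
# runs the task's kafka-configs.sh reload on every TLS listener. Assumed values:
KAFKA_CONFIGS=${KAFKA_CONFIGS:-/opt/kafka/bin/kafka-configs.sh}
BOOTSTRAP=${KAFKA_BOOTSTRAP:-broker1.example.org:9093}
BROKER_ID=${KAFKA_BROKER_ID:-1}
KEYSTORE=${KAFKA_KEYSTORE:-/etc/kafka/ssl/broker.keystore.p12}
KEYSTORE_PASS=${KAFKA_KEYSTORE_PASS:-changeit}
TLS_LISTENERS=${KAFKA_TLS_LISTENERS:-"INTERNAL EXTERNAL"}
CLIENT_CONFIG=${KAFKA_CLIENT_CONFIG:-}  # optional client ssl.*/sasl.* properties

# Dynamic config key whose re-assignment makes a listener re-read its keystore.
keystore_key() {
    printf 'listener.name.%s.ssl.keystore.location' "$1"
}

# Rebuild the PKCS12 keystore from the PEM files in certbot's $RENEWED_LINEAGE
# (the broker must be configured with ssl.keystore.type=PKCS12 for this store).
rebuild_keystore() {
    openssl pkcs12 -export -name kafka -in "$RENEWED_LINEAGE/fullchain.pem" \
        -inkey "$RENEWED_LINEAGE/privkey.pem" -out "$KEYSTORE.tmp" \
        -passout "pass:$KEYSTORE_PASS" || return 1
    chmod 0640 "$KEYSTORE.tmp" && mv "$KEYSTORE.tmp" "$KEYSTORE"
}

# Re-set the unchanged keystore path on one listener: that is the reload trigger.
reload_listener() {
    listener=$1
    set -- --bootstrap-server "$BOOTSTRAP" --entity-type brokers \
        --entity-name "$BROKER_ID" --alter \
        --add-config "$(keystore_key "$listener")=$KEYSTORE"
    if [ -n "$CLIENT_CONFIG" ]; then set -- "$@" --command-config "$CLIENT_CONFIG"; fi
    "$KAFKA_CONFIGS" "$@"
}

# Reload every TLS listener; returns the number of failed reloads so certbot
# reports a failing hook instead of silently leaving a stale keystore in use.
reload_all() {
    failed=0
    for l in $TLS_LISTENERS; do
        if reload_listener "$l"; then
            echo "keystore reloaded on listener $l"
        else
            echo "keystore reload FAILED on listener $l" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# certbot exports RENEWED_LINEAGE to deploy hooks; do nothing when run otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then rebuild_keystore && reload_all; fi
```

Install it as a certbot deploy hook (for example via `--deploy-hook` or `renewal-hooks/deploy/`), with a client properties file in KAFKA_CLIENT_CONFIG when the bootstrap listener itself requires TLS or SASL.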