The certs are only valid for 24 hours and are reloaded every 12 hours. Say a service tries to establish a connection at t = t0. This will succeed. However, when the same service tries to establish another connection at t = t0 + 13hr, it will fail because the pipeline is still running with the older cert (and not the new one which has been reloaded at the configured location).
How do I configure Logstash to reload when the certs are updated? One way would be to restart Logstash when the certs are reloaded but that doesn't sound like the best way to handle this.
I haven't tested it, but I would expect that reloading the configuration would be enough to pick up the new certificate when the input is restarted. So just touching the Logstash configuration when installing the new certificate might do it.
I was interested to see that Elasticsearch (but not Logstash) supports hot reload of certificates. It has a thread that monitors the cert files and triggers a reload of them whenever they change. I was trying to track the history of this code in GitHub to find when it was added and lost track about 8 years back. It may have been in X-Pack since the very early days.
Ahh, yes, this works, so configuring auto reload for Logstash and changing the file would trigger the pipeline to be stopped and restarted without the need to restart the entire instance.
Yes, I believe that would work (modifying the config file) and is better than restarting the Logstash service. Ideally we could make Logstash watch for the cert files themselves and reload on any change.
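One way to script the "change the config when the cert is renewed" approach from this thread, as an added example that is not from any of the posts or from Logstash itself. It assumes automatic config reload is enabled and, as a further assumption, that the reload check compares config content, so it rewrites a marker comment instead of relying on a bare `touch`; `MARKER`, the file names and the temporary-file suffix are hypothetical, and the `path.config` glob is assumed not to match `*.tmp.*`.

```shell
#!/bin/sh
# Added example, not Logstash code. MARKER and all paths are hypothetical.
MARKER='# cert-sha256:'

# sync_cert_marker CERT CONF
# Prints "changed" if the config was rewritten, "unchanged" otherwise.
sync_cert_marker() {
    cert=$1
    conf=$2
    if [ ! -r "$cert" ] || [ ! -f "$conf" ]; then
        echo "missing cert or config" >&2
        return 2
    fi
    new=$(sha256sum "$cert" | cut -d' ' -f1)
    old=$(sed -n "s/^$MARKER \([0-9a-f]*\)\$/\1/p" "$conf" | head -n 1)
    if [ "$new" = "$old" ]; then
        echo unchanged
        return 0
    fi
    # Build the new config beside the old one and rename it into place, so
    # Logstash never reads a half-written file. cp -p keeps the file mode.
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$tmp" || return 2
    { grep -v "^$MARKER " "$conf" || true; echo "$MARKER $new"; } > "$tmp"
    mv "$tmp" "$conf"
    echo changed
}

if [ "$#" -eq 2 ]; then
    # Real use, e.g. from the job that installs the renewed certificate.
    sync_cert_marker "$1" "$2"
else
    # Demo on constructed files in a temporary directory.
    dir=$(mktemp -d)
    printf 'constructed certificate v1\n' > "$dir/tls.crt"
    printf 'input { beats { port => 5044 } }\n' > "$dir/beats.conf"
    sync_cert_marker "$dir/tls.crt" "$dir/beats.conf"   # first run
    sync_cert_marker "$dir/tls.crt" "$dir/beats.conf"   # same cert
    printf 'constructed certificate v2\n' > "$dir/tls.crt"
    sync_cert_marker "$dir/tls.crt" "$dir/beats.conf"   # renewed cert
    rm -rf "$dir"
fi
```

Run it from the same job that installs the renewed certificate; an unchanged certificate leaves the config untouched, so the pipeline restarts only on an actual renewal.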