[ https://issues.apache.org/jira/browse/LOG4J2-2988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17259048#comment-17259048 ]
Matt Sicker commented on LOG4J2-2988:
-------------------------------------

Having the ability to reload keys could also potentially be useful for one of the Flume appenders and any other key sources for configurations, though not a strict requirement for addressing this specific issue. I think the tricky part here is defining an appropriate key management API, though something as simple as reloading the KeyStore might be sufficient (though I'm not a big fan of KeyStore in general, it works well enough here for TLS certificates).

> SocketAppender is not able to reload key and certs
> --------------------------------------------------
>
> Key: LOG4J2-2988
> URL: https://issues.apache.org/jira/browse/LOG4J2-2988
> Project: Log4j 2
> Issue Type: Bug
> Components: Appenders
> Affects Versions: 2.13.3
> Environment: java version, 11.0.9+11
> Log4j2 2.13.3
> Reporter: Yi
> Priority: Major
>
> Hi,
> We try to use log4j2 with SocketAppender and SSL configuration to stream our
> logs to a dedicated server side. We use mTLS to establish a TLS connection
> between the Log4j2 and the log server. In other words, there are a client key
> pair and certificate. In our environment, our client certificate is short
> lived and the client key and certificate are automatically renewed
> periodically. And the client credentials are provided within a jks file.
> However, we discovered that Log4j2 is not able to reload the key
> and certificate once they are renewed, either with an update of the current
> jks file, or by switching to another jks file.
> We have tried to set monitor-interval in the Configuration part, periodically
> modify the log4j2 configuration file (e.g., update keystore file path, update
> appender name etc.), and even invoke reconfiguration in our code, but
> unfortunately the key and certificate are not reloaded correctly.
> We understand Log4j2 SslSocketManager and its parent TcpSocketManager
> basically keep a long-lived connection with the server and do not start a
> new connection if the current one works fine. We observe the problem that
> once the server tears down the connection, Log4j2 is not able to re-establish a
> connection due to the outdated client certificate.
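The comment above suggests that simply reloading the KeyStore may be enough for the short-lived mTLS client certificate case the reporter describes. The following is an added example, not Log4j code and not part of the Jira thread: a `KeyManager` that re-reads a JKS file whenever its modification time changes, so a renewed client key pair is used at the next TLS handshake (for instance, when the client reconnects after the server tears the connection down). The keystore path, passwords and the `buildContext` helper are assumptions for illustration; a failed reload keeps serving the last good keystore rather than leaving the client with no identity.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

// Example only (assumed design, not Log4j's SslSocketManager): delegates every
// key lookup to a KeyManager built from the JKS file on disk, rebuilding that
// delegate when the file's mtime changes. Rotation is therefore picked up at
// the next handshake without recreating the SSLContext.
public final class ReloadingKeyManager extends X509ExtendedKeyManager {
    private final Path keyStorePath;   // assumed: path to the client JKS file
    private final char[] password;     // assumed: keystore and key password
    private volatile X509ExtendedKeyManager delegate;
    private volatile long loadedMtime = -1L;

    public ReloadingKeyManager(Path keyStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        this.keyStorePath = keyStorePath;
        this.password = password.clone();
        reloadIfChanged(); // fail fast if the initial keystore is unusable
    }

    // Reload only when the file is newer than the keystore currently held.
    private synchronized void reloadIfChanged() throws IOException, GeneralSecurityException {
        long mtime = Files.getLastModifiedTime(keyStorePath).toMillis();
        if (delegate != null && mtime == loadedMtime) {
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                delegate = (X509ExtendedKeyManager) km; // swap atomically
                loadedMtime = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedKeyManager for " + keyStorePath);
    }

    // Check the file before each lookup; on failure keep the previous keys.
    private X509ExtendedKeyManager current() {
        try {
            reloadIfChanged();
        } catch (IOException | GeneralSecurityException e) {
            // A half-written or unreadable file must not drop the working identity;
            // a real application would log this so operators notice the failed rotation.
        }
        return delegate;
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return current().chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return current().chooseEngineClientAlias(keyType, issuers, engine);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return current().chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return current().chooseEngineServerAlias(keyType, issuers, engine);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return current().getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return current().getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return current().getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return current().getPrivateKey(alias);
    }

    // Assumed helper: an SSLContext whose client identity follows the keystore file.
    public static SSLContext buildContext(Path keyStore, char[] keyPass, Path trustStore, char[] trustPass)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new ReloadingKeyManager(keyStore, keyPass) }, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Two caveats match the behaviour the reporter observed: a reloaded key manager only affects new handshakes, so an existing long-lived socket keeps its old session until it is closed and reconnected, and renewal tooling should write the new JKS file atomically (write to a temp file, then rename) so a lookup never sees a truncated keystore. The same reload-on-mtime approach applies to the truststore if server certificates are also rotated.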