Hi Sam,

I never tested this, but I know about a feature already present since 3.5.5 / 3.6.0 about refreshing the keystore file content automatically. See: https://issues.apache.org/jira/browse/ZOOKEEPER-3174, https://github.com/apache/zookeeper/pull/680

This needs to be enabled by the "sslQuorumReloadCertFiles". I'm not exactly sure if this also affects the SSL encryption on the server-client communication. (Also: in my case at least I usually use Kerberos for authentication, so I avoid using client authentication with SSL by configuring ssl.clientAuth=none, so maybe it would be less important for me to reload the truststore for the client SSL.)

Regards,
Mate

On Fri, Mar 25, 2022 at 7:40 PM Sam Lee <[email protected]> wrote:

> In my zoo.cfg file, I have enabled SSL both for quorum communication and
> client connections:
>
> sslQuorum=true
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> ssl.quorum.keyStore.location=/path/to/keystore.jks
> ssl.quorum.keyStore.password=mypassword
> ssl.quorum.trustStore.location=/path/to/truststore.jks
> ssl.quorum.trustStore.password=mypassword
>
> ssl.keyStore.location=/path/to/keystore.jks
> ssl.keyStore.password=mypassword
> ssl.trustStore.location=/path/to/truststore.jks
> ssl.trustStore.password=mypassword
>
> If I subsequently edit the contents of the keystore or the truststore
> file, do I need to restart ZooKeeper for the change to take effect?
>
> (Apache ZooKeeper version 3.6.3)
