Springboot version 3.3.9

I have configured a springboot application to use SSL bundles and enabled the hot reload functionality as below:

1. application.properties

#ssl bundle config
spring.ssl.bundle.pem.server.reload-on-update=true
spring.ssl.bundle.pem.server.keystore.certificate=file:/secret/tls.crt
spring.ssl.bundle.pem.server.keystore.private-key=file:/secret/tls.key
spring.ssl.bundle.pem.server.truststore.certificate=file:/secret/ca.crt
server.ssl.bundle=server 

2. Certificates are generated by certmanager and stored as kubernetes secrets which are then mounted into the application pods at the volume paths below:

volumeMounts:
  - mountPath: /secret
    name: volume-secret
    readOnly: true 
volumes:
  - name: volume-secret
    projected:
      defaultMode: 420
      sources:
      - secret:
          name: secret-tls-springboot-app

Observation:

1. On start up, the cert manager provisions the certs and they are mounted on the pod at /secrets and the application starts up just fine.
2. When the certificate is auto renewed by the cert manager first time the springboot SSL hot reload functionality picks up the latest changes to the certs:

{"@timestamp":"2025-03-18T16:47:19.008+00:00","classname":".springframework.boot.web.embedded.tomcat.SslConnectorCustomizer","method":"update","file":"SslConnectorCustomizer.java","line":63,"thread":"ssl-bundle-watcher","level":"DEBUG","component":"springboot-app","message":"SSL Bundle for host _default_ has been updated, reloading SSL configuration","exception":""}
{"@timestamp":"2025-03-18T16:47:19.156+00:00","classname":".apache.juli.logging.DirectJDKLog","method":"log","file":"DirectJDKLog.java","line":173,"thread":"ssl-bundle-watcher","level":"INFO","component":"springboot-app","message":"Connector [https-jsse-nio-8443], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/opt/dockeruser/.keystore] using alias [tomcat] with trust store [null]","exception":""}`

3. When the certificate is auto renewed by the cert manager for a second time, the springboot hot reload functionality does not pick up the changes and application still refers to old certificates. No logs are printed and the ssl-bundle-watcher does not seem to be triggered.

Question:

Why would the SSL hot reload functionality pick up the first change to the cert files but not pick up the second one?

Springboot version 3.3.9

I have configured a springboot application to use SSL bundles and enabled the hot reload functionality as below:

1. application.properties

#ssl bundle config
spring.ssl.bundle.pem.server.reload-on-update=true
spring.ssl.bundle.pem.server.keystore.certificate=file:/secret/tls.crt
spring.ssl.bundle.pem.server.keystore.private-key=file:/secret/tls.key
spring.ssl.bundle.pem.server.truststore.certificate=file:/secret/ca.crt
server.ssl.bundle=server 

2. Certificates are generated by certmanager and stored as kubernetes secrets which are then mounted into the application pods at the volume paths below:

volumeMounts:
  - mountPath: /secret
    name: volume-secret
    readOnly: true 
volumes:
  - name: volume-secret
    projected:
      defaultMode: 420
      sources:
      - secret:
          name: secret-tls-springboot-app

Observation:

1. On start up, the cert manager provisions the certs and they are mounted on the pod at /secrets and the application starts up just fine.
2. When the certificate is auto renewed by the cert manager first time the springboot SSL hot reload functionality picks up the latest changes to the certs:

{"@timestamp":"2025-03-18T16:47:19.008+00:00","classname":".springframework.boot.web.embedded.tomcat.SslConnectorCustomizer","method":"update","file":"SslConnectorCustomizer.java","line":63,"thread":"ssl-bundle-watcher","level":"DEBUG","component":"springboot-app","message":"SSL Bundle for host _default_ has been updated, reloading SSL configuration","exception":""}
{"@timestamp":"2025-03-18T16:47:19.156+00:00","classname":".apache.juli.logging.DirectJDKLog","method":"log","file":"DirectJDKLog.java","line":173,"thread":"ssl-bundle-watcher","level":"INFO","component":"springboot-app","message":"Connector [https-jsse-nio-8443], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/opt/dockeruser/.keystore] using alias [tomcat] with trust store [null]","exception":""}`

3. When the certificate is auto renewed by the cert manager for a second time, the springboot hot reload functionality does not pick up the changes and application still refers to old certificates. No logs are printed and the ssl-bundle-watcher does not seem to be triggered.

Question:

Why would the SSL hot reload functionality pick up the first change to the cert files but not pick up the second one?

• spring-boot

1 Answer 1

This issue is raised in Springboot Github and should be fixed in the future version SSL config does not watch for symlink file changes · Issue #44807 · spring-projects/spring-boot