Posted to solr-user@lucene.apache.org by Jamie Gruener <ja...@biospatial.io> on 2019/07/11 21:13:09 UTC

SSL certificate automated rotation/renewal?

Folks,

I've done plenty of searching, but haven't found anything addressing this issue. I have an existing SolrCloud 3-server cluster in production. We need to enable SSL/TLS encryption, both for clients and between the 3 servers. I've read through the documentation, and while I've not done it yet, it all makes sense.

Related, we're also using Consul and working up the infrastructure to use Consul Connect with sidecar proxies for client-to-service end-to-end TLS encryption. That's great because it automatically handles SSL/TLS certificate rotation without any manual interaction. But that doesn't help me with the intra-cluster SolrCloud communication.

So here's my question. How do folks handle SSL/TLS certificate rotation on SolrCloud instances in production? Update the certificate and restart Solr on each box, one at a time? Just use extra long-lasting certificates? Or is there another way, like using an external truststore/keystore in Vault? I'm assuming that wouldn't work because you have to restart Solr to get the new cert, but maybe there's something I don't know?

Any thoughts welcome,

--Jamie