Logstash automatic TLS Certificates reload #18892

@kaisecheng

Background

Today, Logstash does not detect certificate changes at runtime. When a certificate is renewed on disk, Logstash needs to be restarted to pick up the new certificate, causing downtime.

This issue tracks the work to make Logstash automatically detect and reload TLS certificates without a restart.


Scope

✅ Supported

| Component | Behaviour |
| --- | --- |
| Pipeline plugins (input / filter / output) | Pipelines that use SSL config keys (ssl_certificate, ssl_key, ssl_certificate_authorities, ssl_keystore_path, ssl_truststore_path) are automatically reloaded (pipelines restart) when any of their tracked cert files change on disk. |
| Central Pipeline Management (CPM) | The Elasticsearch client used to fetch pipeline configs is recreated when its TLS certs change. |
| X-Pack monitoring | The monitoring Elasticsearch client is rebuilt on cert rotation. |

❌ Not Supported

  • Logstash API (api.ssl.*) : Users who rotate the API server certificate must restart Logstash.

What Users Can Expect

Once this feature ships, with auto reload enabled (config.reload.automatic: true), operators can rotate TLS certificates on disk and Logstash will:

  1. Detect the change automatically. No configuration changes required. Logstash automatically discovers all SSL-related file paths declared in pipeline configs and registers them for monitoring.
  2. Reload without a full restart. Affected pipelines are reloaded; unrelated pipelines continue processing without interruption.
  3. Reconnect internal clients. CPM and monitoring clients are transparently rebuilt with the new certificate material.
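
For operators who want to see ahead of a rotation which pipelines a given certificate file touches, the following is an added example and not Logstash's implementation. It assumes a simplified regex scan of the pipeline config text (commented-out settings are not skipped) and SHA-256 content comparison as the change signal; the function names, file names and sample pipelines are hypothetical.

```ruby
require "digest"
require "tmpdir"

# SSL config keys named in the issue as tracked for reload.
SSL_KEYS = %w[ssl_certificate ssl_key ssl_certificate_authorities
              ssl_keystore_path ssl_truststore_path].freeze

# Return the file paths assigned to any tracked SSL key in a pipeline config.
# Handles `key => "path"` and `key => ["a", "b"]` (simplified, not a full parser).
def ssl_paths(config_text)
  pattern = /\b(?:#{SSL_KEYS.join("|")})\s*=>\s*(\[[^\]]*\]|"[^"]*"|'[^']*')/
  config_text.scan(pattern).flat_map { |(value)| value.scan(/["']([^"']+)["']/).flatten }.uniq
end

# Map each pipeline id to { path => sha256 } (nil when the file is missing).
def snapshot(pipelines)
  pipelines.transform_values do |config_text|
    ssl_paths(config_text).to_h do |path|
      [path, File.file?(path) ? Digest::SHA256.file(path).hexdigest : nil]
    end
  end
end

# Pipeline ids whose tracked files differ between two snapshots.
def changed_pipelines(before, after)
  after.select { |id, files| files != before[id] }.keys
end

# Constructed demo: two pipelines, rotate only the cert used by "beats-in".
def demo
  Dir.mktmpdir do |dir|
    cert, key, ca = %w[server.crt server.key ca.pem].map { |n| File.join(dir, n) }
    [cert, key, ca].each { |p| File.write(p, "constructed placeholder v1") }
    pipelines = {
      "beats-in" => %(input { beats { port => 5044 ssl_certificate => "#{cert}" ssl_key => "#{key}" } }),
      "es-out"   => %(output { elasticsearch { ssl_certificate_authorities => ["#{ca}"] } }),
    }
    before = snapshot(pipelines)
    File.write(cert, "constructed placeholder v2") # simulate renewal on disk
    changed_pipelines(before, snapshot(pipelines))
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the pipeline whose tracked file changed is reported, which mirrors the expectation above that unrelated pipelines keep processing.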
