[ISSUE #8920] Refactor SSL context loading process to support multiple protocols dynamic loading (#9483)

* feat(proxy): 添加 gRPC 和 Remoting 服务器的 TLS 证书热更新支持

- 在 GrpcServer 和 RemotingProtocolServer 中添加文件监视服务，用于监控 TLS 证书和密钥的变化
- 实现证书和密钥变更时重新加载 SSL 上下文的逻辑
- 优化 ProxyAndTlsProtocolNegotiator 中的 SSL 上下文加载过程
- 添加日志记录，方便调试和监控 TLS 相关操作

* refactor(proxy): 重构 gRPC 证书监控逻辑并添加单元测试

- 重构 GrpcServer 中的证书监控逻辑，提取到独立的 GrpcCertKeyFileWatchListener 类中
- 优化证书变更处理流程，提高代码可读性和维护性
- 新增 GrpcServerTest 类，为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景，包括单独变更和组合变更
- 验证了证书变更时 SSLContext 的重新加载和错误处理

Signed-off-by: Async <raisinata@foxmail.com>

* refactor(proxy): 重构 gRPC 证书监控逻辑并添加单元测试

- 重构 GrpcServer 中的证书监控逻辑，提取到独立的 GrpcCertKeyFileWatchListener 类中
- 优化证书变更处理流程，提高代码可读性和维护性
- 新增 GrpcServerTest 类，为 gRPC服务器和证书监控添加单元测试- 测试覆盖了各种证书变更场景，包括单独变更和组合变更
- 验证了证书变更时 SSLContext 的重新加载和错误处理

Signed-off-by: Async <raisinata@foxmail.com>

* fix: code format

Signed-off-by: Async <raisinata@foxmail.com>

* test: add test cases

Signed-off-by: Async <raisinata@foxmail.com>

* fix: code format

Signed-off-by: Async <raisinata@foxmail.com>

* refactor(proxy): 重构 TLS证书更新逻辑

- 移除 FileWatchService，改用 TlsCertificateManager 统一管理 TLS证书
- 实现 TlsContextReloadListener 接口，响应 TLS 证书更新
- 优化 GrpcServer 和 RemotingProtocolServer 中的 TLS 证书更新逻辑
- 新增单元测试验证 TLS 证书更新功能

Signed-off-by: Async <raisinata@foxmail.com>

* test(proxy): 优化 TLS 相关测试用例

- 重构了多个测试类中的重复代码- 提高了测试的可读性和维护性
- 确保在测试中正确关闭资源

Signed-off-by: Async <raisinata@foxmail.com>

* refactor(proxy): 优化代码导入结构

- 移除了不必要的导入项
- 显式导入了所有活动类，提高了代码的可读性和维护性

Signed-off-by: Async <raisinata@foxmail.com>

* update

* fix: no static

Signed-off-by: Async <raisinata@foxmail.com>

* fix: add SingletonHolder for TlsCertificateManager

Signed-off-by: Async <raisinata@foxmail.com>

* refactor

* refactor(proxy): 重构 TLS证书管理

- 将 TlsCertificateManager 实例化移至 ProxyStartup 类
- 更新 GrpcServer 和 RemotingProtocolServer 类以使用 TlsCertificateManager
- 移除冗余的 TLS 证书管理相关测试用例
- 优化 TLS 上下文重载逻辑

Signed-off-by: Async <raisinata@foxmail.com>

* refactor(proxy): 优化日志信息内容

- 将 cert file changed 日志信息改为更通用的 File changed
- 保持代码风格一致性，提高日志的可读性和维护性

Signed-off-by: Async <raisinata@foxmail.com>

* test(proxy): 重构并增强 TlsCertificateManager 测试用例- 重新设计测试用例，使用临时文件模拟证书和密钥
- 增加对 TlsCertificateManager 各种方法的单元测试
- 涉及到的测试场景包括：
  - 构造函数
  - 启动和关闭
  - 注册和注销监听器
  - 文件变更通知（证书、密钥、未知文件等）
  - 多个监听器的情况
  - 监听器抛出异常的情况
  - 增加对内部 CertKeyFileWatchListener 的测试

Signed-off-by: Async <raisinata@foxmail.com>

* refactor

* test(proxy): 优化 TlsCertificateManager 单元测试

-移除了未使用的 import 语句
- 替换了 import static语句，使其更加有序
- 删除了未使用的静态方法断言（verify、times、never）
- 重置了 mock 对象以避免测试之间的干扰

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

* fix format

Signed-off-by: Async <raisinata@foxmail.com>

---------

Signed-off-by: Async <raisinata@foxmail.com>

Author: EnableAsync

proxy/src/main/java/org/apache/rocketmq/proxy/ProxyStartup.java

@@ -44,6 +44,7 @@
 import org.apache.rocketmq.proxy.processor.DefaultMessagingProcessor;
 import org.apache.rocketmq.proxy.processor.MessagingProcessor;
 import org.apache.rocketmq.proxy.remoting.RemotingProtocolServer;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 import org.apache.rocketmq.remoting.protocol.RemotingCommand;
 import org.apache.rocketmq.srvutil.ServerUtil;
 
@@ -76,8 +77,13 @@ public static void main(String[] args) {
 
             MessagingProcessor messagingProcessor = createMessagingProcessor();
 
+            // tls cert update
+            TlsCertificateManager tlsCertificateManager = new TlsCertificateManager();
+            PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(tlsCertificateManager);
+
             // create grpcServer
-            GrpcServer grpcServer = GrpcServerBuilder.newBuilder(executor, ConfigurationManager.getProxyConfig().getGrpcServerPort())
+            GrpcServer grpcServer = GrpcServerBuilder.newBuilder(executor,
+                    ConfigurationManager.getProxyConfig().getGrpcServerPort(), tlsCertificateManager)
                 .addService(createServiceProcessor(messagingProcessor))
                 .addService(ChannelzService.newInstance(100))
                 .addService(ProtoReflectionService.newInstance())
@@ -86,7 +92,7 @@ public static void main(String[] args) {
                 .build();
             PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(grpcServer);
 
-            RemotingProtocolServer remotingServer = new RemotingProtocolServer(messagingProcessor);
+            RemotingProtocolServer remotingServer = new RemotingProtocolServer(messagingProcessor, tlsCertificateManager);
             PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(remotingServer);
 
             // start servers one by one.

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServer.java

@@ -17,12 +17,17 @@
 
 package org.apache.rocketmq.proxy.grpc;
 
-import java.util.concurrent.TimeUnit;
+import com.google.common.annotations.VisibleForTesting;
 import io.grpc.Server;
 import org.apache.rocketmq.common.constant.LoggerName;
+import org.apache.rocketmq.common.utils.StartAndShutdown;
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
-import org.apache.rocketmq.common.utils.StartAndShutdown;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.concurrent.TimeUnit;
 
 public class GrpcServer implements StartAndShutdown {
     private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
@@ -33,23 +38,50 @@ public class GrpcServer implements StartAndShutdown {
 
     private final TimeUnit unit;
 
-    protected GrpcServer(Server server, long timeout, TimeUnit unit) {
+    private final TlsCertificateManager tlsCertificateManager;
+    @VisibleForTesting final GrpcTlsReloadHandler tlsReloadHandler;
+
+    protected GrpcServer(Server server, long timeout, TimeUnit unit,
+        TlsCertificateManager tlsCertificateManager) throws Exception {
         this.server = server;
         this.timeout = timeout;
         this.unit = unit;
+        this.tlsCertificateManager = tlsCertificateManager;
+        this.tlsReloadHandler = new GrpcTlsReloadHandler();
     }
 
     public void start() throws Exception {
+        // Register the TLS context reload handler
+        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
+
         this.server.start();
         log.info("grpc server start successfully.");
     }
 
     public void shutdown() {
         try {
+            // Unregister the TLS context reload handler
+            tlsCertificateManager.unregisterReloadListener(this.tlsReloadHandler);
+
             this.server.shutdown().awaitTermination(timeout, unit);
+
             log.info("grpc server shutdown successfully.");
         } catch (Exception e) {
             e.printStackTrace();
+            log.error("Failed to shutdown grpc server", e);
+        }
+    }
+
+    @VisibleForTesting
+    class GrpcTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
+        @Override
+        public void onTlsContextReload() {
+            try {
+                ProxyAndTlsProtocolNegotiator.loadSslContext();
+                log.info("SslContext reloaded for grpc server");
+            } catch (CertificateException | IOException e) {
+                log.error("Failed to reload SslContext for server", e);
+            }
         }
     }
-}
+}

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServerBuilder.java

@@ -34,6 +34,7 @@
 
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 public class GrpcServerBuilder {
     private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
@@ -43,11 +44,15 @@ public class GrpcServerBuilder {
 
     protected TimeUnit unit = TimeUnit.SECONDS;
 
-    public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port) {
-        return new GrpcServerBuilder(executor, port);
+    protected TlsCertificateManager tlsCertificateManager;
+
+    public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port,
+        TlsCertificateManager tlsCertificateManager) {
+        return new GrpcServerBuilder(executor, port, tlsCertificateManager);
     }
 
-    protected GrpcServerBuilder(ThreadPoolExecutor executor, int port) {
+    protected GrpcServerBuilder(ThreadPoolExecutor executor, int port, TlsCertificateManager tlsCertificateManager) {
+        this.tlsCertificateManager = tlsCertificateManager;
         serverBuilder = NettyServerBuilder.forPort(port);
 
         serverBuilder.protocolNegotiator(new ProxyAndTlsProtocolNegotiator());
@@ -71,7 +76,7 @@ protected GrpcServerBuilder(ThreadPoolExecutor executor, int port) {
         }
 
         serverBuilder.maxInboundMessageSize(maxInboundMessageSize)
-                .maxConnectionIdle(idleTimeMills, TimeUnit.MILLISECONDS);
+            .maxConnectionIdle(idleTimeMills, TimeUnit.MILLISECONDS);
 
         log.info("grpc server has built. port: {}, bossLoopNum: {}, workerLoopNum: {}, maxInboundMessageSize: {}",
             port, bossLoopNum, workerLoopNum, maxInboundMessageSize);
@@ -98,8 +103,8 @@ public GrpcServerBuilder appendInterceptor(ServerInterceptor interceptor) {
         return this;
     }
 
-    public GrpcServer build() {
-        return new GrpcServer(this.serverBuilder.build(), time, unit);
+    public GrpcServer build() throws Exception {
+        return new GrpcServer(this.serverBuilder.build(), time, unit, tlsCertificateManager);
     }
 
     public GrpcServerBuilder configInterceptor() {

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java

@@ -36,16 +36,23 @@
 import io.grpc.netty.shaded.io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
 import io.grpc.netty.shaded.io.netty.handler.codec.haproxy.HAProxyTLV;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
+import io.grpc.netty.shaded.io.netty.handler.ssl.OpenSsl;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
+
 import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import io.grpc.netty.shaded.io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.grpc.netty.shaded.io.netty.util.AsciiString;
 import io.grpc.netty.shaded.io.netty.util.CharsetUtil;
+
+import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.security.cert.CertificateException;
 import java.util.List;
+
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.rocketmq.common.constant.HAProxyConstants;
@@ -73,7 +80,13 @@ public class ProxyAndTlsProtocolNegotiator implements InternalProtocolNegotiator
     private static SslContext sslContext;
 
     public ProxyAndTlsProtocolNegotiator() {
-        sslContext = loadSslContext();
+        try {
+            loadSslContext();
+            log.info("SslContext created for proxy server");
+        } catch (IOException | CertificateException e) {
+            log.error("SslContext init error", e);
+            throw new RuntimeException(e);
+        }
     }
 
     @Override
@@ -90,35 +103,36 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
     public void close() {
     }
 
-    private static SslContext loadSslContext() {
-        try {
-            ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
-            if (proxyConfig.isTlsTestModeEnable()) {
-                SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
-                return GrpcSslContexts.forServer(selfSignedCertificate.certificate(),
-                                selfSignedCertificate.privateKey())
-                        .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                        .clientAuth(ClientAuth.NONE)
-                        .build();
-            } else {
-                String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
-                String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
-                try (InputStream serverKeyInputStream = Files.newInputStream(
-                        Paths.get(tlsKeyPath));
-                     InputStream serverCertificateStream = Files.newInputStream(
-                             Paths.get(tlsCertPath))) {
-                    SslContext res = GrpcSslContexts.forServer(serverCertificateStream,
-                                    serverKeyInputStream)
-                            .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                            .clientAuth(ClientAuth.NONE)
-                            .build();
-                    log.info("grpc load TLS configured OK");
-                    return res;
-                }
+    public static void loadSslContext() throws CertificateException, IOException {
+        ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
+        SslProvider provider;
+        if (OpenSsl.isAvailable()) {
+            provider = SslProvider.OPENSSL;
+            log.info("Using OpenSSL provider");
+        } else {
+            provider = SslProvider.JDK;
+            log.info("Using JDK SSL provider");
+        }
+        if (proxyConfig.isTlsTestModeEnable()) {
+            SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
+            sslContext = GrpcSslContexts.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
+                .sslProvider(provider)
+                .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                .clientAuth(ClientAuth.NONE)
+                .build();
+        } else {
+            String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
+            String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
+            try (InputStream serverKeyInputStream = Files.newInputStream(
+                Paths.get(tlsKeyPath));
+                 InputStream serverCertificateStream = Files.newInputStream(
+                     Paths.get(tlsCertPath))) {
+                sslContext = GrpcSslContexts.forServer(serverCertificateStream,
+                        serverKeyInputStream)
+                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                    .clientAuth(ClientAuth.NONE)
+                    .build();
             }
-        } catch (Exception e) {
-            log.error("grpc tls set failed. msg: {}, e:", e.getMessage(), e);
-            throw new RuntimeException("grpc tls set failed: " + e.getMessage());
         }
     }
 
@@ -135,15 +149,14 @@ public ProxyAndTlsProtocolHandler(GrpcHttp2ConnectionHandler grpcHandler) {
         @Override
         protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
             try {
-                ProtocolDetectionResult<HAProxyProtocolVersion> ha = HAProxyMessageDecoder.detectProtocol(
-                        in);
+                ProtocolDetectionResult<HAProxyProtocolVersion> ha = HAProxyMessageDecoder.detectProtocol(in);
                 if (ha.state() == ProtocolDetectionState.NEEDS_MORE_DATA) {
                     return;
                 }
                 if (ha.state() == ProtocolDetectionState.DETECTED) {
                     ctx.pipeline().addAfter(ctx.name(), HA_PROXY_DECODER, new HAProxyMessageDecoder())
-                            .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
-                            .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
+                        .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
+                        .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 } else {
                     ctx.pipeline().addAfter(ctx.name(), TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 }
@@ -209,7 +222,7 @@ private void handleWithMessage(HAProxyMessage msg) {
                     msg.tlvs().forEach(tlv -> handleHAProxyTLV(tlv, builder));
                 }
                 pne = InternalProtocolNegotiationEvent
-                        .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
+                    .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
             } finally {
                 msg.release();
             }
@@ -244,9 +257,9 @@ private class TlsModeHandler extends ByteToMessageDecoder {
 
         public TlsModeHandler(GrpcHttp2ConnectionHandler grpcHandler) {
             this.ssl = InternalProtocolNegotiators.serverTls(sslContext)
-                    .newHandler(grpcHandler);
+                .newHandler(grpcHandler);
             this.plaintext = InternalProtocolNegotiators.serverPlaintext()
-                    .newHandler(grpcHandler);
+                .newHandler(grpcHandler);
         }
 
         @Override
@@ -258,7 +271,7 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
                 } else if (TlsMode.DISABLED.equals(tlsMode)) {
                     ctx.pipeline().addAfter(ctx.name(), null, this.plaintext);
                 } else {
-                    // in SslHandler.isEncrypted, it need at least 5 bytes to judge is encrypted or not
+                    // in SslHandler.isEncrypted, it needs at least 5 bytes to judge is encrypted or not
                     if (in.readableBytes() < SSL_RECORD_HEADER_LENGTH) {
                         return;
                     }

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolRemotingServer.java

@@ -68,9 +68,9 @@ public void loadSslContext() {
         if (tlsMode != TlsMode.DISABLED) {
             try {
                 sslContext = MultiProtocolTlsHelper.buildSslContext();
-                log.info("SSLContext created for server");
+                log.info("SslContext created for multi protocol remoting server");
             } catch (CertificateException | IOException e) {
-                throw new ProxyException(ProxyExceptionCode.INTERNAL_SERVER_ERROR, "Failed to create SSLContext for server", e);
+                throw new ProxyException(ProxyExceptionCode.INTERNAL_SERVER_ERROR, "Failed to create SslContext for server", e);
             }
         }
     }

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java

@@ -61,12 +61,12 @@ public static SslContext buildSslContext() throws IOException, CertificateExcept
             log.info("Using JDK SSL provider");
         }
 
-        SslContextBuilder sslContextBuilder = null;
+        SslContextBuilder sslContextBuilder;
         if (tlsTestModeEnable) {
             SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
             sslContextBuilder = SslContextBuilder
                 .forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
-                .sslProvider(SslProvider.OPENSSL)
+                .sslProvider(provider)
                 .clientAuth(ClientAuth.OPTIONAL);
         } else {
             sslContextBuilder = SslContextBuilder.forServer(

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/RemotingProtocolServer.java

@@ -46,6 +46,7 @@
 import org.apache.rocketmq.proxy.remoting.pipeline.AuthorizationPipeline;
 import org.apache.rocketmq.proxy.remoting.pipeline.ContextInitPipeline;
 import org.apache.rocketmq.proxy.remoting.pipeline.RequestPipeline;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 import org.apache.rocketmq.remoting.ChannelEventListener;
 import org.apache.rocketmq.remoting.InvokeCallback;
 import org.apache.rocketmq.remoting.RemotingServer;
@@ -88,8 +89,11 @@ public class RemotingProtocolServer implements StartAndShutdown, RemotingProxyOu
     protected final ThreadPoolExecutor topicRouteExecutor;
     protected final ThreadPoolExecutor defaultExecutor;
     protected final ScheduledExecutorService timerExecutor;
+    protected final TlsCertificateManager tlsCertificateManager;
+    protected final RemotingTlsReloadHandler tlsReloadHandler;
 
-    public RemotingProtocolServer(MessagingProcessor messagingProcessor) {
+
+    public RemotingProtocolServer(MessagingProcessor messagingProcessor, TlsCertificateManager tlsCertificateManager) throws Exception {
         this.messagingProcessor = messagingProcessor;
         this.remotingChannelManager = new RemotingChannelManager(this, messagingProcessor.getProxyRelayService());
 
@@ -114,6 +118,8 @@ public RemotingProtocolServer(MessagingProcessor messagingProcessor) {
         System.setProperty(TlsSystemConfig.TLS_SERVER_CERTPATH, config.getTlsCertPath());
         TlsSystemConfig.tlsServerKeyPath = config.getTlsKeyPath();
         System.setProperty(TlsSystemConfig.TLS_SERVER_KEYPATH, config.getTlsKeyPath());
+        this.tlsCertificateManager = tlsCertificateManager;
+        this.tlsReloadHandler = new RemotingTlsReloadHandler();
 
         this.clientHousekeepingService = new ClientHousekeepingService(this.clientManagerActivity);
 
@@ -191,6 +197,16 @@ public RemotingProtocolServer(MessagingProcessor messagingProcessor) {
         this.registerRemotingServer(this.defaultRemotingServer);
     }
 
+    protected class RemotingTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
+        @Override
+        public void onTlsContextReload() {
+            if (defaultRemotingServer instanceof NettyRemotingServer) {
+                ((NettyRemotingServer) defaultRemotingServer).loadSslContext();
+                log.info("SslContext reloaded for remoting server");
+            }
+        }
+    }
+
     protected void registerRemotingServer(RemotingServer remotingServer) {
         remotingServer.registerProcessor(RequestCode.SEND_MESSAGE, sendMessageActivity, this.sendMessageExecutor);
         remotingServer.registerProcessor(RequestCode.SEND_MESSAGE_V2, sendMessageActivity, this.sendMessageExecutor);
@@ -226,6 +242,9 @@ protected void registerRemotingServer(RemotingServer remotingServer) {
 
     @Override
     public void shutdown() throws Exception {
+        // Unregister the TLS context reload handler
+        tlsCertificateManager.unregisterReloadListener(this.tlsReloadHandler);
+
         this.defaultRemotingServer.shutdown();
         this.remotingChannelManager.shutdown();
         this.sendMessageExecutor.shutdown();
@@ -238,6 +257,9 @@ public void shutdown() throws Exception {
 
     @Override
     public void start() throws Exception {
+        // Register the TLS context reload handler
+        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
+
         this.remotingChannelManager.start();
         this.defaultRemotingServer.start();
     }