Support reloading certificates #505
It's good security practice to regularly roll certificates. Currently, the process (client or server) would need to restart to pick up the new certificate. It would be a lot better to watch the files and reload them if appropriate.
We should take care to not fail if the certificate and key files are not updated at exactly the same time, as they likely won't be.
FWIW, the way Nginx handles this is that if the main process is sent
Generally, on Linux, this is pretty easy to set up using
Then, any automated renewal script, or manual administration, can do it atomically when they know the certificates are valid. This is how most letsencrypt.org/nginx integrations work, for example; they trigger the init system to send a reload signal once every 30-60 days (to comfortably avoid the 90 day window).