X.509 certificate reloading #119
Comments
Here we need, also to get rid of the combined pem file containing: If we got that, we can just let the jabber world point to the |
I am using letsencrypt cert in my deployments. |
For sure you can doit in that way. So why not add this common pattern to jabberd2 cheers meno
|
I am using letsencrypt cert in my deployments.
The script launched after refreshing the certificate first merges the files,
ant then reloads jabberd. Genius!
Does it mean that jabberd is able to reload certificates without a
restart (simply on SIGHUP), or do you mean "restart" by "reload"?
I don't quite remember how I've checked it before creating this issue
report, but chances are that I've tried it, and it didn't work with
jabberd version <= 2.4.0 (the one that was in centos epel repository at
the time).
|
@defanor ATM the only way to reload is to restart. But the concept stays, thus this issue I assume. :) |
would be great if we could get "zero downtime" ssl cert reloads |
It would be nice to be able to reload X.509 certificates without
restarting jabberd.
The "Let's Encrypt" certificate authority seems to be getting more
popular, and it is quite handy, but it only issues 90-day
certificates, making the issue with reloading worse; though even with
1-year certificates, it would be better to avoid unnecessary restarts.
For a routine update (and not when a key gets compromised – then a
restart would do), I think it would be nice to begin handling new
connections with a new certificate, without disconnecting the
connected clients at once; notify the ones that didn't reconnect by
themselves after some (configurable, preferably) period of time, and
disconnect them after some more time.
P.S. Both TLS and X.509 are called "SSL" in the configuration files;
might be nice to fix that as well.
The text was updated successfully, but these errors were encountered: