Allow graceful TLS key rotation #13
Comments
Why do you care about certificate reload? Paid certificates are valid for years.
Mathieu Lecarme <notifications@github.com> writes:

> `GetCertificate` method, for just in time certificate read will only be used for new connections. Websocket will keep the connection opened for a long time.
>
>> Why do you care about certificate reload? Paid certificates are valid for years.
>
> If you choose to use LE, using a proxy like Traefik or Caddy (and sharing web with other applications) will be more simple.

But if you're *not* sharing the IP with other applications, that just means another service to configure...

> Integrating lego lib in galene is more robust than cron+certbot+kill -HUP.

Why would that be more robust?
Using a complete HTTP server for handling multihosting, throttling, bot ban … is just a standard. Few call it ingress.
that just means another service to configure, and a cron to miss.
Galène is meant to work both behind a reverse proxy and directly exposed to the Internet. This is not open to discussion.
Sure, the discussion was more about lego integration (inside) vs certbot integration (outside).
Fixed in b1babf5.
This was initially reported by @tohojo.
Galène will automatically pick up any changes to its configuration files. It will not pick up a change to the TLS keys — the only way to rotate keys is to restart the server.
I can see two ways of doing graceful key rotation. The simple one is to stop the TLS listener and then start a new one; this will involve a couple of seconds of downtime, but will not interrupt currently connected users. The other one would be to mutate the TLS configuration of the current listener (see `(*tls.Certificate).GetCertificate`), as is done by the letsencrypt library.