Allow graceful TLS key rotation #13
Comments
|
Why do you care about certificate reload? paid certifcate are valid for years. |
|
Mathieu Lecarme <notifications@github.com> writes:
`GetCertificate` method, for just in time certificate read will only be used for new connections. Websocket will keep the connection opened for a long time.
Why do you care about certificate reload? paid certifcate are valid for years.
If you choose to use LE, using a proxy like Traefik or Caddy (and
sharing web with other applications) will be more simple.
But if you're *not* sharing the IP with other applications, that just
means another service to configure...
Integrating lego lib in galene is more robust than cron+certbot+kill
-HUP.
Why would that be more robust?
|
Using a complete HTTP server for handling multihosting, throtlling, bot ban … is just a standard. Few call it ingress.
that just means another service to configure, and a cron to miss. |
|
Galène is meant to work both behind a reverse proxy and directly exposed to the Internet. This is not open to discussion. |
|
Sure, the discussion was more about lego integration (inside) vs certbot integration (outside). |
|
Fixed in b1babf5. |
This was initially reported by @tohojo.
Galène will automatically pick up any changes to its configuration files. It will not pick up a change to the TLS keys — the only way to rotate keys is to restart the server.
I can see two ways of doing graceful key rotation. The simple one is to stop the TLS listener and then start a new one; this will involve a couple of seconds of downtime, but will not interrupt currently connected users. The other one would be mutate the TLS configuration of the current listener (see
(*tls.Certificate).GetCertificate), as is done by the letsencrypt library.The text was updated successfully, but these errors were encountered: