
SIGHUP does not refresh TLS certificate

Open paulchoi opened this issue 3 years ago • 2 comments

Should issuing SIGHUP to chproxy cause it to reload the TLS certificate? The TLS cert served by chproxy is still the old one.

I am not using letsencrypt, but my infrastructure is able to provide short-lived TLS certificates that refresh every week.

server:
  http:
    listen_addr: ":9090"
  https:
    listen_addr: ":443"
    cert_file: /config/chain.pem
    key_file: /config/private.pem

paulchoi avatar Jul 27 '22 22:07 paulchoi

I did check the code and indeed it doesn't reload the TLS certificate, since the part with the certificate is done at startup after the first load of the conf and not after each reload. I can't say if we will fix this behavior because it might be more complex than expected. To be more precise, I don't know if, with the current code, reloading the TLS certificate might cancel the ongoing queries, and if that's the case it would require a bigger refactoring that we won't do in the near future.

mga-chka avatar Aug 01 '22 12:08 mga-chka

Thanks for the clarification. I understand that it would not be trivial to implement something like this.

I think some kind of note in the documentation might be good.

paulchoi avatar Aug 12 '22 23:08 paulchoi

FYI the following PR https://github.com/ContentSquare/chproxy/pull/215 will add more description to the documentation about the problem you faced. Once it's merged I'll close this PR (unless you think the description added is not enough).

mga-chka avatar Aug 29 '22 19:08 mga-chka

The PR was merged

mga-chka avatar Aug 31 '22 06:08 mga-chka