
[Question] TLS certificate rotation

Open t-yrka opened this issue 10 months ago • 1 comment

What is the recommended way of performing TLS certificate rotation with gunicorn?

Based on https://github.com/benoitc/gunicorn/blob/master/gunicorn/sock.py#L219 it seems (by default) the certificate is picked up on each request, so gunicorn should automatically use the newest one available (and it works fine based on my testing). But I've not found this mentioned anywhere in the docs - is it an undocumented feature(?), or shouldn't we rely on this?

I was going to use the HUP signal to reload the workers, but it seems redundant when the certificates are not pre-loaded.

t-yrka avatar Apr 08 '24 16:04 t-yrka

@benoitc Hello. I'm also interested in this topic. Could you take a look at this question? :D

chadr123 avatar Jun 12 '24 06:06 chadr123

Certificates are not cached yet. If they are in the future, this will be documented. I think it's safe anyway to force that reload when you rotate SSL certificates, so you make sure that future changes are covered.

benoitc avatar Aug 06 '24 16:08 benoitc
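As an added example (not part of this thread and not gunicorn's own code): a small Python helper that follows the advice above. Once the rotated certificate has been written to the path gunicorn was started with (`--certfile`, plus `--pid` for the master pidfile), it sends SIGHUP to the master and then confirms the listener actually presents the new leaf by comparing SHA-256 fingerprints of the file and of the served certificate. The host, port, file paths and settle time are assumptions for illustration.

```python
import base64
import hashlib
import os
import re
import signal
import socket
import ssl
import time
from pathlib import Path

# First CERTIFICATE block only: a leaf+chain bundle is fingerprinted by its leaf.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def first_cert_fingerprint(pem_text):
    """SHA-256 hex digest of the DER bytes of the first certificate in PEM_TEXT."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM text")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port, timeout=5.0):
    """Fingerprint of the leaf certificate a live TLS listener presents.
    Chain verification is off on purpose: we test whether the listener serves
    the file just installed, not whether a CA trusts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def reload_gunicorn(pidfile):
    """SIGHUP the gunicorn master (started with --pid PIDFILE); workers are
    gracefully replaced, so any per-process state picks up the new files."""
    pid = int(Path(pidfile).read_text().strip())
    os.kill(pid, signal.SIGHUP)
    return pid


def rotate_and_verify(certfile, pidfile, host, port, settle=2.0):
    """Call once the new cert is in place at CERTFILE: reload, let the new
    workers come up, and return True only if the served leaf matches the file."""
    expected = first_cert_fingerprint(Path(certfile).read_text())
    reload_gunicorn(pidfile)
    time.sleep(settle)
    return served_fingerprint(host, port) == expected
```

A rotation hook would call `rotate_and_verify("/etc/gunicorn/server.pem", "/run/gunicorn.pid", "127.0.0.1", 8443)` (assumed paths) and alert if it returns False, which catches the case where a future gunicorn version does start caching certificates.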