
fabhttp endpoint will need to restart on certificate renewals

Open mrshah-at-ibm opened this issue 3 years ago • 3 comments

fabhttp server loads static TLS certificates in the server here. This will require restart of the server when the certificates are renewed or replaced.

It will be better if the certificates are loaded dynamically as they are loaded in grpc server here to not require a restart.

mrshah-at-ibm, Jun 08 '22 18:06

But Fabric cannot dynamically update a TLS certificate anyway... there is no API for that.

yacovm, Jun 12 '22 10:06

If Fabric is running in Kubernetes and the secret containing the certificate is updated, grpcserver can pick up the new certificate without any restarts needed.

If Fabric is running outside of Kubernetes and the file with the certificate is updated with a new certificate, grpcserver can pick up the new certificate without any need of restarting the server.

mrshah-at-ibm, Jun 13 '22 11:06

I'm pretty sure the file is loaded only at startup... and not upon every TLS handshake.

yacovm, Jun 14 '22 06:06