
Certificate is not loaded after config reload

Open marek-mbiel opened this issue 2 years ago • 3 comments


Environment

  • ejabberd version: 23.01
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 12.3.1
  • OS: Red Hat Enterprise Linux 8.5
  • Installed from: official rpm

Bug description

Reload of certificate from valid to invalid seems not working.

  1. I have configured certfile: "/opt/ejabberd/conf/lx-rec-fss-01-ejabberd.pem" where pem file was issued for different host -> Ejabberd was started with this config and behavior is OK. Service is running and when reaching Admin UI then secure connection is not established "NET::ERR_CERT_COMMON_NAME_INVALID"
  2. Changed certificate "/opt/ejabberd/conf/lx-rec-fss-01-ejabberd.pem" to the correct one (rename invalid cert to different name and rename proper cert to lx-rec-fss-01-ejabberd.pem) -> Config was reloaded and new valid cert is accepted. When reaching Admin UI then secure connection is established.
  3. Changed certificate again to invalid one and reload config. -> No impact, ejabberd is still using cert from step 2 (attachment: ejabberd.zip)

I expect that once cert is updated although to wrong one, this one is used and not previous cached one.

Thank you. BR, Marek

marek-mbiel avatar Mar 08 '23 16:03 marek-mbiel

In step 3, did you close and reopen the web browser? Do XMPP clients in step 3 receive the certificate from step 2?

badlop avatar Mar 21 '23 16:03 badlop

@badlop Yes, I reopened browser (I also tried it in incognito window, but same result). Yes, clients received valid cert from step 2 (although already configured invalid cert from step 1).

marek-mbiel avatar Mar 22 '23 11:03 marek-mbiel

I see. I get ejabberd using a valid certificate, then copy an expired certificate, and running ejabberdctl reload_config shows in the log:

2023-03-22 17:00:05.167789+01:00 [warning]
 Invalid certificate in
 /home/badlop/git/ejabberd/_build/relive/conf/cert.pem:
 at line 1: certificate is no longer valid as its expiration date has passed
2023-03-22 17:00:05.168572+01:00 [warning]
 Certificate in /home/badlop/git/ejabberd/_build/relive/conf/cert.pem (at line: 1)
 for localhost is expired

That new certificate isn't loaded, the old one is still being used.

This seems a feature that doesn't let distracted admins load expired certificates. However, you consider it a problem, because you are confident you want to load the new certificate...

badlop avatar Mar 22 '23 16:03 badlop
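The behaviour described in this thread (a reload that silently keeps the previous certificate) is easiest to confirm from the outside by comparing the fingerprint of the PEM on disk with the one the listener actually presents. The script below is an added example, not ejabberd's code or either participant's; it assumes the HTTPS listener port (5443 in ejabberd's default config) and that the leaf certificate is the first CERTIFICATE block in the PEM file.

```python
"""Compare the certificate on disk with the one an ejabberd listener serves."""
import base64
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_to_der(pem: bytes) -> bytes:
    """DER bytes of the first CERTIFICATE block (the leaf, in chain order)."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as lowercase hex (openssl's -fingerprint -sha256 without colons)."""
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host: str, port: int, server_name: str) -> str:
    """Fingerprint of whatever the listener presents. Verification is disabled on
    purpose: we want to see the certificate even when it is expired or misnamed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))

def check(disk_pem: bytes, served_fp: str) -> bool:
    """True when the served certificate is the one currently on disk."""
    return fingerprint(pem_to_der(disk_pem)) == served_fp

# Constructed sample for offline use: not a real certificate, just base64 of a
# known byte string, so the parsing and fingerprinting path can be exercised.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-not-a-real-cert")
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys  # usage: script.py /path/to/cert.pem host 5443
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path, "rb") as f:
        disk = f.read()
    served = served_fingerprint(host, port, host)
    print("on disk:", fingerprint(pem_to_der(disk)))
    print("served :", served)
    print("match" if check(disk, served) else "MISMATCH: reload kept an older certificate?")
```

Run it once before and once after `ejabberdctl reload_config`; a mismatch after the reload, together with the "Invalid certificate" warning in the log, is the signature of the case discussed above.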