Re-reading an updated password-file in `step-ca` on SIGHUP

Open casdevs opened this issue 5 years ago • 3 comments

Subject of the issue

I'm not 100% sure, but could it be that step-ca does not read a (potentially updated) private key password from the file given via the --password-file option on startup again if it reloads?

We've replaced certs and keys as described in https://smallstep.com/docs/tutorials/intermediate-ca-new-ca#the-secure-way (using a new private key secured with a new password), updated the password in the password-file and then just did a kill SIGHUP to have step-ca reload its config.

We then got an error

error reloading server: x509: decryption password incorrect

from the step-ca daemon.

Your environment

  • OS - docker image
  • Version - latest version

Steps to reproduce

  • update private key password
  • update password stored in password-file
  • issue kill SIGHUP to reload step-ca

Expected behaviour

step-ca correctly loads the new key and uses the new key password

Actual behaviour

step-ca throws with

error reloading server: x509: decryption password incorrect

casdevs avatar Nov 21 '20 10:11 casdevs

@casdevs thanks for opening the issue/bug!

Note to us -- remember to handle:

  • temp file <() process substitution
  • if the file no longer exists go back to the old password

dopey avatar Nov 24 '20 18:11 dopey

Also check whether we re-read the private key / certs.

dopey avatar Apr 20 '21 17:04 dopey

Also check if bash process substitution works with SIGHUP

dopey avatar Apr 20 '21 17:04 dopey