
TLS certificate and key should be able to be replaced at runtime #491

Closed
jclulow opened this issue Nov 24, 2022 · 0 comments · Fixed by #502
jclulow commented Nov 24, 2022

At present, the private key and certificate for TLS must be provided once at startup of the server. Short-lived certificates are becoming increasingly common; Let's Encrypt certificates are valid for 90 days, but it is recommended to renew them more often than that (e.g., every 30-60 days) to avoid issues around the expiry period.

Certificates also need to be re-issued if more alternative names are added to a non-wildcard certificate.

It would be good if dropshot::HttpServer provided a routine for installing new certificates, probably by passing a new dropshot::ConfigTls. (see #490 for why it should not just be a pair of PathBuf arguments.)
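The following is an added example, not code from dropshot or from PR #502, sketching what a runtime-replaceable TLS holder with a refresh routine can look like. It goes slightly beyond the request above: replacement material is validated before it is swapped in (so a bad renewal leaves the old certificate serving instead of taking the listener down), each connection snapshots the material in use at accept time, and a `needs_renewal` check encodes the "renew well before the 90 days are up" guidance. `TlsMaterial`, `TlsHolder`, the `refresh_tls` signature, the `not_before`/`not_after` fields and the PEM-marker check are all assumptions made for illustration, and the PEM bytes are constructed placeholders rather than a real certificate or key.

```rust
// Added example, not code from dropshot or PR #502. TlsMaterial, TlsHolder,
// refresh_tls's signature and the validity fields are assumptions for
// illustration; the PEM bytes below are constructed placeholders.
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, RwLock};

/// Stand-in for a ConfigTls-style value: the material itself rather than a
/// pair of paths, plus the certificate's validity window as Unix seconds.
/// A real implementation would take the window from the parsed certificate.
#[derive(Clone, Debug, PartialEq)]
pub struct TlsMaterial {
    pub cert_pem: Vec<u8>,
    pub key_pem: Vec<u8>,
    pub not_before: u64,
    pub not_after: u64,
}

#[derive(Debug, PartialEq)]
pub enum TlsError {
    BadCertPem,
    BadKeyPem,
    NotYetValid,
    Expired,
}

/// Cheap structural check for a PEM block whose label ends in `label`
/// (e.g. "PRIVATE KEY" also accepts "RSA PRIVATE KEY"); a real server would
/// parse the DER and fail on that instead.
fn has_pem_block(bytes: &[u8], label: &str) -> bool {
    match std::str::from_utf8(bytes) {
        Ok(s) => {
            s.contains("-----BEGIN ")
                && s.contains(&format!("{}-----", label))
                && s.contains("-----END ")
        }
        Err(_) => false,
    }
}

/// Reject material that would break the listener before it is installed.
pub fn validate(m: &TlsMaterial, now: u64) -> Result<(), TlsError> {
    if !has_pem_block(&m.cert_pem, "CERTIFICATE") {
        return Err(TlsError::BadCertPem);
    }
    if !has_pem_block(&m.key_pem, "PRIVATE KEY") {
        return Err(TlsError::BadKeyPem);
    }
    if now < m.not_before {
        return Err(TlsError::NotYetValid);
    }
    if now >= m.not_after {
        return Err(TlsError::Expired);
    }
    Ok(())
}

/// The running server's view of its TLS material. Each accepted connection
/// takes a snapshot via `current()`, so handshakes already in progress keep
/// the material they started with while `refresh_tls` swaps the pointer for
/// connections accepted afterwards.
pub struct TlsHolder {
    current: RwLock<Arc<TlsMaterial>>,
    generation: AtomicU64,
}

impl TlsHolder {
    pub fn new(initial: TlsMaterial, now: u64) -> Result<Self, TlsError> {
        validate(&initial, now)?;
        Ok(Self { current: RwLock::new(Arc::new(initial)), generation: AtomicU64::new(1) })
    }

    pub fn current(&self) -> Arc<TlsMaterial> {
        Arc::clone(&self.current.read().unwrap())
    }

    pub fn generation(&self) -> u64 {
        self.generation.load(Ordering::Acquire)
    }

    /// Install replacement material. Validation runs before the write lock is
    /// taken; on any error the previously installed material stays active and
    /// the generation counter does not move.
    pub fn refresh_tls(&self, replacement: TlsMaterial, now: u64) -> Result<u64, TlsError> {
        validate(&replacement, now)?;
        let mut slot = self.current.write().unwrap();
        *slot = Arc::new(replacement);
        Ok(self.generation.fetch_add(1, Ordering::AcqRel) + 1)
    }
}

/// Renewal policy: renew once less than `remaining_fraction` of the validity
/// window is left. For a 90-day certificate and 1/3 that means renewing after
/// day 60, inside the 30-60 day window mentioned in the issue.
pub fn needs_renewal(m: &TlsMaterial, now: u64, remaining_fraction: f64) -> bool {
    if now >= m.not_after {
        return true;
    }
    let total = m.not_after.saturating_sub(m.not_before) as f64;
    let remaining = (m.not_after - now) as f64;
    remaining < total * remaining_fraction
}

/// Constructed sample material; the bodies are placeholders, not a real
/// certificate or key.
pub fn sample_material(not_before: u64, not_after: u64) -> TlsMaterial {
    TlsMaterial {
        cert_pem: b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n".to_vec(),
        key_pem: b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n".to_vec(),
        not_before,
        not_after,
    }
}

fn main() {
    const DAY: u64 = 86_400;
    let issued = 1_700_000_000;
    let holder = TlsHolder::new(sample_material(issued, issued + 90 * DAY), issued + DAY).unwrap();
    let day61 = issued + 61 * DAY;
    if needs_renewal(&holder.current(), day61, 1.0 / 3.0) {
        match holder.refresh_tls(sample_material(day61, day61 + 90 * DAY), day61) {
            Ok(gen) => println!("installed TLS material generation {}", gen),
            Err(e) => println!("kept old material: {:?}", e),
        }
    }
}
```

The point of the `Arc` snapshot plus a single write-locked swap is that a refresh never leaves a connection holding a certificate from one generation and a key from another; the caller that drives renewal checks `needs_renewal` on a timer and retries on `Err` without ever touching the listener.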

@smklein smklein self-assigned this Dec 6, 2022
smklein added a commit that referenced this issue Dec 14, 2022
Adds a `refresh_tls` method to `HttpServer`, which allows TLS information to be updated for a running server.

Fixes #491