Bug #1397
SSL Cert+Key not reloaded on systemd "reload" action
Description
I am using https://github.com/hlandau/acme to renew my Let's Encrypt certificates.
This script does systemctl reload $name.service on each configured service.
Quasselcore does not re-read the given quasselCert.pem and therefore fails to establish a valid secure connection to the clients.
This action should not require restarting the service and commonly works with all webservers, load balancers etc.
History
#1 Updated by bongo almost 9 years ago
Steps to reproduce:
- stop quasselcore
- (re)move /var/lib/quasselcore/quasselCert.pem
- start quasselcore
- connect with client => "core does not support SSL" warning appears
- reload quasselcore
- connect with client => "core does not support SSL" warning STILL appears
#2 Updated by TC01 over 8 years ago
bongo wrote:
I am using https://github.com/hlandau/acme to renew my Let's Encrypt certificates.
This script does systemctl reload $name.service on each configured service.
Quasselcore does not re-read the given quasselCert.pem and therefore fails to establish a valid secure connection to the clients.
This action should not require restarting the service and commonly works with all webservers, load balancers etc.
FYI: quassel upstream doesn't ship a systemd service file. I think, anyway.
Having said that, you're absolutely right that it should be possible to tell quassel to re-read the SSL cert without restarting it. However, I'm not sure how possible this is at the moment without implementing some kind of management interface for the core.
#3 Updated by bongo over 8 years ago
@TC01: Debian 8 or systemd has some type of compatibility layer making it possible to still use sysv scripts though it's not appreciated.
#4 Updated by digitalcircuit about 8 years ago
Quassel now supports reloading SSL certificates via kill -SIGHUP $QUASSEL_PID in the latest git master code (commit hash 25a3ae50ac0d9835283e4f5f10fcfcc10ed5575d). See merged pull request #208 for more details: https://github.com/quassel/quassel/pull/208
Quassel's init script will need to be changed to use this command in order to support reloading via service quasselcore reload or whatnot.
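The reload hook that comment #4 asks for, written out as an added example (this is not Quassel's own init script, nor code from PR #208). It sends the SIGHUP described above, but only after checking that the certificate file is non-empty and readable, so a broken renewal fails loudly here rather than leaving the core in the "core does not support SSL" state from the reproduction steps in comment #1. The same hook is also emitted as a systemd drop-in so that the `systemctl reload` the ACME client issues maps onto SIGHUP. The PID file path and the unit name `quasselcore.service` are assumptions; the certificate path is the one named in the report.

```shell
#!/bin/sh
# Added example, not Quassel's init script. Reloads quasselcore's SSL
# certificate by sending SIGHUP (the mechanism merged in PR #208) after
# checking that the new cert file is actually usable.
# Assumptions (not from the bug report): the PID file path and the systemd
# unit name; the cert path is the one named in the report.

QUASSEL_PIDFILE="${QUASSEL_PIDFILE:-/var/run/quasselcore.pid}"   # assumed path
QUASSEL_CERT="${QUASSEL_CERT:-/var/lib/quasselcore/quasselCert.pem}"

# cert_ok FILE: non-empty and readable by the caller. The core re-reads the
# file on SIGHUP, so an empty or unreadable file is worth rejecting first.
cert_ok() {
    [ -s "$1" ] && [ -r "$1" ]
}

# reload_quasselcore PIDFILE CERTFILE
# Exit status: 0 = SIGHUP delivered, 1 = cert check failed,
#              2 = PID file missing or process not running.
reload_quasselcore() {
    pidfile="$1"
    cert="$2"
    cert_ok "$cert" || { echo "cert check failed: $cert" >&2; return 1; }
    [ -r "$pidfile" ] || { echo "no PID file: $pidfile" >&2; return 2; }
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null || { echo "PID $pid not running" >&2; return 2; }
    kill -HUP "$pid"
}

# The same hook as a systemd drop-in, so that `systemctl reload
# quasselcore.service` (what the ACME client calls) turns into SIGHUP.
# ExecReload and $MAINPID are standard systemd; the unit name is assumed.
print_systemd_dropin() {
    cat <<'EOF'
# /etc/systemd/system/quasselcore.service.d/reload.conf
[Service]
ExecReload=/bin/kill -HUP $MAINPID
EOF
}

# Stand-alone use: `sh reload.sh reload` or `sh reload.sh dropin`.
case "${1:-}" in
    reload) reload_quasselcore "$QUASSEL_PIDFILE" "$QUASSEL_CERT" ;;
    dropin) print_systemd_dropin ;;
esac
```

With the drop-in installed (`systemctl daemon-reload` afterwards), the ACME client's `systemctl reload quasselcore.service` delivers SIGHUP to the core's main process; the script form is for sysv-style init scripts, where the `reload` target would call `reload_quasselcore` and propagate its exit status.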