On-demand TLS renewal

(Dali Licul) #1


I have an internal certificate service which is not LetsEncrypt nor is it using the ACME protocol.

During startup I download the certs and place them into the .certs directory, which works well via tls load .certs. However, what is the correct way to renew these certificates without an instance restart?

Currently, I decode the cert expiration date and, right before the cert expires, I download new certs into the .certs directory and then make a call to instance.restart().

FYI I’m using my own plugin directive which installs the certs, and it is registered before the tls directive. I'm looking for a way to just make a call to some function which would reload the certs from the .certs directory, or even better, allow me to update certs via inst.Storage[CertCacheInstStorageKey].(*certificateCache).


(Matt Holt) #2

Restarting is the correct way to install renewed certificates that aren’t managed by Caddy. The only thing I would recommend is renewing well before expiration in case there are any problems! 🙂

(Dali Licul) #3

Thanks Matt,

Do Caddy-managed certificate renewals also trigger a restart? If not, would it not be helpful to expose a way to tap into that flow? I guess I’m trying to find out what the concern would be if cached certs were replaced with new ones and a public method to do that was exposed to developers who import the caddy package.

(Matt Holt) #4

Can you explain your motivation more? What do you have against reloading?

(Dali Licul) #5

My concern about full reloading is what happens to existing open connections on restart? Does Caddy drain all existing connections first before redirecting traffic to the newly created instance, and only then tear down the old instance?

And is there any other downtime to be concerned with?

(Matt Holt) #6

No, reloads are graceful and incur zero downtime: https://caddyserver.com/docs/cli#usr1

(Dali Licul) #7

Excellent! Thank you for confirming; I was able to test it via a long-running request during a restart.