#1346 TLS certificates not updated on config+modules reload

Reporter ge0rg
Owner Nobody
Tags
  • Status-NeedInfo
  • Type-Defect
  • Priority-Medium
  1. ge0rg on

    I'm running a prosody setup with net_multiplex (among others) and certificates by LetsEncrypt. After refreshing the certificate files, I run the following:

        nc localhost 5582 <<EOF
        config:reload()
        module:reload("tls")
        module:reload("http")
        module:reload "net_multiplex"
        exit
        EOF

    However, after that, the old certificates are still served from the server. Only after re-issuing the reload command twice (IIRC only reloading mod_tls is sufficient, but it's been a while), the new certificate will be served.

  2. Zash on

    Thanks for the report. What version of Prosody did you have?

    Changes
    • tags Status-NeedInfo
  3. ge0rg on

    This was happening with 0.10 nightlies typically some months old. Haven't had a LE rollover yet on 0.11, will try to think of commenting here when it happens.

  4. ge0rg on

    Running Prosody version 0.11 nightly build 39 (2019-03-22, 68faa0c1a99c) on Linux with certificates on different host:port combos.

    • After config:reload() - no cert updates
    • After second config:reload() - certificate on XMPP endpoints (c2s, s2s) is updated
    • module:reload("tls") - no changes after first or second call
    • module:reload("http") - certificate on :5281 updated
    • Second module:reload("http") - no further changes
    • module:reload("net_multiplex") - certificates on all :443 endpoints updated

    Now all certs are updated!

  5. Heather Young on

    This is happening on our instance running in Docker. We manage certs in a mounted volume. I can confirm updated/correct certificate is loaded at /etc/prosody/certs/<domain>.crt. We send SIGHUP to the process and get the following logs:

        mod_posix info Received SIGHUP
        startup info Reloading configuration file
        <domain>.com:tls info Certificates reloaded

    but then loading the HTTPS endpoint on 5281 certificate is not updated. What else do we need to do?
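
One way to check, after each reload step, which direct-TLS listeners (the :5281 HTTPS port and the multiplexed :443 port mentioned in this thread) still present the old certificate. This is an added example, not part of the thread or of Prosody; the command-line arguments and the listener list are assumptions, and the STARTTLS ports (c2s, s2s) are not covered.

```python
import hashlib
import socket
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 (hex) of the first, i.e. leaf, certificate in a PEM file or chain."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()

def served_fingerprint(host, port, sni, timeout=5.0):
    """SHA-256 (hex) of the leaf certificate a direct-TLS listener presents for this SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # has to be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE  # bytes are compared to the file on disk; trust is not evaluated
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def stale_listeners(pem_text, listeners, fetch=served_fingerprint):
    """Return [(host, port, detail)] for each listener not serving the on-disk leaf certificate."""
    expected = pem_fingerprint(pem_text)
    stale = []
    for host, port, sni in listeners:
        try:
            served = fetch(host, port, sni)
        except OSError as exc:  # covers refused connections, timeouts and ssl.SSLError
            stale.append((host, port, "unreachable: %s" % exc))
            continue
        if served != expected:
            stale.append((host, port, "serving " + served[:16]))
    return stale

if __name__ == "__main__":
    import sys
    # Assumed invocation: python3 check_certs.py /etc/prosody/certs/<domain>.crt <domain>
    cert_path, domain = sys.argv[1], sys.argv[2]
    with open(cert_path) as fh:
        pem = fh.read()
    # Assumed listener list: the direct-TLS ports named in the thread.
    bad = stale_listeners(pem, [("localhost", 5281, domain), ("localhost", 443, domain)])
    for host, port, detail in bad:
        print("STALE %s:%d (%s)" % (host, port, detail))
    sys.exit(1 if bad else 0)
```

A non-zero exit status after a reload means at least one listener is still serving a certificate other than the one on disk, which makes the script usable as a post-renewal hook check.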
