Project

General

Profile

Bug #1397

SSL Cert+Key not reloaded on systemd "reload" action

Added by bongo almost 6 years ago. Updated over 5 years ago.

Status:
New
Priority:
High
Assignee:
-
Category:
-
Target version:
-
Start date:
02/04/2016
Due date:
% Done:

0%

Estimated time:
Version:
0.10.0
OS:
Linux

Description

I am using https://github.com/hlandau/acme to renew my let's encrypt certificates.
This script does systemctl reload $name.service on each configured service.

Quasselcore does not re-read the given quasselCert.pem and therefore fails to establish a valid secure connection to the clients.

This action should not require restarting the service and is common to work with all webservers, load balancers etc.

History

#1 Updated by bongo almost 6 years ago

Steps to reproduce:

  1. stop quasselcore
  2. (re)move /var/lib/quasselcore/quasselCert.pem
  3. start quasselcore
  4. connect with client => "core does not support SSL" warning appears
  5. reload quasselcore
  6. connect with client => "core does not support SSL" warning STILL appears

#2 Updated by TC01 almost 6 years ago

bongo wrote:

I am using https://github.com/hlandau/acme to renew my let's encrypt certificates.
This script does systemctl reload $name.service on each configured service.

Quasselcore does not re-read the given quasselCert.pem and therefore fails to establish a valid secure connection to the clients.

This action should not require restarting the service and is common to work with all webservers, load balancers etc.

FYI: quassel upstream doesn't ship a systemd service file. I think, anyway.

Having said that, you're absolutely right that it should be possible to tell quassel to re-read the SSL cert without restarting it. However, I'm not sure how possible this is at the moment without implementing some kind of management interface for the core.

#3 Updated by bongo almost 6 years ago

@TC01: Debian 8 or systemd has some type of compatibility layer making it possible to still use sysv scripts though it's not appreciated.

#4 Updated by digitalcircuit over 5 years ago

Quassel now supports reloading SSL certificates via kill -SIGHUP $QUASSEL_PID in the latest git master code (commit hash 25a3ae50ac0d9835283e4f5f10fcfcc10ed5575d). See merged pull request #208 for more details: https://github.com/quassel/quassel/pull/208

Quassel's init script will need changed to use this command in order to support reloading via service quasselcore reload or whatnot.

Also available in: Atom PDF