Update TLS certificates in running server #409
Comments
I offer a $100 bounty for this: https://www.bountysource.com/issues/103418479-update-tls-certificates-in-running-server
Not in conduit (since I don't understand it too well), nor in cohttp -- but such a mechanism is available e.g. in unipi: https://github.com/roburio/unipi/blob/9b4a3f8650e22dcf6b5a7b51a14dd8938eef2129/unikernel.ml#L188-L237 -- the same approach being used in dns-resolver https://git.robur.io/robur/dns-resolver/src/commit/e3e58547eaa63553b0680ae15cfb84632989384b/unikernel.ml#L21-L39 (though here, dns-certify.mirage is used to grab the certificate via DNS, with OCaml-DNS running the authoritative nameservers and https://github.com/roburio/dns-letsencrypt-secondary being responsible for LE provisioning -- notably tlstunnel does the same https://github.com/roburio/tlstunnel/blob/23a22f8702b4d1519b7f8f73bebe9582d63aeedb/unikernel.ml#L304-L340).
Not sure about the use case, but I recommend giving unipi a try: data in a git remote, uses http/af, Let's Encrypt provisioning built in. Clear separation between code (unikernel) and data to serve (git remote).
I understand, though I have working, well-worn code based on Cohttp already that I'd rather continue to use.
I would like to advise you to give a try on
Then, it is able to use Finally, I'm looking forward about a PR on EDIT: Plus it seems clear that
Is there a way to do this at present?
It introduces some operational risk to do an unattended server restart just to freshen the server certificates. With ACME/Let's Encrypt it needs to be done every 60 days, so it's not completely negligible.