Let's Encrypt certificates expire after 90 days; there needs to be a command to reload the certificate without having to restart the server.
ejabberd reloads the certificate automatically if the modification time of the PEM file changes.
@weiss Could you say more about how that feature works, e.g. where exactly the check is done? It's not exactly easy to find any information about it.
Edit, found it: the fast_tls library checks this whenever tcp_to_tls() is called.
@weiss How long to verify that the certificate has been replaced? I did this now, and it still continues with the expired certificate.
> How long to verify that the certificate has been replaced?
It should be auto-reloaded immediately.
> I did this now, and it still continues with the expired certificate.
With recent ejabberd versions, you might have to call ejabberdctl reload-config after replacing the certificate (if you're on Linux and don't have inotifywait installed, or if you're e.g. on a BSD).
I've attempted to refresh certificates using: ejabberdctl reload-config
However, with 18.09 this has no effect if a directory is used in config.
> However, with 18.09 this has no effect if a directory is used in config.
What do you mean? Show your certfiles section.
certfiles:
- "/aDirectory/path/to/somewhere/*"
This is very early in my config. Line 21.
It has been very effective as I do not have to nominate individual certs anywhere else.
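For hosts without inotifywait (or on a BSD), where the thread's advice is to call ejabberdctl reload-config after replacing the certificate, the script below calls it only when a file in the certificate directory has actually changed. It is an added example, not part of the original thread or of ejabberd itself; the STATE_FILE path, the --run switch and running it from cron or a renewal hook are assumptions, and CERT_DIR defaults to the directory from the certfiles entry above.

```shell
#!/bin/sh
# Added example (not from the ejabberd project). Assumed defaults below;
# CERT_DIR should be the directory referenced by the certfiles glob.
CERT_DIR="${CERT_DIR:-/aDirectory/path/to/somewhere}"
STATE_FILE="${STATE_FILE:-/var/tmp/ejabberd-certs.state}"
EJABBERDCTL="${EJABBERDCTL:-ejabberdctl}"

# Print one "checksum size path" line per regular file in the directory,
# so a replaced, added or removed file changes the output.
# cksum is a CRC: enough to notice a renewal, not a tamper check.
cert_fingerprint() {
    for f in "$1"/*; do
        [ -f "$f" ] && cksum "$f"
    done
    return 0
}

# Return 0 if the directory differs from the recorded state (or no state
# has been recorded yet), 1 if nothing changed.
certs_changed() {
    [ -f "$2" ] || return 0
    [ "$(cert_fingerprint "$1")" != "$(cat "$2")" ]
}

# Reload only when something changed. The state is recorded only after a
# successful reload, so a failed reload is retried on the next run.
reload_if_changed() {
    if certs_changed "$1" "$2"; then
        "$EJABBERDCTL" reload-config || return 2
        cert_fingerprint "$1" > "$2"
        echo reloaded
    else
        echo unchanged
    fi
}

# Invoke as "script --run" from cron or a certificate renewal hook.
if [ "${1:-}" = "--run" ]; then
    reload_if_changed "$CERT_DIR" "$STATE_FILE"
fi
```

Keep STATE_FILE outside CERT_DIR, otherwise the state file itself is matched by the glob and every run looks like a change.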