Blocky does not pick up the new certificate #1625
Comments
If using Blocky in Docker, you can use a restarter sidecar like:
I'm running blocky as a systemd service. I guess I can add a similar cron job that periodically restarts the blocky systemd service. It seems like a hassle, especially when other software dealing with SSL certificates (e.g. nginx) is able to use the up-to-date TLS certificates.
Certificate reloading is generally a pain in a non-cloud-native environment. Relying on a cron job is not sexy. Try considering systemd timers.
Can you clarify why certificate reloading is a pain? A quick search shows that the pattern of dynamically reloading SSL certificates is quite common:
The patch would require making sure that the certificate is loaded only when the file gets modified. The blocky codebase already indirectly depends on fsnotify:
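One way to do the reload discussed in the comment above, as an added example that is neither blocky's code nor anything posted in this thread: a `tls.Config.GetCertificate` hook that re-reads the PEM pair whenever the certificate file's mtime changes. It does one `os.Stat` per handshake instead of using fsnotify, so it needs only the standard library. The file names `fullchain.pem`/`privkey.pem`, the host name `dns.example.test` and the self-signed certificates the demo writes are constructed for the example. A handshake that lands on a half-written or otherwise unparsable renewal keeps serving the old pair rather than failing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader serves whatever PEM pair is on disk through tls.Config.GetCertificate,
// re-reading it when the cert file's mtime changes (one os.Stat per handshake, no fsnotify).
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	cert              *tls.Certificate
	modTime           time.Time
}

// GetCertificate stats first and parses second, so a file that changes in between is seen on the
// next handshake. A pair that fails to parse (half-written renewal, mismatched key) is ignored.
func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	st, err := os.Stat(r.certPath)
	if err == nil && !st.ModTime().Equal(r.modTime) {
		var cert tls.Certificate
		if cert, err = tls.LoadX509KeyPair(r.certPath, r.keyPath); err == nil {
			r.cert, r.modTime = &cert, st.ModTime()
		}
	}
	if r.cert == nil { // nothing usable loaded yet: surface the stat/parse error
		return nil, err
	}
	return r.cert, nil
}

// Demo scaffolding from here on: a constructed self-signed pair for dns.example.test stands in for
// the Let's Encrypt files, and mtimes are pinned so the demo is independent of filesystem timestamp granularity.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func writeFile(path string, b []byte, mtime time.Time) {
	must(os.WriteFile(path, b, 0o600))
	must(os.Chtimes(path, mtime, mtime))
}

func writeSelfSigned(certPath, keyPath string, notAfter, mtime time.Time) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dns.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	writeFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), mtime)
	writeFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), mtime)
}

// servedExpiry is the NotAfter a client handshaking right now would see.
func servedExpiry(r *certReloader) time.Time {
	c, err := r.GetCertificate(nil)
	must(err)
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	must(err)
	return leaf.NotAfter
}

// demo serves a pair expiring in a day, "renews" it on disk for 90 more days, then corrupts the
// cert file, returning the expiry served after each step.
func demo() (before, renewed, afterBroken time.Time) {
	dir, err := os.MkdirTemp("", "dot-reload")
	must(err)
	defer os.RemoveAll(dir)
	certPath, keyPath, now := dir+"/fullchain.pem", dir+"/privkey.pem", time.Now().Truncate(time.Second)
	writeSelfSigned(certPath, keyPath, now.Add(24*time.Hour), now)
	r := &certReloader{certPath: certPath, keyPath: keyPath}
	before = servedExpiry(r) // first call loads the pair; an unusable pair fails here
	writeSelfSigned(certPath, keyPath, now.Add(91*24*time.Hour), now.Add(time.Second))
	renewed = servedExpiry(r)
	writeFile(certPath, []byte("not a certificate"), now.Add(2*time.Second))
	afterBroken = servedExpiry(r)
	return
}

func main() { fmt.Println(demo()) }
```

Wiring it into a listener is `tls.Config{GetCertificate: r.GetCertificate}`; call `r.GetCertificate(nil)` once at startup so a bad initial pair fails fast instead of on the first client. Because `os.Stat` follows symlinks, a certbot-style `live/` symlink re-pointed at a new `archive/` file is seen as a changed mtime. If the listener takes enough handshakes that a stat each is noticeable, gate the check behind a "last checked" timestamp.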
It's a pain for ops, not developers. So thanks for the cloud-native environment.
For systemd it's much easier than Docker: you can use inotify or systemd.path to monitor file changes (https://www.freedesktop.org/software/systemd/man/latest/systemd.path.html). For those running blocky on Docker instead of systemd, you can even use systemd.path to restart the Docker service when the file changes on disk.
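A concrete form of the systemd.path approach from the comment above, as an added example rather than anything from the thread or the blocky project. It assumes blocky runs as `blocky.service` and that the configured certificate is `/etc/letsencrypt/live/dns.example.com/fullchain.pem`; both are placeholders to replace with your own unit name and the certFile from your blocky config:

```ini
# /etc/systemd/system/blocky-cert.path
[Unit]
Description=Restart blocky when its TLS certificate is replaced on disk

[Path]
# PathChanged= fires when the watched file is closed after writing or moved into place,
# so it covers both in-place rewrites and the write-then-rename most renewal tools use.
# Assumed path: use the certFile from blocky's own config.
PathChanged=/etc/letsencrypt/live/dns.example.com/fullchain.pem
Unit=blocky-cert.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/blocky-cert.service (oneshot, triggered by the path unit above)
[Unit]
Description=Restart blocky after a certificate renewal

[Service]
Type=oneshot
# A bare program name is looked up in systemd's fixed search path (systemd 239 and later).
ExecStart=systemctl restart blocky.service
```

Enable it with `systemctl enable --now blocky-cert.path`. For the Docker case from the same comment, point `ExecStart=` at `docker restart <container>` instead. Two caveats: with certbot the files in `live/` are symlinks into `archive/`, so check that the path unit really fires after a renewal on your system (touching the file is enough for a dry run, and `systemctl status blocky-cert.service` shows whether it ran) before relying on it; and a restart drops in-flight DoT connections, so this trades a brief blip at renewal time for the outage the issue describes.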
Is there a way to get blocky to pick up renewed certificate?
My blocky instance has run for roughly 3 months and the original Let's Encrypt SSL certificate expired. Blocky did not pick up the renewed certificate, becoming unavailable when serving DNS-over-TLS:
Blocky reports the old certificate expiry
After I restarted blocky:
which matches the certificate expiry date:
Could blocky automatically pick up new certificates with a long expiry date?
blocky's configuration: