SSL Certificate renewal #70
Comments
I have added instructions to LetSWICrypt that describe how to renew the certificate without root permissions, please have a look. Simply set up a cron job (as a regular user) that renews the certificate if necessary, and restart your server to load the new certificate. This leads to a short downtime every 2 months or so. Note also that you can use In 7.5, I may work on exchanging certificate and key for a running SSL server.
The new Pending comments from OpenSSL developers whether this is an officially supported way to update the certificate: openssl/openssl#2147. If this works as intended, then we only need a hook that provides access to the SSL context of an HTTPS server. Given the context, we can easily update the certificates. Such a hook is necessary in any case, to add further certificates etc., as discussed in #77.
All of this is solved in SWI-Prolog/packages-ssl#87, please try it out!
This is possible as of SWI-Prolog 7.3.34, and documented in the new section: You can use the predicates of Remarkably, this can all be implemented in a thread-safe way in SWI-Prolog, although the underlying OpenSSL library is not thread-safe for this use case!
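The cron-based approach described in the comment above, as an added example that is not code from this thread or from LetSWICrypt: a check an unprivileged user can run from cron that flags a certificate close to expiry (using `openssl x509 -checkend`) and, separately, detects that the certificate file on disk has changed since the server last loaded it, which is the signal for the restart. `CERT`, `STAMP`, `RENEW_CMD` and `RESTART_CMD` are hypothetical names to be pointed at your own paths, ACME client and server restart command; the certificate must be readable by the cron user for this to work at all.

```shell
#!/bin/sh
# Added example, not code from this issue thread or from LetSWICrypt.
# CERT, STAMP, RENEW_CMD and RESTART_CMD are hypothetical; set them to your own
# certificate path, marker file, ACME renewal command and server restart command.

# needs_renewal CERT DAYS
#   returns 0 if CERT expires within DAYS days, 1 if it stays valid, 2 if unreadable
needs_renewal() {
    cert=$1
    days=${2:-30}
    seconds=$((days * 86400))
    if [ ! -r "$cert" ]; then
        echo "needs_renewal: cannot read $cert" >&2
        return 2
    fi
    # openssl x509 -checkend exits 0 when the cert is still valid SECONDS from now,
    # and 1 when it will have expired by then.
    if openssl x509 -noout -in "$cert" -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_changed CERT STAMP
#   returns 0 if CERT is newer than the STAMP file (or STAMP does not exist yet)
cert_changed() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# Cron body: renew when close to expiry, restart only when the file actually changed.
# Runs only when invoked as "script.sh run", so the functions above can be sourced.
main() {
    cert=${CERT:-$HOME/letsencrypt/live/example.org/fullchain.pem}
    stamp=${STAMP:-$HOME/.cert-loaded}
    rc=0
    needs_renewal "$cert" 30 || rc=$?
    if [ "$rc" -eq 2 ]; then
        exit 1
    fi
    if [ "$rc" -eq 0 ]; then
        ${RENEW_CMD:-false} || { echo "renewal failed" >&2; exit 1; }
    fi
    if cert_changed "$cert" "$stamp"; then
        # brief downtime while the server restarts and loads the new certificate
        ${RESTART_CMD:-false} && touch "$stamp"
    fi
}
if [ "${1:-}" = run ]; then main; fi
```

Run it daily from the regular user's crontab with `run` as the argument; the stamp file means a restart happens only when the certificate file was actually replaced, not on every cron tick.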
Just set up a server using LetsEncrypt! Thanks to https://github.com/triska/letswicrypt that wasn't too hard. LetsEncrypt! certificates expire quickly though. Setting up automatic renewal of the certificates themselves isn't too hard, but how to update a (long) running server?
Ideally it would check the modification times of the certificates, but it can't because the LetsEncrypt! certificates are only readable by root and the server long lost the privileges to read them. I see two ways out:
chain are world readable (which is fine AFAIK as long as the private key is encrypted), it should be possible to update the SSL context used by the server without restart.
time the day before.