Re: [mosquitto-dev] Client certificate expiration handling
> > I'd like to ask how certificates and their expiration are handled in
> > mosquitto.
> >
> > Does mosquitto watch for changes to the certificate files defined in
> > mosquitto.config?
> >
> > How are the cert files handled by mosquitto? Are they loaded into memory
> > when mosquitto starts, with the physical files no longer consulted (until
> > mosquitto is restarted)?
>
> That is my impression.
>
> I find that when a cert is renewed, mosquitto must be restarted.
>
> > What will happen to a running client on 15/1/2000? Does it stop getting
> > data (since it is using expired certs)?
>
> It would arguably be correct for the *client* to close the connection to
> the server at the expiration of the cert used to authenticate it, but I
> haven't seen this happen.
>
> My experience is that mosquitto continues using the old cert, even if
> the new one has been in the filesystem for weeks. Connections that are
> open stay open, and new connections fail. Then I restart mosquitto and
> all is ok.
>
> > Do I need to restart mosquitto, so the new certificates are considered?
>
> Please do the experiment and report your results.
I have a similar observation, but I do a 'kill -HUP' to reload.
I do this once a week, to avoid the Let's Encrypt certificates expiring
without mosquitto knowing.
>
>
> It would be nice if mosquitto checked the cert file often enough for
> this to work and re-read it. postfix seems to do this. Many other
> programs do not.
>
> Options could include:
>
> stat certfile on every TLS negotiation
>
> stat certfile hourly
>
> something more complicated, like stat on TLS negotiation unless it was
> checked within the last hour, but stat is pretty cheap
Kurt
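
Kurt's weekly 'kill -HUP', applied only when the certificate file has actually changed, as an added example that is not part of this thread or of mosquitto itself. It assumes, as Kurt reports, that the broker in use re-reads its certfile on SIGHUP; the file paths in the usage comment and the 14-day warning window are assumptions. Rather than stat()ing the file as the quoted proposal suggests, it keeps a copy of the last-loaded certificate and compares contents, and it uses openssl's -checkend to flag a certificate that is about to expire without having been renewed, which is the situation the original question asks about.

```shell
#!/usr/bin/env bash
# Added example (not mosquitto's code): notice a renewed certificate file and
# send mosquitto the SIGHUP that Kurt describes, instead of reloading blindly
# once a week. Assumed broker behaviour: SIGHUP re-reads the certfile/keyfile
# named in mosquitto.conf. All paths below are hypothetical.
set -eu

# Return 0 when CERT differs from SNAPSHOT, the copy of the certificate that
# was in effect at the last reload (a missing snapshot counts as changed).
# Comparing contents instead of stat() mtime also catches a renewal that
# rewrote the file with a preserved timestamp.
cert_changed() {
    local cert="$1" snapshot="$2"
    if [ ! -f "$cert" ]; then
        echo "cert_changed: missing certificate file: $cert" >&2
        return 2
    fi
    [ ! -f "$snapshot" ] || ! cmp -s "$cert" "$snapshot"
}

# Remember which certificate the running broker has loaded.
record_loaded_cert() {
    local cert="$1" snapshot="$2"
    cp -p "$cert" "$snapshot"
}

# Ask the broker named by PIDFILE to reload; returns non-zero if there is no
# usable pid file or the process is gone.
reload_mosquitto() {
    local pidfile="$1" pid
    if [ ! -r "$pidfile" ]; then
        echo "reload_mosquitto: cannot read $pidfile" >&2
        return 1
    fi
    pid=$(tr -dc '0-9' < "$pidfile")
    if [ -z "$pid" ]; then
        echo "reload_mosquitto: $pidfile holds no pid" >&2
        return 1
    fi
    kill -HUP "$pid"
}

# Warn (and return 1) when the certificate expires within SECONDS, meaning
# renewal has not happened and clients will soon reject the broker.
# Needs openssl; silently skipped when it is not installed.
warn_if_expiring() {
    local cert="$1" seconds="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    if ! openssl x509 -in "$cert" -noout -checkend "$seconds"; then
        echo "WARNING: $cert expires within $seconds seconds and has not been renewed" >&2
        return 1
    fi
}

# usage: mosquitto-cert-reload.sh CERTFILE PIDFILE SNAPSHOT [WARN_SECONDS]
# e.g. mosquitto-cert-reload.sh /etc/mosquitto/certs/fullchain.pem \
#          /run/mosquitto/mosquitto.pid /var/lib/mosquitto/fullchain.loaded
main() {
    local cert="$1" pidfile="$2" snapshot="$3" warn_seconds="${4:-1209600}"  # 14 days
    if cert_changed "$cert" "$snapshot"; then
        reload_mosquitto "$pidfile"
        record_loaded_cert "$cert" "$snapshot"
        echo "certificate changed, SIGHUP sent to mosquitto"
    fi
    warn_if_expiring "$cert" "$warn_seconds"
}

# Only run when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it hourly from cron (the frequency the quoted proposal suggests) or from a certbot --deploy-hook; it exits non-zero when the expiry warning fires, so cron mail or a monitoring wrapper picks that up. Because only the contents of the public certificate are kept in the snapshot, no key material is copied.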