Hi,
Is it currently necessary to restart the controller if the public alternative certificate is renewed? We didn’t find a way yet to renew our Let’s Encrypt certs except for restarting the Ziti Controller. Is there a way to “gracefully” restart so that the connections aren’t just cut, but all entities expect the controller to go down and back up again?
Thanks
Dominik
That's a good question. I am sure the normal fields of the identity block are watched for changes, but I'm not sure if the alt certs are. I'll ask @andrew.martinez to have a look and comment. He knows that section of ziti best.
Can you confirm which version of the controller you are on?
In the most recent versions, as long as the cert/key, server cert/key, alt server cert/key are files, they should be watched. There are warning messages output if they cannot be for some reason on controller startup.
Once I have your version I can confirm if this is the same behavior in the version you are running. I know within the last year or so this was enabled for alt server certs/keys and there were some platform-specific bugs (I believe in Linux).
I was running v1.5.4 when the issue occurred. Now upgraded to v1.6.8 which probably means that the hot reload works? Will test, thanks