Reload controller to pick up new certs?

Is there a concept/process for restarting the controller or reloading it to pick up a new cert?

Assuming you’re not using a self-signed cert, and you have lifetimes shorter than a year, we need to be able to rotate the cert quite often, and restarting the service seems rather extreme?

There has been internal work to support such features in a generic capacity in shared libraries, but it hasn’t surfaced in all places. It would only support file:<path> configurations in its current form. Hardware-backed storage would need its own engine-backed implementation that has not been investigated. Additionally, mutating <pem>:<pem-cert/pem-key> is not currently supported. The goal was mainly aimed at routers and alternative server certificates. There are caveats and sharp edges to what you are asking about. I have a few questions if you don’t mind:

  1. Are you rotating the server_cert, cert, and/or alt_server_certs (defined here)?
  2. Are you looking to rotate the edge signing certificate?
  3. Are you additionally changing the root or intermediate CAs?
  4. Are you changing the paths the config points to or simply altering the file contents that the config points to?

  1. Rotating the server_cert/cert (they are the same in our case).
  2. No, we have that with a long lifetime.
  3. Nope.
  4. Nope, just recreating/writing the existing cert/key file.

Any updates on this?

Sorry @pixitha … Holiday season and it’s easy to miss following up… @andrew.martinez is out at least till tomorrow. Thanks for the bump. I’ll try to grab his attention on this one too.

FWIW, the process of restarting routers and controller is “very fast” so most likely, humans would never even notice a restart blip. That said, it’d certainly be friendly if the server just recognized the certs change and reloaded 'em.

No worries, I had forgotten about this issue until the cert expired again. Yeah right now we are just restarting the controller by hand as needed.

Any updates from @andrew.martinez?