Fix server cert reload #8030

Merged
merged 1 commit into from
Jul 2, 2021

shinrich
Member

@shinrich shinrich commented Jul 1, 2021

Noticed this while trying to reproduce the situation described in issue #4808. Updating a cert file in place that is referenced in the ssl_multi_cert.config file was doing nothing. The Secret file was not being cleared during the reload before the server cert reloading would occur. I believe this problem was introduced by PR #6609. I am surprised we haven't been hit by this. We must either be running our cert update plugin or restarting the process on each server cert update.

I added a test to exercise config reload with an updated server certificate file. We already had such a test for the client cert update.

While exercising this I noticed that you no longer need to touch the ssl_multi_cert.config file when only the referenced cert and key files are updated as described in issue #3931. I think that has been fixed for a while. The commit from @zizhong mentioned in the issue seems to be the logic that fixed it.
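
A check for the symptom described in the comment above, where a certificate file updated in place is not picked up by a reload: poll the listener and compare the leaf certificate it serves with the file on disk. This is an added example, not code from this PR or from the project's test suite; the function names, polling parameters and placeholder PEM bodies are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl
import time

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file.
    Assumes the leaf comes first; chain and key blocks are ignored."""
    m = _PEM_CERT.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def served_leaf_der(host, port, sni, timeout=5.0):
    """Leaf certificate the listener presents for this SNI name.
    Verification is off: the result is only compared, never trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def wait_for_reload(disk_pem, fetch, attempts=10, delay=1.0):
    """Poll fetch() until the served leaf matches the file on disk.
    Returns (matched, attempts_used, last_served_fingerprint)."""
    want = fingerprint(leaf_der_from_pem(disk_pem))
    got = None
    for n in range(1, attempts + 1):
        got = fingerprint(fetch())
        if got == want:
            return True, n, got
        time.sleep(delay)
    return False, attempts, got

def _pem(body):  # constructed placeholder, not a real X.509 certificate
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(body).decode()
            + "\n-----END CERTIFICATE-----\n")

OLD_PEM, NEW_PEM = _pem(b"constructed old leaf"), _pem(b"constructed new leaf")
```

Against a live listener, pass `lambda: served_leaf_der(host, port, sni)` as `fetch` after triggering the reload; a `False` result with the old fingerprint is the stale-certificate case.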

@shinrich shinrich added this to the 10.0.0 milestone Jul 1, 2021
@shinrich shinrich self-assigned this Jul 1, 2021
@shinrich shinrich requested a review from bryancall as a code owner July 1, 2021 21:42
@shinrich shinrich force-pushed the fix-server-cert-reload branch from 8485b7e to b7f6fa8 Compare July 1, 2021 22:14
@shinrich
Member Author

shinrich commented Jul 2, 2021

[approve ci autest]

@shinrich shinrich requested a review from randall July 2, 2021 15:06
@shinrich shinrich merged commit e7778c6 into apache:master Jul 2, 2021
@zwoop zwoop modified the milestones: 10.0.0, 9.2.0 Sep 23, 2021
moonchen pushed a commit to moonchen/trafficserver that referenced this pull request Mar 7, 2022
* asf/master: (763 commits)
  rate_limit: Add a global hook to rate limit concurrent connections based on SNI (apache#8021)
  Fix uri_signing unit test for out of source builds (apache#8040)
  tests: Add conditions for BoringSSL and OpenSSL (apache#8045)
  change debug tags and make sure sni is printed on certain logs (apache#7673)
  Doc build in CI: build English docs with -W (apache#8039)
  When loading async SSL configuration file fails, log SSL error (apache#8036)
  Doc build: treat warnings as errors only by default (apache#8038)
  For test async_engine, export all symbols (apache#8037)
  Fix the server cert reload (apache#8030)
  Treat Sphinx doc build warnings as errors. (apache#8033)
  Stablize trace curl test in good_request_after_bad (apache#8032)
  Doc: Update documentation to build cleanly in Sphinx 3. Require Sphinx 3 or better. (apache#7978)
  Docs: Fix pre-formatting for ratelimit plugin (apache#7986)
  Make it slightly harder to dump private keys to logs (apache#8029)
  tls_bad_alpn: Add an openssl version skip check (apache#8026)
  per thread jemalloc arena for MADV_DONTDUMP (apache#7501)
  Adds a new rm-destination, this lets you specify either QUERY or PATH, and be able to drop them from the incoming request (apache#8025)
  Fix HPACK eviction iterator manipulation (apache#8004)
  Do not invalidate cached resources upon error responses to unsafe methods (apache#7999)
  Cleanup SSLUtils (apache#8007)
  ...