etcd doesn't reload certs from disk when using ip address #9541
We should be able to release the patch in 3.2 and 3.3 next week.
When certificates change on disk, etcd should pick up new certificates on the next client/peer request. This does not always happen.

Based on the code here, if we set `Certificates` and `clientHello.ServerName` is empty (which is true when addressed via IP address), it will fall back to the first element of `Certificates` instead of calling `GetCertificate`. https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L716

According to this comment, the `Certificates` field needs to be set for integration tests to pass. I don't know why, but this is the cause of the issue. We should always be calling `GetCertificate` if certs should always be reloaded, never falling back to the certificate that was loaded at startup. #7784 (comment)
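The fallback described in the issue, as an added example that is not etcd's or Go's own code: a server config with both `Certificates` and `GetCertificate` set, handshaking with a client that sends no SNI, still presents the startup certificate, while a config with only `GetCertificate` presents the reloaded one. It assumes only the Go standard library; the handshake runs over an in-memory `net.Pipe`, so the server is pinned to TLS 1.2 (whose flights alternate strictly) to avoid a deadlock on the synchronous pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert; the CommonName tells the two apart (constructed test data).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: fixed local inputs
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// servedCN handshakes over an in-memory pipe with no SNI (what an IP-addressed client sends)
// and returns the CommonName of the certificate the server actually presented.
func servedCN(srvCfg *tls.Config) string {
	c, s := net.Pipe()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // a deadlock surfaces as an error, not a hang
	srvCfg.MaxVersion = tls.VersionTLS12           // net.Pipe is synchronous; TLS 1.2 flights alternate strictly
	go tls.Server(s, srvCfg).Handshake()
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true}) // ServerName left empty on purpose
	if err := cli.Handshake(); err != nil {
		return "handshake error: " + err.Error()
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName
}

func main() {
	startup, reloaded := selfSigned("startup-cert"), selfSigned("reloaded-cert")
	getCert := func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &reloaded, nil }
	// Buggy shape: Certificates filled at startup plus GetCertificate; with no ServerName, crypto/tls returns Certificates[0].
	fmt.Println("Certificates + GetCertificate:", servedCN(&tls.Config{Certificates: []tls.Certificate{startup}, GetCertificate: getCert}))
	// Fixed shape: leave Certificates empty so GetCertificate runs on every handshake.
	fmt.Println("GetCertificate only:          ", servedCN(&tls.Config{GetCertificate: getCert}))
}
```

Running it prints `startup-cert` for the first config and `reloaded-cert` for the second, which is the difference between a reload that silently does nothing and one that takes effect.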