Rdio Scanner is an open source software that ingest and distribute audio files generated by various software-defined radio recorders. Its interface tries to reproduce the user experience of a real police scanner, while adding its own touch.
GNU General Public License v3.0
422
stars
59
forks
source link
SSL certs are only loaded on startup and may expire unintentionally #345
When using the ssl_cert_file and ssl_key_file settings, Rdio Scanner appears to load the certificates only on startup and will continue to use them until the process is restarted. If a Rdio Scanner instance is running long enough, it can lead to situations where the https server and API access breaks due to the continued use of an expired certificate, even if the user has already provided updated certificate files in advance of expiration.
I am not using the ssl_auto_cert feature, but I suspect it has a similar issue. Should a Rdio Scanner instance run longer than the standard 90-day duration of a let's encrypt cert, it is likely to encounter problems on the 91st day without warning.
A simple workaround is to ensure that Rdio Scanner is restarted periodically (at least weekly) to refresh certificates, but there is currently no documentation or community discussion recommending this course of action to ensure uninterrupted ssl services.
While the downtime is minimal, this solution is not as desirable as the web server dynamically loading new certificates as they become available, or periodically attempting a renewal request with lets encrypt to keep ssl_auto_cert users up-to-date.
This issue was encountered on two seperate instances of Rdio Scanner 6.6.3 (docker edition) over the last few weeks. It is likely that the relatively fast development cycle of 6.x hid this initially, as the frequent pace of updates naturally caused Rdio Scanner to restart and reload new certificates. 6.6.3 has been exceptionally stable over the last six months, but it has also led to the discovery that long runtimes may lead to serving expired certs.
When using the
ssl_cert_fileandssl_key_filesettings, Rdio Scanner appears to load the certificates only on startup and will continue to use them until the process is restarted. If a Rdio Scanner instance is running long enough, it can lead to situations where the https server and API access breaks due to the continued use of an expired certificate, even if the user has already provided updated certificate files in advance of expiration.I am not using the
ssl_auto_certfeature, but I suspect it has a similar issue. Should a Rdio Scanner instance run longer than the standard 90-day duration of a let's encrypt cert, it is likely to encounter problems on the 91st day without warning.A simple workaround is to ensure that Rdio Scanner is restarted periodically (at least weekly) to refresh certificates, but there is currently no documentation or community discussion recommending this course of action to ensure uninterrupted ssl services.
While the downtime is minimal, this solution is not as desirable as the web server dynamically loading new certificates as they become available, or periodically attempting a renewal request with lets encrypt to keep
ssl_auto_certusers up-to-date.This issue was encountered on two seperate instances of Rdio Scanner 6.6.3 (docker edition) over the last few weeks. It is likely that the relatively fast development cycle of 6.x hid this initially, as the frequent pace of updates naturally caused Rdio Scanner to restart and reload new certificates. 6.6.3 has been exceptionally stable over the last six months, but it has also led to the discovery that long runtimes may lead to serving expired certs.