athoune
commented
3 years ago GetCertificate method, for just in time certificate read will only be used for new connections. Websocket will keep the connection opened for a long time.
Why do you care about certificate reload? paid certifcate are valid for years. If you choose to use LE, using a proxy like Traefik or Caddy (and sharing web with other applications) will be more simple. Integrating lego lib in galene is more robust than cron+certbot+kill -HUP.
tohojo
jech
This was initially reported by @tohojo.
Galène will automatically pick up any changes to its configuration files. It will not pick up a change to the TLS keys — the only way to rotate keys is to restart the server.
I can see two ways of doing graceful key rotation. The simple one is to stop the TLS listener and then start a new one; this will involve a couple of seconds of downtime, but will not interrupt currently connected users. The other one would be mutate the TLS configuration of the current listener (see
(*tls.Certificate).GetCertificate), as is done by the letsencrypt library.