processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Certificate is not loaded after config reload #4007

Open marek-mbiel opened 1 year ago

marek-mbiel commented 1 year ago


Environment

Bug description

Reload of certificate from valid to invalid seems not working.

  1. I have configured certfile: "/opt/ejabberd/conf/lx-rec-fss-01-ejabberd.pem" where the pem file was issued for a different host -> ejabberd was started with this config and the behavior is OK. The service is running and when reaching the Admin UI the secure connection is not established: "NET::ERR_CERT_COMMON_NAME_INVALID".
  2. Changed certificate "/opt/ejabberd/conf/lx-rec-fss-01-ejabberd.pem" to the correct one (renamed the invalid cert to a different name and renamed the proper cert to lx-rec-fss-01-ejabberd.pem) -> Config was reloaded and the new valid cert is accepted. When reaching the Admin UI the secure connection is established.
  3. Changed the certificate again to the invalid one and reloaded the config -> No impact, ejabberd is still using the cert from step 2.

Attachment: ejabberd.zip

I expect that once cert is updated although to wrong one, this one is used and not previous cached one.

Thank you. BR, Marek

badlop commented 1 year ago

In step 3, did you close and reopen the web browser? Do XMPP clients in step 3 receive the certificate from step 2?

marek-mbiel commented 1 year ago

@badlop Yes, I reopened browser (I also tried it in incognito window, but same result). Yes, clients received valid cert from step 2 (although already configured invalid cert from step 1).

badlop commented 1 year ago

I see. I got ejabberd using a valid certificate, then copied an expired certificate over it, and running ejabberdctl reload_config shows in the log:

2023-03-22 17:00:05.167789+01:00 [warning]
 Invalid certificate in
 /home/badlop/git/ejabberd/_build/relive/conf/cert.pem:
 at line 1: certificate is no longer valid as its expiration date has passed
2023-03-22 17:00:05.168572+01:00 [warning]
 Certificate in /home/badlop/git/ejabberd/_build/relive/conf/cert.pem (at line: 1)
 for localhost is expired

That new certificate isn't loaded, the old one is still being used.

This seems a feature that doesn't let distracted admins load expired certificates. However, you consider it a problem, because you are confident you want to load the new certificate...
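The two reasons ejabberd refuses the new file in this thread are exactly the checks an operator can run before calling reload_config: the certificate's validity window (the expired case in badlop's log) and whether it matches the host being served (the NET::ERR_CERT_COMMON_NAME_INVALID case in the report). The following is an added pre-flight checker written for this page; it is not ejabberd's own code and does not reproduce its internal validation. It assumes a PEM file that contains a CERTIFICATE block and a hostname supplied on the command line (xmpp.example.org below is a placeholder). The SelfSignedPEM helper only constructs fixtures so the checker can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckCertPEM parses the first CERTIFICATE block in pemData and returns a
// non-nil error if the certificate is outside its validity window at `now`
// or does not match `host` via its SAN entries (the two failure modes
// described in the issue: an expired file and a file issued for another host).
func CheckCertPEM(pemData []byte, host string, now time.Time) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block found in PEM data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("cannot parse certificate: %w", err)
	}
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("certificate not yet valid (NotBefore %s)", cert.NotBefore.UTC())
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("certificate expired on %s", cert.NotAfter.UTC())
	}
	// VerifyHostname checks the SubjectAltName DNS entries (wildcards included).
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate does not match host %q: %w", host, err)
	}
	return nil
}

// SelfSignedPEM builds a constructed self-signed certificate for dnsName that
// is valid between notBefore and notAfter. It exists only to produce test
// fixtures for CheckCertPEM; it is not a substitute for a real issuance process.
func SelfSignedPEM(dnsName string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Usage: go run certcheck.go /opt/ejabberd/conf/lx-rec-fss-01-ejabberd.pem xmpp.example.org
	// A non-zero exit means "do not run ejabberdctl reload_config yet".
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: certcheck <cert.pem> <hostname>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read error:", err)
		os.Exit(2)
	}
	if err := CheckCertPEM(data, os.Args[2], time.Now()); err != nil {
		fmt.Fprintln(os.Stderr, "REJECT:", err)
		os.Exit(1)
	}
	fmt.Println("OK: certificate is valid for", os.Args[2])
}
```

Run it against the PEM that is about to replace the live file and gate the reload on its exit status; a rejected file is caught before ejabberd silently keeps the previous certificate in memory, which is the surprise reported in step 3.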