I implemented a package that reloads the SSL cert once it is updated on disk. It is good for LetsEncrypt certs that might be automatically updated monthly.
Sample code:
```go
package main

import (
	"log"
	"time"

	"github.com/CossackPyra/pyrahttp"
)

func main() {
	// log.Println(http.ListenAndServeTLS(":7544",
	//     "/home/user/cert/game01.example.com/fullchain.pem",
	//     "/home/user/cert/game01.example.com/privkey.pem", nil))
	for {
		log.Println(pyrahttp.ListenAndServeLetsEncrypt(":7544",
			"/home/user/cert/game01.example.com/fullchain.pem",
			"/home/user/cert/game01.example.com/privkey.pem", nil))
		time.Sleep(time.Second * 5)
	}
}
```
My code is based on code from hydrogen18 http://www.hydrogen18.com/blog/stop-listening-http-server-go.html and the net/http package.

```
go get -u github.com/CossackPyra/pyrahttp
```
**Comments:**
mwholt:

threemux: An easier and safer way to do this would simply be to use the GetCertificate callback to cache the certificate and load the new one once its mod time/expiration time changes.

mwholt: Would you consider doing a short blog post or gist on this? I know I'd be interested in seeing the approach.

threemux: Sure, I'm almost done implementing it into Caddy, so when that is done I can get around to it.

bkeroack: Awesome - thanks!

mwholt: It's not clear whether that's called for every request (which would be horrible in terms of performance), or only once when first calling ListenAndServe(). The latter case is not useful because you still have to restart the server when the certificate changes.

bkeroack:
> It's not clear whether that's called for every request ... or only once when first calling ListenAndServe()

Neither; it's per-handshake.

> (which would be horrible in terms of performance)

Why? If you don't write a GetCertificate function, Go uses its own which even includes looping over mutations of the hostname. It's not "horrible" - just write reasonable code.

bkeroack: You're right. I should have written "could be horrible if you aren't careful".
pyratzu: http://www.hydrogen18.com/blog/stop-listening-http-server-go.html
That is a great blog post. Exactly what I was looking for when trying to figure out how to change certificates dynamically without restarting the application.
The "for loop" is not required. pyrahttp.ListenAndServeLetsEncrypt will return an error if an invalid certificate is provided. If you provide a valid certificate then it will reload without looping through the "for loop".
