Channel: HAProxy community - Latest topics

TLS cert hot-update for client cert?

@xugy wrote:

Hello,

Regarding "How to hot-update TLS certificates?": the TLS hot-update works well for server TLS certificates, and it is a great feature that meets our scenario.

But I found that set ssl cert does not work with a client cert, as the configuration below shows:

global
    log stdout local0
    stats socket /tmp/admin-1.sock level admin process 1 mode 0660 expose-fd listeners
    tune.ssl.default-dh-param 2048

defaults
    log global
    maxconn 3000
    mode http
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    option httplog
    option http-use-htx
    option redispatch
    option logasap

frontend myproxy
    bind :58080
    default_backend mybackend

backend mybackend
    server localserver 127.0.0.1:12345 ssl verify required ca-file /tmp/pem/ca.crt crt /tmp/pem/tls.pem force-tlsv13

With the command:

# echo -e "set ssl cert /tmp/pem/tls.pem <<\n$(cat /tmp/pem/tls.pem)\n" \
       | socat /tmp/admin-1.sock -
Can't replace a certificate which is not referenced by the configuration!
Can't update /tmp/pem/tls.pem

The questions are:

  1. Is hot-update of the client certificate supported, or did I miss some configuration?
  2. Is there a way to hot-update the ca-file for both the server (in the bind directive) and the client (in the server directive)?

Thank you very much!

Posts: 2

Participants: 2
