'Is there a way to update the TLS certificates in a net/http server without any downtime?

I have a simple https server serving a simple page like so (no error handling for brevity):

package main

import (
    "crypto/tls"
    "fmt"
    "net/http"
)

func main() {
    mux := http.NewServeMux()

    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        fmt.Fprintf(w, "hello!")
    })

    xcert, _ := tls.LoadX509KeyPair("cert1.crt", "key1.pem")

    tlsConf := &tls.Config{
        Certificates: []tls.Certificate{xcert},
    }

    srv := &http.Server{
        Addr:      ":https",
        Handler:   mux,
        TLSConfig: tlsConf,
    }

    srv.ListenAndServeTLS("", "")
}

I want to use a Let's Encrypt TLS certificate to serve the content over https. I would like to be able to do certificate renewals and update the certificate in the server without any downtime.

I tried running a goroutine to update the tlsConf:

go func(c *tls.Config) {
        xcert, _ := tls.LoadX509KeyPair("cert2.crt", "key2.pem")

        select {
        case <-time.After(3 * time.Minute):
            c.Certificates = []tls.Certificate{xcert}
            c.BuildNameToCertificate()
            fmt.Println("cert switched!")
        }

    }(tlsConf)

However, that doesn't work because the server does not "read in" the changed config. Is there anyway to ask the server to reload the TLSConfig?

gohttpswebserver


Solution 1:[1]

There is: you can use tls.Config’s GetCertificate member instead of populating Certificates. First, define a data structure that encapsulates the certificate and reload functionality (on receiving the SIGHUP signal in this example):

type keypairReloader struct {
        certMu   sync.RWMutex
        cert     *tls.Certificate
        certPath string
        keyPath  string
}

func NewKeypairReloader(certPath, keyPath string) (*keypairReloader, error) { 
        result := &keypairReloader{
                certPath: certPath,
                keyPath:  keyPath,
        }
        cert, err := tls.LoadX509KeyPair(certPath, keyPath)
        if err != nil {
                return nil, err
        }
        result.cert = &cert
        go func() {
                c := make(chan os.Signal, 1)
                signal.Notify(c, syscall.SIGHUP)
                for range c {
                        log.Printf("Received SIGHUP, reloading TLS certificate and key from %q and %q", *tlsCertPath, *tlsKeyPath)
                        if err := result.maybeReload(); err != nil {
                                log.Printf("Keeping old TLS certificate because the new one could not be loaded: %v", err)
                        }
                }
        }()
        return result, nil
}

func (kpr *keypairReloader) maybeReload() error { 
        newCert, err := tls.LoadX509KeyPair(kpr.certPath, kpr.keyPath)
        if err != nil {
                return err
        }
        kpr.certMu.Lock()
        defer kpr.certMu.Unlock()
        kpr.cert = &newCert
        return nil
}

func (kpr *keypairReloader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) { 
        return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
                kpr.certMu.RLock()
                defer kpr.certMu.RUnlock()
                return kpr.cert, nil
        }
}

Then, in your server code, use:

kpr, err := NewKeypairReloader(*tlsCertPath, *tlsKeyPath)
if err != nil {
    log.Fatal(err)
}
srv.TLSConfig.GetCertificate = kpr.GetCertificateFunc()

I recently implemented this pattern in RobustIRC.

Solution 2:[2]

I also found this nice implementation in the Kubernetes controller-runtime: https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/certwatcher/certwatcher.go

I would like to add my own answer based on a simple file polling implementation. I used this for reloading certificates delivered through Kubernetes Secrets.

import (
    "crypto/tls"
    "fmt"
    "os"
    "time"
)

type CertReloader struct {
    CertFile          string // path to the x509 certificate for https
    KeyFile           string // path to the x509 private key matching `CertFile`
    cachedCert        *tls.Certificate
    cachedCertModTime time.Time
}

// Implementation for tls.Config.GetCertificate useful when using
// Kubernetes Secrets which update the filesystem at runtime.
func (cr *CertReloader) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
    stat, err := os.Stat(cr.KeyFile)
    if err != nil {
        return nil, fmt.Errorf("failed checking key file modification time: %w", err)
    }

    if cr.cachedCert == nil || stat.ModTime().After(cr.cachedCertModTime) {
        pair, err := tls.LoadX509KeyPair(cr.CertFile, cr.KeyFile)
        if err != nil {
            return nil, fmt.Errorf("failed loading tls key pair: %w", err)
        }

        cr.cachedCert = &pair
        cr.cachedCertModTime = stat.ModTime()
    }

    return cr.cachedCert, nil
}

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Michael
Solution 2

Related Questions

Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authorization Required"

How to serve a Vue application over HTTPS for local development

Disable SSLHandshakeException for a single connection

URL containing the scheme but not the authority (hostname)?

.Net 6 Blazor app UseHttpsRedirection is causing many redirects

Using client certificates in ReactJS

How to log SSL handshake in node's https module

Nexus Docker Registry - Failling anonymous pull

GitHub authentication failing over https, returning wrong email address

Rails public folder items not available in production

Issues when using w3data.js

Nodejs tls proxy same port other protocol

Requests (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.") Error in PyCharm requesting website

Express Login With Redirect Using Node.js

Proxied IOS App doesn't send http/s requests? How are they fetching the data then?