package prosody
severity 690412 minor
thanks

Hi Josh,

Personally, I think this is a "wishlist" bug, but as I am
not the maintainer, and so as not to change the bug severity
too much, I'll only downgrade it to "minor"; I hope that's
okay with you.


That said, I think having to restart (or reload, see
below) a TLS/SSL server for a new certificate to take
effect is quite common. In fact, I'm not aware of any
server auto-detecting this?

Reasons include races: For example, prosody needs the main
certificate and the CA chain in the main file.  If the
admin does something like
        mv main_cert.pem /etc/ssl/...
        cat ca_chain.pem >>/etc/ssl/...
then there is a race where the server might read the
certificate (without the chain) between those two commands.

There are probably lots of other good reasons why this
should be kept explicit to the admin.


What can be seen as a problem: restart is closing all
connections. For an xmpp server this isn't really nice,
because users are affected. I can understand that very
well!

So letting "service prosody reload" (which reloads the
config, mostly) also reload the certificate would be much
better, IMHO. It wouldn't disturb existing users but get
the new certificate for new connections.

This isn't the default with prosody, but can be configured:

- You need reload_modules [1] installed and enabled (add it
  to modules_enabled).
- Add this to your config:
  reload_modules = { "tls" }

Now a "service prosody reload" will also reload
certificates.

That said, it might be good to document that somewhere. A
place that is somewhat easy to find.  TBH I don't know
which place would be appropriate.  README.Debian?  It's not
really Debian-specific after all.


If you still think that auto-detecting is a worthwhile
feature, I'd suggest asking upstream directly.


Cheers

    Elrond


[1] https://modules.prosody.im/mod_reload_modules.html
    Probably already included in the prosody-modules
    package.
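An added example (not part of the bug report above, nor prosody's own tooling) showing how an admin can avoid the read race the reply describes: the combined PEM file is assembled in a temporary file next to the destination and then swapped in with a single rename, so the server never reads a certificate without its chain. Paths and the PEM contents in demo() are constructed for illustration.

```shell
#!/bin/sh
# Atomic installation of main certificate + CA chain into one PEM file.
# A rename within the same filesystem is atomic, so readers see either the
# old file or the complete new one, never a half-written mix.
set -eu

# Count PEM certificate blocks in a file (sanity check on inputs/output).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# install_cert MAIN_PEM CHAIN_PEM DEST
# Writes MAIN_PEM followed by CHAIN_PEM to DEST in one atomic step.
# Refuses (and leaves DEST untouched) if either input has no certificate.
install_cert() {
    main=$1; chain=$2; dest=$3
    [ "$(count_certs "$main")" -ge 1 ]  || { echo "no cert in $main" >&2;  return 1; }
    [ "$(count_certs "$chain")" -ge 1 ] || { echo "no cert in $chain" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$dest")/.cert.XXXXXX")   # same directory as DEST
    cat "$main" "$chain" > "$tmp"                       # build the complete file first
    chmod 0640 "$tmp"                                   # key material should not be world-readable
    mv -f "$tmp" "$dest"                                # single rename: old or new, never partial
    # Afterwards, with reload_modules = { "tls" } in prosody's config,
    # "service prosody reload" picks up the new file for new connections.
}

# Constructed demonstration: fake PEM blocks stand in for real certificates.
demo() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMAIN\n-----END CERTIFICATE-----\n' > "$dir/main_cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCA1\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n' > "$dir/ca_chain.pem"
    install_cert "$dir/main_cert.pem" "$dir/ca_chain.pem" "$dir/prosody.pem"
    count_certs "$dir/prosody.pem"   # 3: the main cert plus both chain certs
}
```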
