package prosody
severity 690412 minor
thanks
Hi Josh,

personally, I think this is a "wishlist" bug, but as I am not the maintainer and to not change the bug severity too much, I'll only downgrade it to "minor", hope that's okay with you.

That said, I think having to restart (or reload, see below) a TLS/SSL server for a new certificate to take effect is quite common. In fact, I'm not aware of any server auto-detecting this? Reasons include races: for example prosody needs the main certificate and the CA chain in the main file. If the admin does something like

    mv main_cert.pem /etc/ssl/...
    cat ca_chain.pem >>/etc/ssl/...

then there is a race, where the server might read the certificate (without the chain) between those two commands. There are probably lots of other good reasons why this should be kept explicit to the admin.

What can be seen as a problem: restart is closing all connections. For an XMPP server this isn't really nice, because users are affected. I can understand that very well! So letting "service prosody reload" (which reloads the config, mostly) also reload the certificate would be much better, IMHO. It wouldn't disturb existing users but get the new certificate for new connections.

This isn't the default with prosody, but can be configured:

- You need reload_modules [1] installed and enabled (add it to modules_enabled).
- Add this to your config:

    reload_modules = { "tls" }

Now a "service prosody reload" will also reload certificates.

That said, it might be good to document that somewhere. A place that is somewhat easy to find. TBH I don't know which place would be appropriate. README.Debian? It's not really Debian specific after all.

If you still think that auto-detecting is a worthwhile feature, I'd suggest to ask directly upstream.

Cheers
Elrond

[1] https://modules.prosody.im/mod_reload_modules.html
    Probably already included in the prosody-modules package.
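The race Elrond describes (mv the certificate, then append the chain) leaves a window in which a server re-reading the file sees a certificate with no chain. As an added example that is not part of this mail or of prosody, the helper below builds the combined PEM in a temporary file in the target directory and renames it into place, so the file is either the old one or the complete new one; the file names, the install_cert/count_certs/demo helper names and the constructed PEM bodies are assumptions for illustration.

```shell
#!/bin/sh
# Atomic replacement of a combined "cert + CA chain" PEM file, so a server
# that re-reads the file (e.g. prosody after "service prosody reload" with
# reload_modules = { "tls" }) never observes the certificate without its chain.
set -eu

# install_cert CERT CHAIN TARGET
# Concatenates CERT and CHAIN into a temp file created in TARGET's directory
# (same filesystem), then renames it over TARGET. rename(2) is atomic, so a
# reader gets either the previous file or the complete new one, never a
# half-written one.
install_cert() {
    cert=$1; chain=$2; target=$3
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.cert.XXXXXX")
    cat "$cert" "$chain" > "$tmp"
    chmod 0644 "$tmp"          # adjust to what your server/user expects
    mv -f "$tmp" "$target"     # the atomic step
}

# count_certs FILE: number of PEM certificate blocks in FILE, as a sanity
# check that the chain really made it into the combined file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# demo: runs the helper on constructed (not real) PEM-shaped files in a
# scratch directory and prints the certificate count of the result.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-leaf\n-----END CERTIFICATE-----\n' \
        > "$d/main_cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-ca\n-----END CERTIFICATE-----\n' \
        > "$d/ca_chain.pem"
    install_cert "$d/main_cert.pem" "$d/ca_chain.pem" "$d/combined.pem"
    count_certs "$d/combined.pem"
    rm -rf "$d"
}
```

Once the combined file is in place this way, the reload described above picks it up for new connections without closing existing ones.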