Hello,
With regard to "How to hot-update TLS certificates?": the TLS hot-update works well for server TLS certificates, and it is a great feature for our scenario.
But I found that set ssl cert does not work with a client certificate, as the configuration below shows:
global
    log stdout local0
    stats socket /tmp/admin-1.sock level admin process 1 mode 0660 expose-fd listeners
    tune.ssl.default-dh-param 2048

defaults
    log global
    maxconn 3000
    mode http
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    option httplog
    option http-use-htx
    option redispatch
    option logasap

frontend myproxy
    bind :58080
    default_backend mybackend

backend mybackend
    server localserver 127.0.0.1:12345 ssl verify required ca-file /tmp/pem/ca.crt crt /tmp/pem/tls.pem force-tlsv13
With the following command:

# echo -e "set ssl cert /tmp/pem/tls.pem <<\n$(cat /tmp/pem/tls.pem)\n" \
    | socat /tmp/admin-1.sock -

the result is:

Can't replace a certificate which is not referenced by the configuration!
Can't update /tmp/pem/tls.pem
The questions are:
- Is hot-update of the client certificate supported, or did I miss some configuration?
- Is there a way to hot-update the ca-file for both the server side (in the bind directive) and the client side (in the server directive)?
Thank you very much!
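As an added illustration for this thread (not part of the original post and not HAProxy's own code), the script below drives the runtime certificate update as the two-step transaction the stats socket actually expects: "set ssl cert <path> <<" only stages the new PEM, "commit ssl cert <path>" applies it, and "abort ssl cert <path>" discards a staged transaction. It stops at the first reply that does not read as success, so a rejected stage such as the "Can't replace a certificate which is not referenced by the configuration!" reply quoted above is never followed by a commit. The socket and file paths are the ones from the post; the reply strings it matches ("Transaction created ...", "Success!") are the ones HAProxy's runtime API prints; the kind="ca-file" variant is an assumption that only holds on HAProxy releases whose "help" output lists "set ssl ca-file"; and ScriptedTransport is a constructed stand-in so the flow can be exercised without a running HAProxy.

```python
#!/usr/bin/env python3
"""Stage, commit (or abort) a TLS file over the HAProxy stats socket.
Added example for this thread; not HAProxy code and not from the original post."""
import socket
import sys


def build_set_cmd(cert_path: str, pem_text: str, kind: str = "cert") -> str:
    """Build "set ssl <kind> <path> <<" plus the PEM payload.

    In payload mode HAProxy reads everything after "<<" up to the first empty
    line, so the command must end with a blank line and the PEM must not
    contain one. kind="cert" stages a certificate; kind="ca-file" targets a
    CA bundle (assumption: only on releases whose `help` lists it).
    """
    body = pem_text.strip()
    if "-----BEGIN" not in body:
        raise ValueError("payload does not look like PEM")
    if "\n\n" in body:
        raise ValueError("an empty line inside the payload would end it early")
    return f"set ssl {kind} {cert_path} <<\n{body}\n\n"


def build_commit_cmd(cert_path: str, kind: str = "cert") -> str:
    return f"commit ssl {kind} {cert_path}\n"


def build_abort_cmd(cert_path: str, kind: str = "cert") -> str:
    return f"abort ssl {kind} {cert_path}\n"


def send_command(sock_path: str, cmd: str) -> str:
    """Send one command and read the reply until HAProxy closes the connection.

    Same exchange as `echo -e ... | socat <sock> -` in the post: write the
    command, half-close the socket, collect whatever comes back.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(cmd.encode())
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def staged_ok(reply: str) -> bool:
    # A staged file is acknowledged with "Transaction created for ...";
    # failures such as "Can't replace ..." / "Can't update ..." lack it.
    return "transaction created" in reply.lower()


def committed_ok(reply: str) -> bool:
    # A successful commit ends with "Success!".
    return "Success!" in reply


def hot_update(sock_path, cert_path, pem_text, transport=send_command, kind="cert"):
    """Stage, then commit; return (ok, replies).

    `transport(sock_path, cmd) -> reply` defaults to the real socket. If the
    commit is rejected, the staged transaction is aborted so it does not
    linger and block the next update of the same path.
    """
    replies = [transport(sock_path, build_set_cmd(cert_path, pem_text, kind))]
    if not staged_ok(replies[0]):
        return False, replies
    replies.append(transport(sock_path, build_commit_cmd(cert_path, kind)))
    if committed_ok(replies[1]):
        return True, replies
    replies.append(transport(sock_path, build_abort_cmd(cert_path, kind)))
    return False, replies


class ScriptedTransport:
    """Constructed stand-in for the stats socket (offline use only): answers
    from a table keyed by the first two words of the command and records
    every command it receives so a caller can check what was sent."""

    def __init__(self, replies):
        self.replies = replies
        self.sent = []

    def __call__(self, sock_path: str, cmd: str) -> str:
        self.sent.append(cmd)
        return self.replies.get(" ".join(cmd.split()[:2]), "Unknown command.\n")


if __name__ == "__main__":
    # usage: hot_update.py /tmp/admin-1.sock /tmp/pem/tls.pem [cert|ca-file]
    sock, path = sys.argv[1], sys.argv[2]
    kind = sys.argv[3] if len(sys.argv) > 3 else "cert"
    with open(path, encoding="ascii") as f:
        ok, out = hot_update(sock, path, f.read(), kind=kind)
    print("\n".join(r.rstrip() for r in out))
    sys.exit(0 if ok else 1)
```

Run it against the post's setup as `./hot_update.py /tmp/admin-1.sock /tmp/pem/tls.pem`; the exit status tells a deployment hook whether the new certificate is live, which a bare `echo | socat` does not.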