[BUG] Redis Does Not Automatically Reload Certificates When Certificate File Updates #8756

Description

@rjduffner

Describe the bug

We have short-lived certificates (30 days). We also have a background process that runs and updates the cert and key files within that time period so they remain valid. It looks like Redis does not notice that the file has changed and does not use the new certificate.

To reproduce

1. Start redis-server in TLS mode with a cert/key.
2. Using something like `openssl s_client -connect <redishost>:<redisport> 2>/dev/null | openssl x509 -noout -dates`, note the expiry dates.
3. Now, without restarting redis-server, update the file to a cert with newer expiry dates.
4. Using openssl again will still show the old expiry dates.

Expected behavior

Either Redis has a file watcher on the cert/key/ca files so that it reloads them if they change, or a command is added that forces a reload of the cert/key/ca files when requested.

Additional information

If the redis-server is restarted, the new cert/key/ca files will be read.

Sample Traceback

'cache.redis', {'exception_module': 'redis.exceptions', 'exception_class': 'ConnectionError', 'exception_msg': 'Error 1 connecting to <host>:<port>. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076).'}
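
A check for the symptom reported above, added here as an example (not part of the original issue and not Redis code): it compares the SHA-256 fingerprint of the leaf certificate in the cert file on disk with the one the running server presents, so a rotation that was never picked up shows as `stale`. The function names are this example's own, and it assumes the leaf is the first certificate in the file and that the server completes a handshake without a client certificate, as the `openssl s_client` step does.

```python
import hashlib
import socket
import ssl
import sys

_BEGIN = "-----BEGIN CERTIFICATE-----"
_END = "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate in a PEM file (assumed to be the leaf)."""
    start = pem_text.index(_BEGIN)  # ValueError if the file holds no certificate
    stop = pem_text.index(_END, start) + len(_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()


def served_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents, as DER bytes."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the served certificate may already be
    # expired (the failure in the traceback) and it is only fingerprinted here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def rotation_status(cert_file_pem: str, served_der: bytes) -> dict:
    """Compare the on-disk leaf with the served one; stale=True means no reload yet."""
    on_disk = leaf_fingerprint(cert_file_pem)
    served = hashlib.sha256(served_der).hexdigest()
    return {"on_disk": on_disk, "served": served, "stale": on_disk != served}


if __name__ == "__main__":
    # Usage: python check_reload.py <cert-file> <host> <port>
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path, encoding="ascii") as fh:
        status = rotation_status(fh.read(), served_leaf_der(host, port))
    print(status)
    sys.exit(1 if status["stale"] else 0)
```

Run after each rotation, a non-zero exit flags a server still presenting the previous certificate before clients start failing verification.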
