Describe the bug
We have short-lived certificates (30 days). We also have a background process that runs and updates the cert and key files within that time period so they remain valid. It looks like redis does not notice the file has changed and does not use the new certificate.
To reproduce
Start redis-server in TLS mode with a cert/key
Using something like, openssl s_client -connect <redishost>:<redisport> 2>/dev/null | openssl x509 -noout -dates, note the expiry dates.
Now without restarting redis-server, update the file to a cert with newer expiry dates.
Using openssl again will still show the old expiry dates.
Expected behavior
Either redis has a file watcher on the cert/key/ca files such that if they change it will reload or add a command that will force a reload of the cert/key/ca files when requested.
Additional information
If the redis-server is restarted, the new cert/key/ca files will be read.
Sample Traceback
'cache.redis', {'exception_module': 'redis.exceptions', 'exception_class': 'ConnectionError', 'exception_msg': 'Error 1 connecting to <host>:<port>. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076).'}
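Added example, not part of the original report or of the Redis code base: a Python check for the condition described above. It compares the SHA-256 fingerprint of the certificate the TLS port presents with the leaf certificate in the file on disk, which catches a stale certificate before clients start failing verification. The function names are hypothetical, and it assumes the server completes a handshake without a client certificate.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM string (the leaf of a chain file)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def rotation_status(served_pem, disk_pem):
    """Return 'current' if the server presents the on-disk leaf, else 'stale'."""
    if leaf_fingerprint(served_pem) == leaf_fingerprint(disk_pem):
        return "current"
    return "stale"


def check_redis_cert(host, port, cert_path):
    """Fetch the certificate the TLS port presents and compare it with cert_path."""
    # No CA bundle is passed, so the certificate is fetched without validation
    # and an already-expired one can still be inspected.
    served = ssl.get_server_certificate((host, port))
    with open(cert_path, encoding="ascii") as fh:
        return rotation_status(served, fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        status = check_redis_cert(host, port, path)
        print(f"{host}:{port} {status}")
        sys.exit(0 if status == "current" else 1)
    # Offline run with constructed stand-ins (not real certificates).
    old = ssl.DER_cert_to_PEM_cert(b"constructed-old")
    new = ssl.DER_cert_to_PEM_cert(b"constructed-new")
    print("old served, new on disk:", rotation_status(old, new))
```

Run after each rotation with host, port and certificate path as arguments; a non-zero exit means the running server still presents the previous certificate.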