If getssl detects that a remote certificate expires sooner than a saved local certificate, an upload is attempted. Then a server reload is performed.
Later in the same run, if getssl discovers that the remote certificate has a different domain list, a new CSR is created, the certificate is signed, and the server is reloaded again.
Besides being inefficient, this means that the initial local, stale certificate is used in the interval before the correct certificate is issued and installed.
This just happened to me in real life.
A glance at the code indicates a similar scenario if the key type(s) change: the saved/stale local certificate is uploaded, then the new one is generated and uploaded.
getssl should check the expiration date after verifying that the domain lists match.
It should only upload the local certificate if it determines that it will not generate a new one (for any reason).
Bottom line: Only local certificates matching the current specification should be uploaded. The RELOAD_CMD should be invoked at most once per certificate. (Of course, RELOAD_CMD itself may reload more than one server if so configured.)
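The ordering the issue asks for, written out as a small POSIX shell sketch. This is an added example, not getssl's own code: it assumes the domain lists, key types and expiry dates have already been extracted from the certificates (for example with `openssl x509 -noout -ext subjectAltName` and `-enddate`) and passed in as plain strings and epoch seconds; the function names `norm_domains`, `decide_action` and `apply_action`, the `RELOAD_COUNT` counter and the sample values are all hypothetical. Every reason for generating a new certificate is checked before any upload of the saved local one is considered, and the reload command runs at most once per decided action.

```shell
#!/bin/sh
# Added example (not getssl code): decide, for one certificate, whether to
# renew, upload the saved local cert, or do nothing, checking the current
# specification (domain list, key type, renewal window) BEFORE comparing expiry.

# Normalise a comma-separated domain list so order does not cause false mismatches.
norm_domains() {
  printf '%s\n' "$1" | tr ',' '\n' | sort | tr '\n' ',' | sed 's/,$//'
}

# decide_action WANTED_DOMAINS WANTED_KEYTYPE \
#               LOCAL_DOMAINS  LOCAL_KEYTYPE  LOCAL_EXPIRY \
#               REMOTE_DOMAINS REMOTE_KEYTYPE REMOTE_EXPIRY \
#               NOW RENEW_WINDOW
# Expiry, NOW and RENEW_WINDOW are epoch seconds. Prints: renew | upload | none
decide_action() {
  wanted_domains=$(norm_domains "$1"); wanted_keytype=$2
  local_domains=$(norm_domains "$3");  local_keytype=$4;  local_expiry=$5
  remote_domains=$(norm_domains "$6"); remote_keytype=$7; remote_expiry=$8
  now=$9; renew_window=${10}

  # 1. Any reason to generate a new certificate wins: a stale local cert
  #    (wrong domains, wrong key type, or inside the renewal window) is never uploaded.
  if [ "$local_domains" != "$wanted_domains" ] \
     || [ "$local_keytype" != "$wanted_keytype" ] \
     || [ $((local_expiry - now)) -lt "$renew_window" ]; then
    echo renew
    return 0
  fi

  # 2. Local cert matches the spec and is not due. Only now look at the remote
  #    side: upload if it is off-spec or expires sooner than the local copy.
  if [ "$remote_domains" != "$wanted_domains" ] \
     || [ "$remote_keytype" != "$wanted_keytype" ] \
     || [ "$remote_expiry" -lt "$local_expiry" ]; then
    echo upload
    return 0
  fi

  echo none
}

# Stand-in for RELOAD_CMD: counts invocations so the "at most once" rule is visible.
RELOAD_COUNT=0
reload_cmd() { RELOAD_COUNT=$((RELOAD_COUNT + 1)); }

# Carry out one decided action; exactly one reload for renew or upload, none otherwise.
apply_action() {
  case $1 in
    renew)  echo "generate CSR, sign, upload new certificate"; reload_cmd ;;
    upload) echo "upload saved local certificate";             reload_cmd ;;
    none)   echo "nothing to do" ;;
    *)      echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Constructed scenario from the issue: config now lists two domains, the saved
# local and the installed remote certificates both still carry only one, and the
# remote one expires sooner. The old order would upload the stale cert (reload),
# then renew (reload again); this order renews once.
action=$(decide_action "a.example.com,b.example.com" rsa \
                       "a.example.com" rsa 1800000000 \
                       "a.example.com" rsa 1700000000 \
                       1690000000 2592000)
apply_action "$action"
echo "reloads this run: $RELOAD_COUNT"
```

Because the expiry comparison sits last, the saved certificate is only ever pushed when it already matches what the configuration asks for, which is exactly the "only local certificates matching the current specification should be uploaded" rule.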