
PKI: changing certificates, keys, crls does not "regenerate" the on-disk certificates
Confirmed, Normal, Public, BUG

Description

When changing e.g. the CRL managed by the new PKI subsystem, the certificates and the services using these certificates are not "reloaded" or notified about the change.

When a cert is changed, the consuming service should be notified and reloaded to read in the new certificates.

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4-rolling
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to Confirmed. Sep 26 2021, 8:03 AM
c-po triaged this task as Normal priority.
c-po created this task.

Adding a few notes here:

  • The ideal behavior probably depends on which PKI elements are changed and what services depend on them.
  • E.g. OpenVPN does not require a server restart for a CRL change (see https://openvpn.net/community-resources/controlling-a-running-openvpn-process/), but changing the CA or server cert/key would require a restart.
  • It seems like there are some swanctl commands that can conditionally reload parts of the config too without taking all tunnels down.
  • The former might be useful if you need to renew server certs or something like that and want to do so with the minimal impact.

Those are probably all nice-to-haves, not table stakes. MVP would probably be to restart the daemon in all cases.
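As an added illustration of the behaviour discussed in this task (example code, not VyOS code and not from any commenter): PKI objects are written to disk atomically with the right file mode, a consumer is only notified when the on-disk content actually changed, and the notification per service follows the reload-versus-restart distinction from the notes above. The `POLICY` table, the `STATE_DIR` scratch directory, the `"reload-creds"` label (standing for `swanctl --load-creds`) and the service/object names are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Constructed scratch directory for this demonstration; VyOS has its own paths.
STATE_DIR = tempfile.mkdtemp(prefix="pki-demo-")

# Escalation order: a restart subsumes a credential reload, which subsumes "none".
RANK = {"none": 0, "reload-creds": 1, "restart": 2}

# Assumed per-service policy modelled on the notes above (not VyOS code): OpenVPN
# reads the CRL file on each client connect, so a CRL change needs no restart, while
# CA or server cert/key changes do; strongSwan can reload certs, keys and CRLs with
# 'swanctl --load-creds' ("reload-creds").
POLICY = {
    "openvpn": {"crl": "none", "ca": "restart", "certificate": "restart", "key": "restart"},
    "ipsec": {k: "reload-creds" for k in ("crl", "ca", "certificate", "key")},
}

def file_mode(name: str) -> int:
    return os.stat(os.path.join(STATE_DIR, name)).st_mode & 0o777

def write_if_changed(name: str, pem: str, mode: int = 0o644) -> bool:
    """Atomically write PEM to STATE_DIR/name; True only if the content really changed."""
    path, data = os.path.join(STATE_DIR, name), pem.encode()
    if os.path.exists(path):
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).digest() == hashlib.sha256(data).digest():
                os.chmod(path, mode)  # unchanged content; still enforce permissions
                return False
    fd, tmp = tempfile.mkstemp(dir=STATE_DIR)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, mode)
    os.replace(tmp, path)  # atomic rename: readers see the old or new file, never a partial one
    return True

def plan_actions(changed: set, consumers: dict) -> dict:
    """changed: PKI object names whose on-disk content changed; consumers: service -> {kind: name}.
    Returns the strongest action each service needs; unknown kinds fall back to a restart."""
    plan = {}
    for service, uses in consumers.items():
        action = "none"
        for kind, name in uses.items():
            if name in changed:
                candidate = POLICY[service].get(kind, "restart")
                if RANK[candidate] > RANK[action]:
                    action = candidate
        plan[service] = action
    return plan
```

Feeding the names returned as changed by `write_if_changed` into `plan_actions` gives the MVP "restart everything" behaviour when all policy entries are set to `"restart"`, and the finer-grained behaviour otherwise.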