
How to hot update the certificate and private key of the HTTPS server without restarting the server? The old ssl/tls certificate should be deleted. #2859

Closed
masx200 opened this issue Jul 17, 2020 · 10 comments

@masx200

masx200 commented Jul 17, 2020

Is your feature request related to a problem? Please describe.
Please describe the problem you are trying to solve.

How to hot update the certificate and private key of the HTTPS server without restarting the server?

For example, whenever the ssl/tls certificate expires soon, how to replace the hostname certificate specified by the HTTPS server with the correct new one?

Describe the solution you'd like
Please describe the desired behavior.

Describe alternatives you've considered
Please describe alternative solutions or features you have considered.

@bnoordhuis bnoordhuis transferred this issue from nodejs/node Jul 18, 2020
@bnoordhuis
Member

Look up server.addContext() in the tls docs, that's probably what you want to use.

@masx200
Author

masx200 commented Jul 18, 2020

https://github.com/nodejs/node/blob/2e6c3e2301cb443a72c3659fffa24815b4660815/lib/_tls_wrap.js#L1439

https://github.com/nodejs/node/blob/2e6c3e2301cb443a72c3659fffa24815b4660815/lib/_tls_wrap.js#L1420

After reading the source code, I found that when adding multiple ssl/tls certificates to the same domain name, the ones added later will not take effect; only the first one that meets the conditions will take effect. If the ssl/tls certificate expires, you need to replace the old one with a new one. The old ssl/tls certificate should be deleted. Using "addContext" will not solve the problem because the old one will still be used.

@masx200
Author

masx200 commented Jul 18, 2020

@bnoordhuis

@masx200 masx200 changed the title How to hot update the certificate and private key of the HTTPS server without restarting the server? How to hot update the certificate and private key of the HTTPS server without restarting the server? The old ssl/tls certificate should be deleted. Jul 18, 2020
@bnoordhuis
Member

If "update" means "replace", the answer is "you can't for technical reasons" - there's no good way to tell when it's safe to stop using the old key+cert because of existing clients and sessions. See nodejs/node#15115 (comment) for an SNI-based solution and nodejs/node#15115 (comment) for why that won't always work.

There are a bunch of workarounds but they all boil down to doing rolling restarts.

@TDurrr1

TDurrr1 commented Jul 20, 2020

This is the code I'm currently using. When the HTTPS key and/or certificate are overwritten while the server is running, this code will update them for the server without needing a reboot and without interrupting current connections:

const fs = require('fs');

let timeout;
// Watch the directory holding the key and certificate; every write in it
// schedules one reload, debounced so that both files are fully written first.
fs.watch(certFolder, (event, filename) => {
   clearTimeout(timeout);
   timeout = setTimeout(() => {
      // Swap the running server's key and certificate without restarting it;
      // connections already established keep using the old context.
      httpsServer.setSecureContext({
         key  : fs.readFileSync(keyPath).toString(),
         cert : fs.readFileSync(certPath).toString()
      });
      console.log('Secure context updated.');
   }, 5000);
});

certFolder is the directory where the key and certificate file are stored; keyPath and certPath are the paths to your key and certificate, respectively; and httpsServer is the server Node gives you when you call http.createSecureServer(options, handler).

The reason the call to setSecureContext is surrounded by timeout stuff is to debounce it, or keep it from being called too frequently. This prevents an issue where the key is overwritten and before your certificate finishes copying the secure context gets updated with the non-matching key-cert pair.

@masx200
Author

masx200 commented Jul 20, 2020

But for the case of using SNICallback to select the certificate, this will not work properly, because for the same domain name SNICallback will only be called once.

@masx200
Author

masx200 commented Jul 20, 2020

@TDurrr1

@masx200
Author

masx200 commented Jul 20, 2020

nodejs/node#34444

@github-actions

There has been no activity on this issue for 3 years and it may no longer be relevant. It will be closed 1 month after the last non-automated comment.

@github-actions github-actions bot added the stale label Jul 21, 2023
@github-actions

There has been no activity on this issue and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.
