Update SSL certificate on the fly

[naanlizard]

Is your feature request related to a problem? Please describe.
Downtime when updating an SSL certificate is bad for users.

Describe the solution you'd like
Some mechanism to update the SSL certificate while the server is live, without interrupting streams, would be ideal. Something like nginx -s reload basically

Describe alternatives you've considered
The only real alternative is scheduled maintenance once every 6 months for hard downtime, which we prefer to avoid.

[basisbit]

You'll have to restart your server for security updates more often than once every few months anyways, thus I suggest you to set up more than one edge server and use your loadbalancer to send the users to the desired server/servers.

[dimiden]

@naanlizard I agree that restarting daemon for TLS certificate replacement is not a good idea.
OME uses SIGHUP signal for config update (now only supports reloading logger.xml), and I will consider improving TLS certificate to reload when this signal occurs.

[naanlizard]

Is there any action on this? Any way I can help?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[naanlizard]

@getroot where in the priorities list is this? It's the last feature we're waiting on for feature parity with our current setup, and hopefully not terribly difficult. Even better if it automatically updates the cert if the file changes on the disk :)

Thanks for all the great work last year and here's hoping 2023 is very successful for Airensoft!

[getroot]

This feature is very low priority as it is needed about once a year and often restarts OME to update OvenMediaEngine. I will soon organize and share my priority tasks for 2023.
I wish you a happy year!

[naanlizard]

I guess we'll have to update our maintenance schedules for some planned downtime at least every few months, not the worst I suppose but not great

[getroot]

I haven't finalized the roadmap yet, but I expect this feature to be released in the second quarter of this year.

[naanlizard]

I'm hoping this one is next :) we're about to switch to only ome and it's the last thing missing

[getroot]

Have you tried this feature? I made it faster by raising the priority since you said you hope this feature will be next. :-)

[naanlizard]

We are in the middle of implementing it, we'll report back when we've used it. So far it seems good I think!

[getroot]

I just added an API to reload certificate files to master branch. This requires testing in a variety of environments. Please check if it works well.

This is provided by two APIs:

POST http[s]:/host[:port]/v1/vhosts:reloadAllCertificates
POST http[s]:/host[:port]/v1/vhosts/{vhost name}:reloadCertificate

If reloading fails, the previously loaded certificate will continue to be used, so the risk of calling the API is low. If reloading fails, a 500 error or 404 error will occur. In case of a 500 error, you can see more details through the server log (OvenMediaEngine.log).

[naanlizard]

FWIW, this has been working well. I realize I never replied here

[naanlizard]

Still works well!

Is it possible to add auto-reloading when the cert file changes? I'm not sure how easy or hard that is. We have a script that does it after the cert is regenerated, but it is a bit of a hack due to our infrastructure setup

[getroot]

There are ways to monitor files for changes, but I think it would be better to use external software rather than something built into OME.