View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005072||unreal||ircd||public||2018-02-24 17:30||2018-03-25 13:24|
|Summary||0005072: Cannot reload certificates using rehash -ssl or reloadtls|
|Description||While that feature seemed to work before, Unreal now seems incapable of reloading just the TLS certificates, whether it's told to by an operator using rehash -ssl, or from the command line with the reloadtls parameter.|
A full rehash was needed in order to renew the certificate.
|Tags||No tags attached.|
|3rd party modules|
Do you have any certificate-related options in your configuration file(s)?
Such as set::ssl::certificate, listen::ssl-options::certificate or any other xx:ssl-options::certificate?
If so, could you copy-paste those settings?
Were you locally connected as IRC Operator, so were you able to see any warnings/errors, did it just report success?
The only ssl settings are listen::options "ssl", and listen::ssl-options "certificate" and "key". The latter two match the path to the certificate and key files, respectively.
There are no errors in the log or in the SNotices, just the expected information:
*** [SSL rehash] Reloading all SSL related data (./unrealircd reloadtls)
But when connecting, the certificate is still the old one. A rehash as a local/remote oper is the only way to load the new certificate.
I've left the server in this "halfway" state, i.e. the new certificate is present in the right path, but not loaded, in case there is anything more you would like me to do in terms of diagnostics.
When you say "A rehash as a local/remote oper is the only way to load the new certificate." do you mean a regular '/REHASH' (not '/REHASH -ssl') does resolve the situation?
Yes, a regular rehash is necessary. '/REHASH -ssl' does not resolve the problem.
Ok, thanks. Yes that gives me enough to duplicate the problem and look into a fix. Will do so later. Thanks for your help :)
Author: Bram Matthys <email@example.com>
Date: Sun Mar 25 13:22:19 2018 +0200
Fix './unrealircd reloadtls' not reloading certificates/keys if
listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options
are used. In short: it only reloaded the ones from set::ssl until
now. Bug reported by Mr_Smoke (0005072)
I'll clarify in the release notes this also applied to '/rehash -ssl' of course.
Thanks for the report!
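
A post-reload check for the failure mode in this report, added here as an example (not code from the thread or from the UnrealIRCd project): it compares the leaf certificate each TLS listener actually serves with the file configured for that listener, so a port with its own ssl-options that kept the old certificate is flagged even when ports inheriting set::ssl were reloaded. The host name, ports and file names are hypothetical, the sample "certificates" are constructed byte strings, and the live fetch assumes the listener speaks TLS on connect.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM string (the leaf of a fullchain file)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()

def fetch_served_pem(host, port):
    """Certificate the listener presents right now; SNI is set to host, no chain validation."""
    return ssl.get_server_certificate((host, port))

def read_pem(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def stale_listeners(listeners, fetch=fetch_served_pem, read=read_pem):
    """Return the (host, port, cert_path) entries whose served leaf differs from disk.

    listeners holds one entry per TLS listen block, so a port with its own
    ssl-options is probed separately from ports that inherit set::ssl.
    """
    return [(host, port, path) for host, port, path in listeners
            if leaf_fingerprint(fetch(host, port)) != leaf_fingerprint(read(path))]

if __name__ == "__main__":
    # Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
    old = ssl.DER_cert_to_PEM_cert(b"constructed old certificate")
    new = ssl.DER_cert_to_PEM_cert(b"constructed new certificate")
    disk = {"set.pem": new, "listen.pem": new}   # both files renewed on disk
    served = {6697: new, 6698: old}              # 6698 kept its old certificate
    # Hypothetical host, ports and paths; for a live check pass the real
    # listen blocks and leave fetch/read at their defaults.
    listeners = [("irc.example.org", 6697, "set.pem"),
                 ("irc.example.org", 6698, "listen.pem")]
    for host, port, path in stale_listeners(
            listeners, fetch=lambda h, p: served[p], read=disk.__getitem__):
        print(f"STALE: {host}:{port} is not serving {path}")
```

Run it after every certificate renewal and reload; an empty result means every probed listener serves the certificate that is on disk.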
|2018-02-24 17:30||Le_Coyote||New Issue|
|2018-03-07 10:46||syzop||Note Added: 0020041|
|2018-03-07 10:46||syzop||Assigned To||=> syzop|
|2018-03-07 10:46||syzop||Status||new => feedback|
|2018-03-07 10:46||syzop||Note Edited: 0020041||View Revisions|
|2018-03-07 10:47||syzop||Severity||minor => major|
|2018-03-07 17:12||Le_Coyote||Note Added: 0020043|
|2018-03-07 17:47||syzop||Note Added: 0020044|
|2018-03-07 17:48||Le_Coyote||Note Added: 0020045|
|2018-03-08 09:30||syzop||Note Added: 0020046|
|2018-03-08 09:30||syzop||Status||feedback => acknowledged|
|2018-03-25 13:24||syzop||Status||acknowledged => resolved|
|2018-03-25 13:24||syzop||Resolution||open => fixed|
|2018-03-25 13:24||syzop||Note Added: 0020068|
|2018-03-25 13:24||syzop||Target Version||=> 4.0.18|