Oh. So that's what they meant by "variables support" in the ssl directives. I didn't realize the significance of that change when I read the changelog earlier today.
The original title for this item was "Nginx 1.15.9 adds support for dynamic certificate loading" which explains why this is interesting, but then someone edited it to the current less useful version ¯\_(ツ)_/¯
Mostly likely the certificates will stay in filesystem's cache because of the number of reads, and memcpy of some pages isn't a huge deal unless you're having 100K+ active and short-lived sessions per nginx instance.
Fair enough, but the server parses only the private key which is already well structured in any encoding. I haven't checked myself, but I believe correctness checks are ran on the reloading of a configuration.
You have a cache, if you SIGHUP the nginx process it'll reload the config and certificates on disk. With a simple script it is possible to SIGHUP when the certificate file is changed on disk.
I suppose you could do it if you placed them in a directory, and renamed that. But I don't think that's what Certbot does, I think it works by changing file symlinks individually.
Was thinking same, now that certs are free I tend to just use single domain certs but maybe that is not ideal? Suppose you could modify this[1] to mv / symlink dir as final step for multi domain certs.
https://github.com/h0l0gram/letsencrypt-utils/blob/master/le...
open takes a file path and gives you back a fd that doesn't know anything about fs paths (it tracks the underlying inode).
Thus, nginx may open(key) before the directory is renamed, and open(cert) afterwards. The first fd is now pointing to the old key, while the second fd points to the new cert.
The actual problem is you can't atomically replace a directory with another one. You have to do tricks where you have a symlink to the real directory and atomically replace the symlink with a new symlink to the new directory.
Another comment pointed out though that most of the time you only need to update the cert, and not the key. So it's mostly a moot issue..
You don't need to atomically replace 2 files. Renewing the certificate does not entail changing the private key, so unless you toss away the private key yourself you won't get a mismatched key and certificate situation.
It only needs to update the certificate, a single operation, which can be done atomically. Certificates are also renewed ahead of time so a previous connection still having the old cert is not an issue.
I read through the codebase and can't assert that couldn't happen... wasn't sure if the ngx_http_ssl_certificate callback could be executed after a point where any of the client-controlled variables from [1] are defined.
Who needs Russian spyware engine X when we now have American Build High Performance Caddy where you can actually get prosecuted if you try to spy on your users without declaring it upfront!
We shouldn't use why software coming out of Russia
Probably that's the version that introduced the poll API. They developed it on Win10, then noticed oh it should work on Vista. Tested it [maybe] and put it in the changelog. (And probably they have nginxplus customers that need Vista support?)
40 comments
[ 3.3 ms ] story [ 84.6 ms ] threadNoticed via https://hackernewstitles.netlify.com/
Of course that's a thing.
What if your ACME client is updating the certificate and private key when an nginx connection comes in?
You can't atomically update both files, right? So nginx will potentially see a mismatched key and certificate?
:\
I hope it's guarded by SIGHUP, like sibling comment suggests.
Edit: it does. Just use that instead of messing with separate files
open takes a file path and gives you back a fd that doesn't know anything about fs paths (it tracks the underlying inode).
Thus, nginx may open(key) before the directory is renamed, and open(cert) afterwards. The first fd is now pointing to the old key, while the second fd points to the new cert.
Another comment pointed out though that most of the time you only need to update the cert, and not the key. So it's mostly a moot issue..
It only needs to update the certificate, a single operation, which can be done atomically. Certificates are also renewed ahead of time so a previous connection still having the old cert is not an issue.
[1] - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#vari...
We shouldn't use why software coming out of Russia
http://nginx.org/en/docs/windows.html