user3742227

Reputation: 435

Is it possible to update an SSL cert without restarting the server?

I'd like to update SSL certificates on a Node.js http2 server without restarting (to avoid any downtime). Also, I don't want to use any 3rd-party modules for this work, only pure Node.js. Is it possible?

Right now, when the certificate is about to expire, I just restart the script.

const fs = require('fs');
const https = require('http2');
const server = https.createSecureServer({
  ca: fs.readFileSync('chain.pem'),
  cert: fs.readFileSync('cert.pem', 'utf8'), // fullchain
  key: fs.readFileSync('privkey.pem', 'utf8'),
  allowHTTP1: true,
});
server.listen(443);

I expect to be able to watch whether the cert files were updated (using fs.watch(), for example) and to update the certificates in the http2 server on the fly...

Upvotes: 8

Views: 6517

Answers (2)

user3742227

Reputation: 435

As mentioned by Jake, setSecureContext() does the magic. It seems it can update the certificate without breaking current connections. Something like:

const fs = require('fs');
setTimeout(function () {
  // re-read the renewed files and swap them into the running server
  server.setSecureContext({
    ca: fs.readFileSync('chain.pem'),
    cert: fs.readFileSync('cert.pem', 'utf8'), // fullchain
    key: fs.readFileSync('privkey.pem', 'utf8')
  });
}, 86400000); // fires once, 24 h (in ms) after startup

Upvotes: 8

Kenzoid

Reputation: 294

Yes, you can just use SNICallback():

const fs = require('fs');
const tls = require('tls');
const https = require('http2');
const readCertOptions = () => ({
  ca: fs.readFileSync('chain.pem'),
  cert: fs.readFileSync('cert.pem', 'utf8'), // fullchain
  key: fs.readFileSync('privkey.pem', 'utf8'),
});
const server = https.createSecureServer({
  ...readCertOptions(),
  allowHTTP1: true,
  SNICallback: (servername, cb) => {
    // here you can even change up the `SecureContext`
    // based on `servername` if you want
    // the callback expects a tls.SecureContext; building it from the
    // current files means every new handshake picks up a renewed cert
    // (cache the context in production instead of re-reading per handshake)
    cb(null, tls.createSecureContext(readCertOptions()));
  }
});
server.listen(443);

This may be a bit outdated, so try it out and ask me if anything doesn't work, because the solution source code that I found here is a bit different.

Upvotes: 4
