How to automatically reload updated SSL certificates in Node.js Application

Question

I created nodejs application and I'm using Lets Encrypt SSL certificates. Following is my Code

var express = require(‘express’);
var https = require(‘https’);
var fs = require(‘fs’);
var option = {
    key: fs.readFileSync(‘/etc/letsencrypt/live/$DOMAIN/privkey.pem’),
    cert: fs.readFileSync(‘/etc/letsencrypt/live/$DOMAIN/fullchain.pem’)
};
const app = express();
app.use((req, res) =>
{
    res.end(‘Hello World’);
});

https.createServer(option, app).listen(8000);

I have used pm2 to start this application using following command

sudo pm2 start app.js --watch

I am updating SSL certificates by using following cronjob

0 8 * * * sudo certbot renew

I want to reload SSL certificates automatically whenever certbot renews SSL certificates. How can I achieve this?

Answer 1

For those of us who can't afford to or would rather not restart our servers to reload certs and that aren't comfortable with Dylan Landry's SNI-based approach, there has been a purpose-built way of doing this built into node for a while now, via server.setSecureContext (where server is a standard node https server instance). See snippet below:

const app = express();

function readCertsSync() {
    return {
        key: fs.readFileSync(sslKeyPath),
        cert: fs.readFileSync(sslCertPath) + fs.readFileSync(sslFullChainPath)
    }
}

let httpd = https.createServer(readCertsSync(), app).listen(port, onReady);

// Refresh httpd's certs when certs change on disk. The timeout stuff 
// "ensures" that all 3 relevant files are updated, and accounts for 
// sometimes trigger-happy fs.watch.
let waitForCertAndFullChainToGetUpdatedTooTimeout;
fs.watch(sslKeyPath, () => {
    clearTimeout(waitForCertAndFullChainToGetUpdatedTooTimeout);
    waitForCertAndFullChainToGetUpdatedTooTimeout = setTimeout(() => {
        httpd.setSecureContext(readCertsSync());
    }, 1000);
});

The fs.watch and timeout code is admittedly a bit clunky and can be improved using something like chokidar and some more expansive logic to monitor the state of all 3 relevant files. I chose to keep things simple to focus on the interesting bit: setSecureContext.

For reference, see https://nodejs.org/api/tls.html#tls_server_setsecurecontext_options

Also, credit goes to nolimitdev who came up with most of this before setSecureContext was even a thing.

Answer 2

You can use the flag --post-hook to restart your application after every renewal.

certbot renew --post-hook "pm2 restart app_name"

Update #1

Please note that the command we are running is in crontab and any global program has to be referenced with the full path. You can use the which command to find the executable file path for the command.

Answer 3

You can reload the new certs without restarting your server.

According to the issue Reload certificate files of https.createServer() without restarting node server #15115 , specifically this comment from mscdex:

FWIW you can already do this with SNICallback():

const https = require('https');
const tls = require('tls');
const fs = require('fs');
var ctx = tls.createSecureContext({
  key: fs.readFileSync(config.sslKeyPath),
  cert: fs.readFileSync(config.sslCrtPath)
});
https.createServer({
  SNICallback: (servername, cb) => {
    // here you can even change up the `SecureContext`
    // based on `servername` if you want
    cb(null, ctx);
  }
});

With that, all you have to do is re-assign ctx and then it will get used for any future requests.

Using the example above, you just need to do fs.readFileSync again on the cert path from within the SNICallback and attach them to the ctx object. But, you only want to do this when you know they've just changed. You can watch the files from javascript for changes. You can use fs.watch() for that or something from npm.