[gnutls-help] TLS-Server with Let’s Encrypt

Mario Lombardo ml at tocario.com
Thu Aug 2 17:47:30 CEST 2018

Hi gnutls team,

I’m looking for a way how to use gnutls for a TLS server in combination with Let’s Encrypt. As the validity of those certificates is just a couple of weeks, I would like to replace the current server key by new ones without restarting the server.

The implementation is basically like this:
// create credstore
// load x509 key pair
gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
// install signal handler
signal(SIGUSR1, signal_handler);

Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.

The only solution I found (yet) is to free the credstore and allocate a new one (then read new keys). This has some downsides, as the server is not working anymore if there is something wrong with the key pair, because I already freed the existing credstore (here ctx->tls_x509_cred). And even this is the only way to proceed…do I need to block any incoming connections in the meantime? How long (in the process of the handshake) is blocking required (in other words: do I need to track if there are existing sockets in the handshake phase or is this safe as long as one handshake try for non-blocking sockets was done)?

Is there any reference code/function to replace a key pair? I had a look into the apache2 module but as it seems, this module does not support a certificate change on reload.

Any hints are welcome.

Thank you.


More information about the Gnutls-help mailing list