[Libwebsockets] Reconfigure vhost with certificates.
andy at warmcat.com
Thu Jun 10 20:47:35 CEST 2021
On 6/10/21 6:48 PM, sas spss wrote:
> Popular SSL certificate services like LetsEncrypt.org require
> renew/update of SSL certificate every 60 - 90 days. Is there a better
> way to reload the new certificate without affecting existing connections ?
> Restarting server or calling lws_vhost_destroy() kills all existing
> connections and can cause bad user experiences. Is it possible to
> create a new SSL context with the new certificate and then use this new
> SSL context to accept and serve new connections ? Thanks.
I haven't tried it in a while, but there is an lws feature "context
It's implemented in lwsws, that forks on init to leave a "dumb" root
parent process with no IO, and forks an unprivileged child process to do
the actual serving.
If you send a SIGHUP at the root, monitoring parent process
It passes a SIGHUP to its children, causing their lws_context to be
marked as "deprecated"... it means, they close their listening sockets
and continue to run with existing clients until they all close, at which
time the deprecated context will finish and destroy itself and the child
Shortly after the SIGHUP to the children, the root process forks and
starts a new server process from scratch with a new lws_context and it
can take over the listen sockets then.
That is all the stub root parent process knows to do, it does not accept
any command except SIGHUP.
So there is a situation that existing clients can continue on for the
short or medium term (until something kills their connection, eg, cert
expiry), while new clients connect to listen sockets owned by the newer
More information about the Libwebsockets