[Libwebsockets] Reconfigure vhost with certificates.
Andy Green
andy at warmcat.com
Thu Jun 10 20:47:35 CEST 2021
On 6/10/21 6:48 PM, sas spss wrote:
> Popular SSL certificate services like LetsEncrypt.org require
> renew/update of SSL certificate every 60 - 90 days. Is there a better
> way to reload the new certificate without affecting existing connections?
>
> Restarting server or calling lws_vhost_destroy() kills all existing
> connections and can cause bad user experiences. Is it possible to
> create a new SSL context with the new certificate and then use this new
> SSL context to accept and serve new connections? Thanks.
I haven't tried it in a while, but there is an lws feature "context
deprecation".
https://libwebsockets.org/git/libwebsockets/tree/include/libwebsockets/lws-context-vhost.h?h=main#n945-968
It's implemented in lwsws, which forks on init to leave a "dumb" root
parent process with no IO, and forks an unprivileged child process to do
the actual serving.
If you send a SIGHUP to the root, monitoring parent process
https://libwebsockets.org/git/libwebsockets/tree/lwsws/main.c?h=main#n215
it passes a SIGHUP to its children, causing their lws_context to be
marked as "deprecated"... it means they close their listening sockets
and continue to run with existing clients until they all close, at which
time the deprecated context will finish and destroy itself and the child
process exits.
Shortly after the SIGHUP to the children, the root process forks and
starts a new server process from scratch with a new lws_context and it
can take over the listen sockets then.
https://libwebsockets.org/git/libwebsockets/tree/lwsws/main.c?h=main#n105
That is all the stub root parent process knows to do; it does not accept
any command except SIGHUP.
So there is a situation where existing clients can continue on for the
short or medium term (until something kills their connection, e.g., cert
expiry), while new clients connect to listen sockets owned by the newer
process.
-Andy
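The deprecation behaviour described above, modelled in plain POSIX sockets as an added example (this is not libwebsockets or lwsws code): `struct ctx`, `ctx_deprecate()` and `ctx_service()` are stand-ins for an lws_context, its SIGHUP handling and its service loop. Deprecating closes the listen socket so a fresh process can bind the same port, keeps the already-connected clients, and only reports "finished" once the last client has hung up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_CLIENTS 8

/* Minimal stand-in for an lws_context: one listen socket plus live client fds. */
struct ctx {
    int listen_fd;                /* -1 once deprecated */
    int clients[MAX_CLIENTS];
    int n_clients;
    bool deprecated;
};

/* Bind a TCP listener on 127.0.0.1; port 0 lets the kernel pick a free port. */
int open_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) || listen(fd, 8)) {
        close(fd);
        return -1;                /* e.g. EADDRINUSE: old listener still open */
    }
    return fd;
}

uint16_t listener_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    return getsockname(fd, (struct sockaddr *)&sa, &len) ? 0 : ntohs(sa.sin_port);
}

/* Deprecation (what SIGHUP triggers in the child): stop accepting by closing
   the listener, but keep serving the clients that are already connected. */
void ctx_deprecate(struct ctx *c) {
    if (c->listen_fd >= 0) { close(c->listen_fd); c->listen_fd = -1; }
    c->deprecated = true;
}

/* One service pass: drop clients whose peer has hung up (peek returns 0).
   Returns true once a deprecated context has no clients left and may be destroyed. */
bool ctx_service(struct ctx *c) {
    for (int i = 0; i < c->n_clients; ) {
        char b;
        ssize_t n = recv(c->clients[i], &b, 1, MSG_DONTWAIT | MSG_PEEK);
        if (n == 0) { close(c->clients[i]); c->clients[i] = c->clients[--c->n_clients]; }
        else i++;
    }
    return c->deprecated && c->n_clients == 0;
}
```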