Reload TLS certificates if they change

[aleho]

• I already searched past issues
• I already checked the wiki/TODO page

Is your feature request related to a problem? Please describe.

I'm using Let's Encrypt certificates with auto-renewal (for the webserver and Haraka). When a certificate changes, Haraka doesn't reload the file, resulting in frequently invalid certificates.

Describe the solution you'd like

Add a file watcher similar to config files to the TLS certificate files.

Describe alternatives you've considered

A systemd timer / cronjob to periodically restart Haraka with a matching frequency would probably work as certificates are renewed weeks before they expire. Currently in our infrastructure it's not possible to restart Haraka when a certificate is auto-renewed.

[msimerson]

We already hot reload the config files, this is a good feature request.

[aleho]

Thank you!

In the meantime I'm using a small CMD script (I'm running Haraka in a container), but sorry, I'm neither a Python nor a Node dev. 😁

The challenge here is that Haraka doesn't "understand" (I'm not expecting it to though) the file structure Caddy uses for certificates. So I have to find and cat them anyway.

$ ls -l certificates/local/test.localhost
test.localhost.crt
test.localhost.json
test.localhost.key

---

# find all certificates created by Caddy and cat them into to file expected by Haraka
for cert in $(find /certificates -name "*.crt"); do
    key=$(echo $cert | sed -e 's/.crt$/.key/')

    if [ -f "$cert" ] && [ -f "$key" ]; then
        target=/haraka/config/tls/$(basename $cert | sed -e 's/.crt$/.pem/')
        cat $key $cert > $target
        echo "Built certificate file $target"
    fi
done

# default certificate files (first found wins)
for cert in $(find /certificates -name "*${SITE_HOST}.crt"); do
    key=$(echo $cert | sed -e 's/.crt$/.key/')

    if [ -f "$cert" ] && [ -f "$key" ]; then
        cp $cert /haraka/config/tls_cert.pem
        cp $key  /haraka/config/tls_key.pem
        echo "Copied $cert as default for tls.ini"
    fi

    break
done

# run watcher in background to detect changes to /certificates
/opt/certificate_watcher/venv/bin/python /opt/certificate_watcher/run.py /certificates &

exec /usr/local/bin/haraka -c /haraka

#!/usr/bin/python3

import os
import signal
import sys
import time
from inotifyrecursive import INotify, flags


if not len(sys.argv) > 1:
    print("Target directory required")
    sys.exit(1)

DIR = sys.argv[1]
print(f"Watching for file changes on directory {DIR}")
inotify = INotify()
watch = inotify.add_watch_recursive(DIR, flags.CREATE | flags.DELETE | flags.MODIFY | flags.DELETE_SELF)


def stop_watching():
    inotify.rm_watch_recursive(watch)

def shutdown():
    stop_watching()
    inotify.close()


try:
    while True:
        isStopping = False

        for event in inotify.read():
            print(f"inotify event in certificate file {event.name}")
            stop_watching()

            # wait a little bit, some files might get written by Caddy
            time.sleep(10)

            print('Sending SIGTERM to PID 1')

            try:
                # with exec in the CMD script PID 1 should be Haraka
                os.kill(1, signal.SIGTERM)
            except OSError:
                print(f"Failed to send SIGTERM signal to PID 1")
            finally:
                isStopping = True
                break

        if isStopping:
            break

except KeyboardInterrupt:
    print(f"Removing watch on directory {DIR}")

finally:
    inotify.close()