nginx_proxy: make existing "cert update watcher" script cron.daily instead of cron.hourly? #3128

Closed
thegareth opened this issue Jul 8, 2023 · 1 comment

thegareth commented Jul 8, 2023

Describe the issue you are experiencing

I use step-ca to issue certs for my internal sites, and it issues very short-lived certs of 1 day, rather than the 90 days you'd get via Let's Encrypt.

I currently handle that by triggering a service reload to make it notice the change, but that creates a brief outage while that happens.

I was digging around in the plugin, and I noticed that it does check for the certs being updated, using file date operations, making it very efficient (nginx_proxy/rootfs/etc/periodic/daily/check_certificate_renewal).

If I just relied on that 'daily' seamless reload, I could experience short periods where the certificate expires, because it was renewed 30 minutes prior to the reload script running...

If that efficient script was hourly instead of daily, I'd not have to manually restart the nginx service at all, and could run the heavier cert renew operation every 6 hours... with no downtime to the frontend.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

NGINX Home Assistant SSL proxy

What is the version of the add-on?

3.5.0

Steps to reproduce the issue

  1. Use a short-lived CA to retrieve a cert (that lasts 24 hours).
  2. Rely on the existing daily reload mechanism (nginx_proxy/rootfs/etc/periodic/daily/check_certificate_renewal).
  3. Experience a race condition where the certificate wasn't updated in time, and the certificate expires.

System Health information

There are currently no repairs available

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

If this was acceptable I could likely do a PR for it.
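The timing race described in this issue can be modelled as follows. This is an added example, not part of the issue or the add-on's code: it uses the figures from the issue (24-hour certificates, renewal every 6 hours, a daily versus an hourly watcher) and assumes a fixed renewal cadence and a watcher that reloads nginx only when the certificate file on disk is newer than the loaded one.

```python
"""Model of the reload race from the issue (constructed, times in minutes)."""

DAY, HOUR = 24 * 60, 60


def expired_minutes(lifetime, renew_every, check_every, check_offset, horizon):
    """Minutes within [0, horizon) during which nginx serves an expired cert.

    Assumptions: a renewal job writes a fresh cert at t = 0, renew_every, ...;
    the watcher runs at check_offset, check_offset + check_every, ... and
    reloads nginx only if the cert on disk is newer than the loaded one.
    """
    served = 0      # issue time of the cert nginx currently has loaded
    prev = 0        # time of the previous watcher run
    expired = 0
    for t in [*range(check_offset, horizon, check_every), horizon]:
        # Between prev and t nginx kept serving the cert issued at `served`.
        expired += max(0, t - max(prev, served + lifetime))
        on_disk = (t // renew_every) * renew_every  # newest cert at time t
        served = max(served, on_disk)               # reload if file is newer
        prev = t
    return expired


def worst_case(lifetime, renew_every, check_every, horizon=7 * DAY):
    """Return (offset, expired_minutes) for the worst watcher offset."""
    return max(
        ((off, expired_minutes(lifetime, renew_every, check_every, off, horizon))
         for off in range(check_every)),
        key=lambda pair: pair[1],
    )


if __name__ == "__main__":
    for name, period in (("daily", DAY), ("hourly", HOUR)):
        off, bad = worst_case(DAY, 6 * HOUR, period)
        print(f"{name:6} watcher: worst offset {off} min, "
              f"{bad} min of expired cert served in 7 days")
```

In this model the exposure depends only on how old the on-disk certificate already is when the watcher loads it, so a watcher period shorter than the certificate lifetime minus the renewal interval removes the window entirely.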


github-actions bot commented Aug 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Aug 7, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 14, 2023