Does etcd support automatic/dynamic server certificate reload?

[rahulbapumore]

Hi @ahrtr ,
I was going through some of the threads regarding dynamically reloading certificates in etcd without restarting,
I got following merge fix which allows etcd to reload all certificates dynamically -
4a48ba1

But when I checked etcd 3pp source code, area around change is done , it looks like only peer/client certificates reloading happens dynamically. So my question is that does etcd support dynamic certificate reloading of server certificates?
One more thing to mention - (client_cert_auth is anabled here).

Thanks,
Rahul

[rahulbapumore]

Hi @ahrtr ,
Also Would you be able to help with which code/function/file inside etcd 3pp code is responsible for dynamically reloading of Server certs.

Thanks

[ahrtr]

Yes, etcd supports dynamically reloading certificates. Each time when etcdserver receives a new connection, it reloads the certificate automatically via the GetCertificate, but it will not affect the ongoing client connections/requests.

For example,

1. Assuming client1 connects to the etcdserver, and keep reading or writing data;
2. You manually changed the etcdserver's certificate (--cert-file) or key (--key-file);
3. Run the client program in another terminal, you will see error message something like below on server side, the client side gets context deadline exceeded error.

{"level":"warn","ts":"2023-03-11T06:37:38.996398+0800","caller":"embed/config_logging.go:187","msg":"rejected connection","remote-addr":"127.0.0.1:52746","server-name":"","error":"tls: private key does not match public key"}

4. But the client program started at step 1 will still be working well.

[ahrtr]

Note that we can improve the certificate reloading process a little bit. It doesn't make sense to reload the certificate each time on receiving a connection, even there is no change on the files. Instead, a better way is to reload the certificate files on receiving SIGHUP signal.