Description

We recently deployed successfully Kamailio with TLS certificates. Now we would like to use let's encrypt certificate which expire after 3 months. Means we need to renew certificate approximatively every 2 months. But while reading docs, in known limitations it says :

TLS specific config reloading is not safe, so for now better don't use it, especially under heavy traffic.

We struggle to understand if this behaviour is risky and not recommended under heavy traffic for certificate renewal. The doc has been added initially by @poandrei 18 years ago in Feb 21 2007 (see commit)

While digging we came across few discussions Kamailio user groups which are saying "the opposite" (kind of):

Comments by a co-founder of Kamailio stating that the old connections shouldn’t be affected by reload.
Comments by a Kamailio core developer stating that certificate reload is fine with the “reload” cmd (link1, link2)

Plus in another section in docs:

By definition : (the) existing active TLS connections are not terminated and they continue to use the old certificates. The new configuration will be used for new connections.

So 18 years after, Is it safe to use tls.reload command in production and in heavy traffic for TLS certificate renewal ? Because it sounds scary and confusing.

So the documentation as it is, really needs clarifications to let users know which risk they're taking when running the tls.reload command.

Expected behavior

The document should clearly documents risks, at least for certificate renewal.

Actual observed behavior

Docs and Kamailio user/dev groups are confusing.

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.