Issue #3046
What command to reload certs?
Description
Hi expert,
I would like to handle a cert change, for certs contained in /etc/ipsec.d/certs/.
In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand, there is a method to reread cacerts and to purge certs, but no method to reread certs.
If there is no such method to handle going from no cert to one cert, from one cert to no cert, or a cert change, the ipsec service has to be restarted, in which case unrelated IPsec/bypass/discard traffic is impacted.
Your comments are very much appreciated.
History
#1 Updated by Tobias Brunner over 6 years ago
- Category set to configuration
- Status changed from New to Feedback
First, don't use starter/stroke/ipsec.conf, but swanctl/vici/swanctl.conf instead (see configuration files), where you can load credentials (including end-entity certificates) separately, and reloading configs also doesn't have all the same issues it has with ipsec.conf.
In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand, there is a method to reread cacerts and to purge certs, but no method to reread certs.
That's because these are associated with connections; you have to reload them to load new certificates (and since ipsec update does not notice a changed certificate, you have to use ipsec reload, which is not ideal as it replaces all config objects and that can have an impact on existing connections, e.g. during rekeying).
The ipsec service has to be restarted, in which case unrelated IPsec/bypass/discard traffic is impacted.
Restarting is also possible; use the firewall to avoid traffic leaks.
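An added example, not code from the strongSwan project or from anyone in this thread: a minimal Python client that speaks the vici wire format directly (no vici pip package required) and issues load-key/load-cert for a new or changed end-entity certificate. These are the same vici operations swanctl --load-creds performs for the files under /etc/swanctl/x509 and /etc/swanctl/private, and they do not replace any connection objects, which is the point of the reply above. The socket path /var/run/charon.vici, the function names and the placeholder PEM are assumptions; the placeholder is constructed text, not a real certificate, and only the encoder/decoder can be exercised without a running charon.

```python
# Added example: hand-rolled vici client to load an end-entity cert into charon.
# Not strongSwan's code. Assumed socket path; placeholder PEM is constructed.
import socket
import struct

CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2          # vici packet types
SECTION_START, SECTION_END, KEY_VALUE = 1, 2, 3           # vici message elements
LIST_START, LIST_ITEM, LIST_END = 4, 5, 6
VICI_SOCKET = "/var/run/charon.vici"                      # assumed default path

# Constructed placeholder, not a real certificate (for demonstration only).
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


def _name(s):
    """1-byte length-prefixed name (command, key, section or list name)."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("vici name too long")
    return bytes([len(b)]) + b


def _value(v):
    """2-byte big-endian length-prefixed value; a PEM cert fits well under 64 KiB."""
    b = v.encode() if isinstance(v, str) else v
    if len(b) > 0xFFFF:
        raise ValueError("vici value too long")
    return struct.pack("!H", len(b)) + b


def encode_message(msg):
    """Encode a dict (nested dict = section, list = list) as vici message elements."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, list):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def encode_request(command, msg):
    """Frame a CMD_REQUEST packet: 4-byte length, type byte, command name, message."""
    payload = bytes([CMD_REQUEST]) + _name(command) + encode_message(msg)
    return struct.pack("!I", len(payload)) + payload


def decode_message(data):
    """Inverse of encode_message; raises on an element type it does not know."""
    root, stack, cur, cur_list, pos = {}, [], None, None, 0
    cur = root
    while pos < len(data):
        t = data[pos]
        pos += 1
        if t in (SECTION_START, LIST_START, KEY_VALUE):     # elements carrying a name
            n = data[pos]
            name = data[pos + 1:pos + 1 + n].decode()
            pos += 1 + n
        if t in (KEY_VALUE, LIST_ITEM):                     # elements carrying a value
            (ln,) = struct.unpack("!H", data[pos:pos + 2])
            value = data[pos + 2:pos + 2 + ln].decode()
            pos += 2 + ln
        if t == SECTION_START:
            stack.append(cur)
            cur[name] = {}
            cur = cur[name]
        elif t == SECTION_END:
            cur = stack.pop()
        elif t == KEY_VALUE:
            cur[name] = value
        elif t == LIST_START:
            cur[name] = []
            cur_list = cur[name]
        elif t == LIST_ITEM:
            cur_list.append(value)
        elif t == LIST_END:
            cur_list = None
        else:
            raise ValueError("unknown vici element type %d" % t)
    return root


def parse_response(packet):
    """Strip the type byte of a reply; charon answers CMD_UNKNOWN for a bad command name."""
    if not packet:
        raise ValueError("empty vici packet")
    if packet[0] == CMD_UNKNOWN:
        raise RuntimeError("charon does not know this command")
    if packet[0] != CMD_RESPONSE:
        raise ValueError("unexpected vici packet type %d" % packet[0])
    return decode_message(packet[1:])


def vici_call(command, msg, sock_path=VICI_SOCKET):
    """One request/response over the unix socket (needs access rights to the socket)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(encode_request(command, msg))
        (length,) = struct.unpack("!I", s.recv(4, socket.MSG_WAITALL))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("vici socket closed mid-reply")
            data += chunk
    return parse_response(data)


def load_end_entity_cert(cert_pem, key_pem=None, sock_path=VICI_SOCKET):
    """Load a new/changed end-entity cert (and its key) without reloading connections.
    flag=NONE marks an end-entity cert; CA certs are loaded with flag=CA instead."""
    results = {}
    if key_pem is not None:
        results["key"] = vici_call("load-key", {"type": "any", "data": key_pem}, sock_path)
    results["cert"] = vici_call("load-cert", {"type": "X509", "flag": "NONE", "data": cert_pem}, sock_path)
    return results


if __name__ == "__main__":
    import sys
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT_PEM
    key = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
    for what, reply in load_end_entity_cert(cert, key).items():
        print(what, reply.get("success"), reply.get("errmsg", ""))
```

Run it as root (or as a user permitted to use the vici socket) with the cert path and optionally the key path as arguments; each reply carries success = yes|no and, on failure, errmsg. Loading a cert adds it to charon's in-memory credentials alongside anything loaded earlier, so for a clean swap use swanctl --load-creds --clear (or the clear-creds vici command) before loading, and make sure the replacement key is loaded first so that connections referring to the new cert can actually use it.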
#2 Updated by Tobias Brunner almost 6 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback