Vault binary: reread certificate file without restart / unseal?


our test environment has been running for a few months now. The time will come when the certificates for encrypting port 8200 itself will expire. No problem generating new ones. But can I swap them without restarting? I want to avoid the unseal process.

Thanks for answers

Iā€™m not sure if Vault reloads TLS certificates when receiving SIGHUP. There has been some discussion about it, but maybe someone knows whats the latest status on this:

On SIGHUP, the path set here at Vault startup will be used for reloading the certificate

See here for full details:

1 Like

Awesome, thank you, @mikegreen!

Thanks so much! This makes thinks more easy.

yes, works wonderfully. Only Firefox still shows the old certificate / expiration date after a SIGHUP to the process and a reload of the page. But openssl direct on the port shows the new data. I was confused for a moment.

root@hermes:~# echo "" | openssl s_client -connect localhost:8200 | openssl x509 -in /dev/stdin -noout -startdate
notBefore=May 29 11:46:47 2021 GMT

This makes live very easy.