<!--
Kamailio Project uses GitHub Issues only for bugs in the code or feature
requests. Please use this template only for feature requests.
If you have questions about using Kamailio or related to its configuration
file, ask on sr-users mailing list:
*
https://lists.kamailio.org/mailman3/postorius/lists/sr-users.lists.kamailio.org/
If you have questions about developing extensions to Kamailio or its existing C
code, ask on sr-dev mailing list:
*
https://lists.kamailio.org/mailman3/postorius/lists/sr-dev.lists.kamailio.org/
Please try to fill this template as much as possible for any issue. It helps
the developers to troubleshoot the issue.
If you submit a feature request (or enhancement) add the description of what
you would like to be added.
If there is no content to be filled in a section, the entire section can be
removed.
Note that a feature request may be closed automatically after about 2 months
if there is no interest from developers or community users to implement it,
being
considered expired. In such case can be reopened by writing a comment that
includes
the token `/notexpired`. About two weeks before considered expired, the item is
marked with the label `stale`, trying to notify the submitter and everyone else
that might be interested in it. To remove the label `stale`, write a comment
that
includes the token `/notstale`. Also, any comment postpone the `expire`
timeline,
being considered that there is interest in the proposed feature request.
You can delete the comments from the template sections when filling.
You can delete next line and everything above before submitting (it is a
comment).
-->
### Description
We recently deployed successfully Kamailio with TLS certificates. Now we would
like to use let's encrypt certificate which expire after 3 months. Means we
need to renew certificate approximatively every 2 months. But while reading
docs, in [known
limitations](https://kamailio.org/docs/modules/devel/modules/tls.html#tls.known_limitations)
it says :
> TLS specific config reloading is not safe, so for now better don't use it,
> especially under heavy traffic.
We struggle to understand if this behaviour is risky and not recommended under
heavy traffic for certificate renewal. The doc has been added initially by
@poandrei 18 years ago in Feb 21 2007 (see
[commit](https://github.com/kamailio/kamailio/commit/32e4977cdb9c1c9ca24c140a493934f1d2e19fa1#diff-fd9201171a0a5a2ba38e0978db5be5228107718ee3704a21239faf181d71f72aR90))
While digging we came across few discussions Kamailio user groups which are
saying "the opposite" (kind of):
- [Comments by a co-founder of Kamailio
](https://www.mail-archive.com/sr-users@lists.kamailio.org/msg16014.html)stating
that the old connections shouldn’t be affected by reload.
- Comments by a Kamailio core developer stating that certificate reload is fine
with the “reload” cmd
([link1](https://lists.kamailio.org/pipermail/sr-users/2022-February/114296.html),
[link2](https://github.com/kamailio/kamailio/issues/3305))
Plus in another section in docs:
- [By definition
:](https://kamailio.org/docs/modules/devel/modules/tls.html#tls.r.tls.reload)
(the) existing active TLS connections are not terminated and they continue to
use the old certificates. The new configuration will be used for new
connections.
So 18 years after, Is it safe to use `tls.reload` command in production and in
heavy traffic for **TLS certificate renewal** ? Because it sounds scary and
confusing.
So the documentation as it is, really needs clarifications to let users know
which risk they're taking when running the `tls.reload` command.
<!--
Explain what you did, what you expected to happen, and what actually happened.
-->
### Expected behavior
The document should clearly documents risks, at least for certificate renewal.
#### Actual observed behavior
Docs and Kamailio user/dev groups are confusing.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3717
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3...@github.com>
_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to sr-dev-le...@lists.kamailio.org
