Planning our TLS implementation. So far everything is working great.
We’re using certificates that expire in 90 days, and are automatically renewed.
In my pjsip transport, when allow_reload=yes, will Asterisk load new certificates if they’ve been updated? Same filenames.
The only documentation I can find says that a full restart is required, which we can’t gracefully accomplish operating 24x7 across 6 timezones.
All TLS usage in Asterisk, be it the core implementation or the PJSIP side implementation, currently require restarting Asterisk. I don’t believe anyone has undertaken a project to change this.
To test, I revoked a certificate, without restarting asterisk, pjproject did throw an error and refused to complete the call:
[Apr 16 14:26:00] ERROR: pjproject: <?>: ssl0x7fdb40035de0 Error loading certificate chain file 'my_certificate.pem': No such file or directory
So that’s good.
When I re-issued the certificate, without restarting asterisk, it started completing calls again.
So perhaps pjproject loads the cert at every call?
I’m going to see if I can issue a very short certificate and do some additional testing for when it expires.
Maybe, although that’d be… interesting…
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.