Blocky does not pick up the new certificate
izidormatusov opened this issue · 8 comments
Is there a way to get blocky to pick up renewed certificate?
My blocky instance has run for roughly 3 months and the original letsencrypt SSL certificate expired. Blocky did not picked up the renewed certificate, becoming unavailable when serving DNS-over-TLS:
$ doggo @tls://$DOMAIN google.com
time=2024-10-13T15:22:32.213+02:00 level=ERROR msg="error in lookup" error="tls: failed to verify certificate: x509: certificate has expired or is not yet valid: “$DOMAIN” certificate is expired"
NAME TYPE CLASS TTL ADDRESS NAMESERVERBlocky reports the old certificate expiry
$ openssl s_client -showcerts -connect $DOMAIN:853 </dev/null
...
Certificate chain
...
v:NotBefore: Jul 14 18:21:11 2024 GMT; NotAfter: Oct 12 18:21:10 2024 GMTAfter I restarted blocky:
$ openssl s_client -showcerts -connect $DOMAIN:853 </dev/null
...
Certificate chain
...
v:NotBefore: Sep 12 22:56:03 2024 GMT; NotAfter: Dec 11 22:56:02 2024 GMT
which matches the certificate expiry date:
$ openssl x509 -in /var/apps/blocky/certs/fullchain.pem -noout -enddate
notAfter=Dec 11 22:56:02 2024 GMTCould blocky automatically pick up new certificates with long expiry date?
blocky's configuration:
certFile: /var/apps/blocky/certs/fullchain.pem
keyFile: /var/apps/blocky/certs/privkey.pem
ports:
# Disable serving on 53 port
dns: null
# 853 is the standard for DNS-over-TLS
# Android uses DNS-over-TLS
tls: :853
# Port for DNS-over-HTTP
http: 127.0.0.1:{{ blocky_port }}
log:
level: error
privacy: true
upstreams:
init:
strategy: failOnError
groups:
default:
- tcp-tls:1.1.1.1
- tcp-tls:8.8.8.8
blocking:
denylists:
ads:
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
- http://sysctl.org/cameleon/hosts
- https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
clientGroupsBlock:
default:
- adsIf using Blocky in the Docker, you can use the restarter sidecar like:
# compose.yml
services
restarter:
image: docker
volumes: ["/var/run/docker.sock:/var/run/docker.sock"]
command: ["/bin/sh", "-c", "while true; do sleep 86400; docker restart <blocky_container_name>; done"]
restart: unless-stopped
blocky:
...
I'm running blocky as a systemd service. I guess I can add a similar cron job that periodically restarts blocky systemd service. It seems like hassle, especially when other software dealing with SSL certificates (e.g. nginx) are able to use the up to date TLS certificates.
Certificate reloading is generally a pain in non cloud-native environment. Relying on cronjob is not sexy. Try considering systemd timers.
Can you clarify why certificate reloading is pain? Quick search shows that the pattern of dynamically reloading SSL certificate is quite common:
- Is there a way to update the TLS certificates in a net/http server without any downtime?
- Kubernetes certwatcher
- Dynamically update TLS certificates in a Golang server without downtime
The patch would require making sure that the certificate is loaded only when the file gets modified. blocky codebase already indirectly depends on fsnotify:
$ go mod why -m github.com/fsnotify/fsnotify
# github.com/fsnotify/fsnotify
github.com/0xERR0R/blocky/log
github.com/x-cray/logrus-prefixed-formatter
github.com/x-cray/logrus-prefixed-formatter.test
github.com/onsi/ginkgo
github.com/onsi/ginkgo/internal/remote
github.com/nxadm/tail
github.com/nxadm/tail/watch
github.com/fsnotify/fsnotify
It's a pain for ops, not developers. So thanks for the cloud-native environment.
I'm running blocky as a systemd service. I guess I can add a similar cron job that periodically restarts blocky systemd service. It seems like hassle, especially when other software dealing with SSL certificates (e.g. nginx) are able to use the up to date TLS certificates.
for systemd its much easier than docker. you can use inotify or systemd.path to monitor file changes
https://www.freedesktop.org/software/systemd/man/latest/systemd.path.html
for those running blocky on docker instead of systemd, you can even use systemd.path to restart the docker service when the file changes on disk