
A sentry for zero-hit TLS certificate changes in Go

Primary language: Go. License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause).

Certinel is a Go library that makes zero-hit TLS certificate changes even easier to implement: it watches the certificate for changes and reloads it for you, and it already implements the callback methods that tls.Config expects.

Right now there's support for listening to file system events on Linux, BSDs, and Windows using the fsnotify library.

Usage

Create the certinel instance, start it with Watch, then pass the GetCertificate method to your tls.Config instance.

package main

import (
	"crypto/tls"
	"log"
	"net/http"

	"github.com/cloudflare/certinel"
	"github.com/cloudflare/certinel/fswatcher"
)

func main() {
	// Watch the certificate and key files for changes.
	watcher, err := fswatcher.New("/etc/ssl/app.pem", "/etc/ssl/app.key")
	if err != nil {
		log.Fatalf("fatal: unable to read server certificate. err='%s'", err)
	}
	// The callback runs whenever certinel fails to reload the pair.
	sentinel := certinel.New(watcher, func(err error) {
		log.Printf("error: certinel was unable to reload the certificate. err='%s'", err)
	})

	sentinel.Watch()

	// The cert and key file arguments stay empty: GetCertificate
	// supplies the current certificate for each handshake.
	server := http.Server{
		Addr: ":8000",
		TLSConfig: &tls.Config{
			GetCertificate: sentinel.GetCertificate,
		},
	}

	if err := server.ListenAndServeTLS("", ""); err != nil {
		log.Fatalf("fatal: server stopped. err='%s'", err)
	}
}
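The reload-and-swap that sits behind a GetCertificate callback like the one above, as an added illustration (not certinel's own code): a Reloader that parses a PEM pair, keeps the previously loaded pair when the new one is rejected, and hands out whatever is current on each handshake. The Reloader type and the selfSigned helper are constructed for this example, and the generated certificates are throwaway test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"sync/atomic"
	"time"
)

// Reloader is a minimal stand-in for what certinel does internally: the
// live pair sits behind an atomic.Value, so GetCertificate, which
// crypto/tls calls on every handshake, always sees a complete pair.
type Reloader struct{ cert atomic.Value }

// Reload parses a PEM pair and swaps it in. A pair that fails to parse
// (partial write, key rotated without its cert) is rejected and the
// previously loaded pair keeps serving.
func (r *Reloader) Reload(certPEM, keyPEM []byte) error {
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	r.cert.Store(&c)
	return nil
}

// GetCertificate has the signature tls.Config.GetCertificate expects.
func (r *Reloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c, ok := r.cert.Load().(*tls.Certificate); ok {
		return c, nil
	}
	return nil, errors.New("no certificate loaded yet")
}

// selfSigned builds a throwaway self-signed pair (constructed test input).
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kder, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kder})
}
```

Because crypto/tls consults the callback per handshake, a swap in Reload is picked up by the next connection without touching the listener, which is the zero-hit property the library provides.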