Certinel is a Go library that makes it even easier to implement zero-hit TLS certificate changes: it watches the certificate files for changes on your behalf, and the methods required by tls.Config are already implemented for you.
Right now there's support for listening to file system events on Linux, BSDs, and Windows using the fsnotify library.
Create the certinel instance, start it with Watch, then pass its GetCertificate method to your tls.Config instance.
package main
import (
	"crypto/tls"
	"log"
	"net/http"
	"time"

	"github.com/cloudflare/certinel"
	"github.com/cloudflare/certinel/fswatcher"
)
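// main serves HTTPS on :8000, sourcing the server certificate from a
// certinel watcher so a rotated certificate/key pair on disk is picked up
// without restarting the process.
func main() {
	watcher, err := fswatcher.New("/etc/ssl/app.pem", "/etc/ssl/app.key")
	if err != nil {
		log.Fatalf("fatal: unable to read server certificate. err='%s'", err)
	}

	// The callback receives errors raised while reloading the watched files.
	sentinel := certinel.New(watcher, func(err error) {
		log.Printf("error: certinel was unable to reload the certificate. err='%s'", err)
	})
	sentinel.Watch()

	server := http.Server{
		Addr: ":8000",
		TLSConfig: &tls.Config{
			// GetCertificate is consulted for each handshake, which is what
			// lets a reloaded certificate take effect for new connections.
			GetCertificate: sentinel.GetCertificate,
			// Refuse legacy protocol versions.
			MinVersion: tls.VersionTLS12,
		},
		// The zero-value http.Server never times out; bound slow and idle
		// clients so they cannot hold connections open indefinitely.
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       120 * time.Second,
	}

	// Empty cert/key paths: the certificate is supplied by GetCertificate.
	// ListenAndServeTLS only returns on failure, so the error is always
	// worth reporting rather than silently dropped.
	if err := server.ListenAndServeTLS("", ""); err != nil {
		log.Fatalf("fatal: server stopped. err='%s'", err)
	}
}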