A Hitless TLS Certificate Rotation Reconciliation Library.
Any certificate that has been issued will eventually have to be rotated.
Rotating TLS certificates by hand quickly gets out of hand, particularly when you have to manage hundreds of certificates, and becomes completely unmanageable if you issue certificates that expire within hours rather than months.
tlsreconciler is here to help with that: it reloads rotated certificates, including the root CA, and reconciles the TLS configuration of connections in real time, without restarting the application.
Using tlsreconciler is easy. First, use go get to install the latest version of the library.
go get github.com/shaj13/tlsreconciler
Next, include tlsreconciler in your application:
import (
	"github.com/shaj13/tlsreconciler"
)
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"os"
	"os/signal"
	"syscall"

	"github.com/shaj13/tlsreconciler"
)

func HelloWorld(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("Hello World.\n"))
}

func main() {
	// Deliver SIGHUP on a channel; tlsreconciler reloads the certificates on each signal.
	sigc := make(chan os.Signal, 1)
	defer close(sigc)
	signal.Notify(sigc, syscall.SIGHUP)

	// Options
	sig := tlsreconciler.WithSIGHUPReload(sigc)
	certs := tlsreconciler.WithCertificatesPaths("cert_file", "key_file", "ca_file")
	verify := tlsreconciler.WithVerifyConnection()
	cb := tlsreconciler.WithOnReload(func(c *tls.Config) {
		log.Println("TLS certificates rotated !!")
	})

	config := tlsreconciler.TLSConfig(sig, certs, verify, cb)

	server := http.Server{
		Addr:      ":443",
		Handler:   http.HandlerFunc(HelloWorld),
		TLSConfig: config,
	}

	// The certificate and key come from the reconciled TLSConfig, so the file arguments stay empty.
	if err := server.ListenAndServeTLS("", ""); err != nil {
		log.Fatal(err)
	}
}
- Fork it
- Download your fork to your PC (git clone https://github.com/your_username/tlsreconciler && cd tlsreconciler)
- Create your feature branch (git checkout -b my-new-feature)
- Make changes and add them (git add .)
- Commit your changes (git commit -m 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new pull request
tlsreconciler is released under the MIT license. See LICENSE.