ability to reload ssl certificate on certificate change
I was looking into doing this automatically but it seems there is no cohesive way within knot-resolver. Played around with using the control socket options, but it's a bit messy, e.g. use:
net.close('0.0.0.0')
http.config({tls = true, cert = "<CERT>", key = "<KEY>"}, '<webmgmt|doh>') --for DoH|webmgmt
net.listen('0.0.0.0', 53, { kind = 'dns' })
net.listen('0.0.0.0', 443, { kind = 'doh' })
net.listen('0.0.0.0', 853, { kind = 'tls' })
net.listen('0.0.0.0', 8453, { kind = 'webmgmt' })
net.tls("<CERT>", "<KEY>") --for DoT
But, if knot-resolver is running as unprivileged user then it can't rebind to privileged ports. And this needs to be scripted somehow.
An alternative way would be for the process that creates the new SSL certificates to restart knot-resolver but then that process would need to run as root.
So for now, I'm using a custom systemd path / service combo to monitor certificate file for any changes and then reload knot-resolver that way.
Would be keen to know of any thoughts to simplify this, or even the ability to reload the certificate could be added into knot-resolver itself - I know rpz files are monitored and reloaded when changed so this seems somewhat similar.
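The systemd path / service combo described in the post, written out as an added example (this is not the poster's own unit files nor anything shipped by knot-resolver). The unit names, the certificate paths under /etc/knot-resolver/, and the kresd@1.service instance name are assumptions; the restart is done by systemd as root, so the job that renews the certificate itself needs no privileges, which is the point of the arrangement.

```ini
# /etc/systemd/system/kresd-cert-watch.path  (assumed name)
[Unit]
Description=Watch the kresd TLS certificate and key for changes

[Path]
# PathChanged= fires when the file is written and closed, or replaced in place
# (renewal tools usually write a temp file and rename it over the old one).
# Paths are assumptions; point them at the files kresd is configured with.
PathChanged=/etc/knot-resolver/fullchain.pem
PathChanged=/etc/knot-resolver/privkey.pem
# The service to activate when a change is seen.
Unit=kresd-cert-watch.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/kresd-cert-watch.service  (assumed name)
[Unit]
Description=Restart kresd after a TLS certificate change
# Do not race the resolver's own start-up; instance name is an assumption.
After=kresd@1.service

[Service]
Type=oneshot
# Runs as root (the unit default), so the cert renewal job stays unprivileged.
# Restarting kresd makes it re-read the certificate and key with its normal
# privileges, so rebinding to 443/853 from an unprivileged user is not needed.
ExecStart=/bin/systemctl restart kresd@1.service
```

Enable with `systemctl enable --now kresd-cert-watch.path`; the path unit stays active and the oneshot service only runs when inotify reports a change. Because the trigger is the file on disk, a renewal process that writes the wrong files or writes them while kresd cannot read them will still cause a restart, so `journalctl -u kresd@1` is the place to confirm that the new certificate was actually loaded.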