From: Remi Gacogne Date: Thu, 1 Jul 2021 11:54:29 +0000 (+0200) Subject: dnsdist: Add the missing DOHFronted::loadNewCertificatesAndKeys() X-Git-Tag: dnsdist-1.7.0-alpha1~101^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10550%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Add the missing DOHFronted::loadNewCertificatesAndKeys() --- diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index d15de8aad0..2c4b1c6021 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc @@ -2312,6 +2312,17 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) } }); + luaCtx.registerFunction::*)(boost::variant>> certFiles, boost::variant>> keyFiles)>("loadNewCertificatesAndKeys", [](std::shared_ptr frontend, boost::variant>> certFiles, boost::variant>> keyFiles) { +#ifdef HAVE_DNS_OVER_HTTPS + if (frontend != nullptr) { + if (loadTLSCertificateAndKeys("DOHFrontend::loadNewCertificatesAndKeys", frontend->d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) { + frontend->reloadCertificates(); + } + } +#endif + }); + luaCtx.registerFunction::*)()>("rotateTicketsKey", [](std::shared_ptr frontend) { if (frontend != nullptr) { frontend->rotateTicketsKey(time(nullptr)); @@ -2524,7 +2535,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) luaCtx.registerFunction::*)(boost::variant>> certFiles, boost::variant>> keyFiles)>("loadNewCertificatesAndKeys", [](std::shared_ptr& frontend, boost::variant>> certFiles, boost::variant>> keyFiles) { #ifdef HAVE_DNS_OVER_TLS - if (loadTLSCertificateAndKeys("loadNewCertificatesAndKeys", frontend->d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) { + if (loadTLSCertificateAndKeys("TLSFrontend::loadNewCertificatesAndKeys", frontend->d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) { frontend->setupTLS(); } #endif diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 752b1872d8..3a43be4700 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -1496,6 +1496,15 @@ DOHFrontend This object represents an address and port dnsdist is listening on for DNS over HTTPS queries. + .. method:: DOHFrontend:loadNewCertificatesAndKeys(certFile(s), keyFile(s)) + + .. versionadded:: 1.7.0 + + Create and switch to a new TLS context using the same options than were passed to the corresponding `addDOHLocal()` directive, but loading new certificates and keys from the selected files, replacing the existing ones. + + :param str certFile(s): The path to a X.509 certificate file in PEM format, or a list of paths to such files. + :param str keyFile(s): The path to the private key file corresponding to the certificate, or a list of paths to such files, whose order should match the certFile(s) ones. + .. method:: DOHFrontend:loadTicketsKeys(ticketsKeysFile) Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. dnsdist supports several tickets keys to be able to decrypt existing sessions after the rotation. @@ -1559,8 +1568,8 @@ TLSFrontend Create and switch to a new TLS context using the same options than were passed to the corresponding `addTLSLocal()` directive, but loading new certificates and keys from the selected files, replacing the existing ones. - :param str certFile(s): The path to a X.509 certificate file in PEM format, or a list of paths to such files. - :param str keyFile(s): The path to the private key file corresponding to the certificate, or a list of paths to such files, whose order should match the certFile(s) ones. + :param str certFile(s): The path to a X.509 certificate file in PEM format, or a list of paths to such files. + :param str keyFile(s): The path to the private key file corresponding to the certificate, or a list of paths to such files, whose order should match the certFile(s) ones. .. method:: TLSFrontend:loadTicketsKeys(ticketsKeysFile)