Changing TLS certificate requires server restart

[WGH-]

Honestly, I didn't verify it myself, but that's what I could figure out from the code.

The TLS certificate is loaded here:

synapse/synapse/config/tls.py

Line 27 in 9bba6eb

self.tls_certificate = self.read_tls_certificate(

And then dumped, among other places, here:

synapse/synapse/rest/key/v2/local_key_resource.py

Line 93 in 9bba6eb

x509_certificate_bytes = crypto.dump_certificate(

Assuming config is read once (which also seems true -

synapse/synapse/app/homeserver.py

Line 270 in 88acb99

config = HomeServerConfig.load_or_generate_config(

), it means that when TLS certificate is updated (which can be relatively often with Let's Encrypt, once per several months), server needs to be restarted.

It would be better if certificate can be reloaded without server restart. Server can be signalled with SIGHUP/SIGUSR1/SIGUSR2, or something.

[jrabbit]

I think this is generalizable also the debian package's systemd unit doesn't have any reload function

[MacLemon]

Same goes for the FreeBSD rc.d item. Cannot reload certificate and private keys without fully restarting synapse.

[richvdh]

You can now reload certs with a SIGHUP