renewed identity.server_cert is not auto-loaded #2503

Open
qrkourier opened this issue Oct 24, 2024 · 0 comments


These controller logs correlate with issuing a new server cert and placing the chain file in the same location referenced by identity.server_cert. However, the old cert continues to be presented.

Oct 24 17:37:19 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"pki/intermediate/keys/server.key\"","time":"2024-10-24T17:37:19.901Z"}
Oct 24 17:37:19 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"pki/intermediate/keys/server.key\"","time":"2024-10-24T17:37:19.901Z"}
Oct 24 17:37:19 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"pki/intermediate/keys/server.key\"","time":"2024-10-24T17:37:19.901Z"}
Oct 24 17:37:19 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"pki/intermediate/keys/server.key\"","time":"2024-10-24T17:37:19.901Z"}
Oct 24 17:37:19 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"pki/intermediate/certs/server.chain.pem\"","time":"2024-10-24T17:37:19.901Z"}
Oct 24 17:37:20 mira ziti[302904]: {"file":"github.com/openziti/[email protected]/identity.go:364","func":"github.com/openziti/identity.(*ID).queueReload.func1","level":"info","msg":"reloading identity configuration","time":"2024-10-24T17:37:20.903Z"}

Steps to reproduce with the ziti-controller.service from the openziti-controller Linux package.

❯ sudo openssl x509 -noout -fingerprint -in /var/lib/ziti-controller/pki/intermediate/certs/server.chain.pem
SHA1 Fingerprint=35:24:3C:4F:50:4F:B8:D1:31:3D:77:05:DE:39:FA:CF:E4:80:52:B4

❯ openssl s_client -connect 127.0.0.1:1280 <>/dev/null |& openssl x509 -noout -fingerprint
SHA1 Fingerprint=35:24:3C:4F:50:4F:B8:D1:31:3D:77:05:DE:39:FA:CF:E4:80:52:B4

❯ sudo ziti pki create server \
  --pki-root /var/lib/private/ziti-controller/pki \
  --ca-name intermediate \
  --server-file server \
  --server-name "Ziti Controller" \
  --dns "localhost,client.ziti.example.com" \
  --ip "127.0.0.1,::1" \
  --allow-overwrite
Using CA name:  intermediate
Success

❯ sudo openssl x509 -noout -fingerprint -in /var/lib/ziti-controller/pki/intermediate/certs/server.chain.pem
SHA1 Fingerprint=0B:D6:0E:0B:04:B7:DF:B0:30:B4:AA:23:8E:41:48:B3:3F:A1:9A:D5

❯ openssl s_client -connect 127.0.0.1:1280 <>/dev/null |& openssl x509 -noout -fingerprint
SHA1 Fingerprint=35:24:3C:4F:50:4F:B8:D1:31:3D:77:05:DE:39:FA:CF:E4:80:52:B4

❯ sudo systemctl restart ziti-controller.service

❯ openssl s_client -connect 127.0.0.1:1280 <>/dev/null |& openssl x509 -noout -fingerprint
SHA1 Fingerprint=0B:D6:0E:0B:04:B7:DF:B0:30:B4:AA:23:8E:41:48:B3:3F:A1:9A:D5
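The on-disk versus on-the-wire fingerprint comparison used in the reproduction above, as an added Go example that is not OpenZiti project code: it starts an in-process TLS listener that never reloads its certificate, "renews" the certificate on disk without telling the listener, and reports whether the served leaf still matches the chain file. Fingerprints are formatted the way `openssl x509 -noout -fingerprint` prints them, so the values line up with the session above. The listener, the self-signed certificates and all function names (`ServedMatchesDisk`, `StartServer`, `selfSigned`) are constructed for this demo; it does not model the controller's identity watcher itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint formats a DER cert's SHA1 digest as `openssl x509 -fingerprint` prints it.
func Fingerprint(der []byte) string {
	sum := sha1.Sum(der)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// LeafFingerprintFromPEM fingerprints the first CERTIFICATE block, i.e. the leaf of a chain file.
func LeafFingerprintFromPEM(chainPEM []byte) (string, error) {
	block, _ := pem.Decode(chainPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("PEM data does not start with a CERTIFICATE block")
	}
	return Fingerprint(block.Bytes), nil
}

// ServedFingerprint handshakes with addr and fingerprints the leaf the server presents.
// Like `openssl s_client`, it skips verification: it observes the wire, it does not trust the peer.
func ServedFingerprint(addr string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	peer := conn.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return "", fmt.Errorf("server presented no certificate")
	}
	return Fingerprint(peer[0].Raw), nil
}

// ServedMatchesDisk is the check from the issue: does the cert on the wire equal the leaf in
// the chain file? false right after a renewal means the listener still serves the old cert.
func ServedMatchesDisk(chainPEM []byte, addr string) (bool, error) {
	onDisk, err := LeafFingerprintFromPEM(chainPEM)
	if err != nil {
		return false, err
	}
	onWire, err := ServedFingerprint(addr)
	return err == nil && onDisk == onWire, err
}

// selfSigned mints a throwaway self-signed cert: a constructed stand-in for the controller's
// server.chain.pem (returned as PEM) and server.key (kept in memory); never a real credential.
func selfSigned(serial int64) ([]byte, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	chainPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return chainPEM, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartServer serves TLS with a fixed cert on an ephemeral loopback port and returns the
// address. It never reloads, which mirrors the behaviour reported in the issue.
func StartServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // finish the handshake so the client sees the cert
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	oldPEM, oldCert := selfSigned(1)
	addr, err := StartServer(oldCert)
	if err != nil {
		panic(err)
	}
	renewedPEM, _ := selfSigned(2) // rewritten on disk, never loaded by the listener
	before, _ := ServedMatchesDisk(oldPEM, addr)
	after, _ := ServedMatchesDisk(renewedPEM, addr)
	fmt.Println("served == old file:", before, "| served == renewed file:", after)
}
```

Pointed at a real controller, `ServedMatchesDisk` would take the contents of the file named by `identity.server_cert` and the address of the listener (here `127.0.0.1:1280`); a `false` result after a renewal is the condition the session above shows, and is what a post-renewal health check should alert on until the listener reloads or is restarted.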