I’m using Certbot in a bash script to generate an SSL certificate on the prod server.
In the config I point Phoenix to the generated certificate files:
Certbot renews the certificate automatically with systemd timers.
I wonder whether Phoenix caches the certificate files specified in the config, so that an app reload is required after automatic certificate renewal?
The ssl application in Erlang/OTP caches certificates and keys read from PEM files and periodically reloads them. If you replace the files, your server will start using the updated ones within a few minutes.
Thanks for the info @voltone! Are you aware of any docs that document this behaviour?
The ssl docs are not very clear about this topic: the caching of PEM files is just mentioned in the docs for the :ssl.clear_pem_cache/0 function, and the :ssl_pem_cache_clean configuration option.
There is a section in the Plug HTTP Guide on Renewing Certificates that goes into some more practical details.
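
As an added example (not part of the thread, and not code from Phoenix, Plug or OTP): a small GenServer that watches the certificate file and calls :ssl.clear_pem_cache/0 as soon as it changes, so new handshakes pick up the renewed certificate without waiting for the periodic cache clean-up. The module name CertWatcher, the 30-second poll interval and the path passed to start_link/1 are assumptions.

```elixir
defmodule CertWatcher do
  @moduledoc """
  Hypothetical helper: polls a PEM certificate file and clears the Erlang
  ssl PEM cache when the certificate on disk changes.
  """
  use GenServer
  require Logger

  # Assumed poll interval; Certbot renewals are rare, so this can be generous.
  @poll_ms :timer.seconds(30)

  def start_link(cert_path),
    do: GenServer.start_link(__MODULE__, cert_path, name: __MODULE__)

  @impl true
  def init(cert_path) do
    schedule()
    {:ok, %{path: cert_path, digest: digest(cert_path)}}
  end

  @impl true
  def handle_info(:poll, %{path: path, digest: old} = state) do
    new = digest(path)

    if new != nil and new != old do
      # After this call, new TLS handshakes read the PEM files from disk again.
      # Connections that are already established are not affected.
      :ssl.clear_pem_cache()
      Logger.info("certificate #{path} changed, ssl PEM cache cleared")
    end

    schedule()
    # Keep the last good digest if the file was unreadable during this poll.
    {:noreply, %{state | digest: new || old}}
  end

  # SHA-256 over the DER bytes of the first certificate in the file.
  # Returns nil if the file is missing, half-written or not a certificate.
  defp digest(path) do
    with {:ok, pem} <- File.read(path),
         [{:Certificate, der, :not_encrypted} | _] <- :public_key.pem_decode(pem) do
      :crypto.hash(:sha256, der)
    else
      _ -> nil
    end
  end

  defp schedule, do: Process.send_after(self(), :poll, @poll_ms)
end
```

To use it, add `{CertWatcher, cert_path}` to the application's supervision tree, where `cert_path` is the same certificate file the endpoint config points to.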