Kong ACME plugin: Certificate renewed but not used by Kong

Hi. I’m using this plugin (v0.2.7-1) in DB-less mode with Redis.

The plugin renews the certificate correctly. However, it does not replace the certificate used by Kong (Nginx, of course); in other words, when I request the API via the browser, it still shows the previous certificate, not the new one. To fix that I need to restart Kong (I’m using the docker image v2.0.5, so I restart the Kong container).

Is this the expected behavior, or should the plugin itself replace the certificate used by Kong when it renews it?

This is my configuration in the declarative file:

plugins:
  - name: acme
    config:
      account_email: <email>
      domains:
        - <domain>
      renew_threshold_days: 30
      storage: redis
      storage_config:
        redis:
          auth: <pass>
          port: 6379
          database: 0
          host: redis
      tos_accepted: true

In my kong.conf I have:

lua_ssl_trusted_certificate = /etc/ssl/certs/ca-certificates.crt

I already created an issue in Kong ACME plugin: https://github.com/Kong/kong-plugin-acme/issues/53

If it's like what we do when we pull down an updated CRL file on a nightly cron, a kong reload CLI command should do the trick. EDIT - Looks like an internal cache just needed to be updated in the plugin (from the PR); never mind, it was not related to an underlying nginx directive setting.

Cross-posting here: this issue, when used in DB-less mode on Kong 2.0.5 or later, has been fixed with plugin version 0.2.12. It will be included in the next Kong release.

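An added example, not part of the thread or of the plugin's code: a small monitoring check for the symptom described above, comparing the certificate the proxy actually serves against the renewal window and, optionally, against the renewed certificate. The function names are made up for this example, and it assumes the operator has exported the renewed leaf certificate to a PEM file by hand (how the plugin stores it in Redis is not covered here).

```python
import hashlib
import socket
import ssl
import time

RENEW_THRESHOLD_DAYS = 30  # renew_threshold_days from the declarative config above


def fetch_served(host, port=443, timeout=5.0):
    """Return (leaf DER, notAfter string) as presented by the proxy.

    Verification stays on so getpeercert() is populated; an expired or
    untrusted certificate raises ssl.SSLCertVerificationError instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]


def sha256_fp(der):
    return hashlib.sha256(der).hexdigest()


def assess(served_der, not_after, renewed_pem=None, now=None,
           threshold_days=RENEW_THRESHOLD_DAYS):
    """Return a list of findings; an empty list means nothing to report."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left < threshold_days:
        # Renewal should already have happened: either it failed, or the
        # proxy is still serving the pre-renewal certificate.
        findings.append("inside-renewal-window")
    if renewed_pem is not None:
        # renewed_pem must hold only the leaf certificate, not the full chain.
        renewed_der = ssl.PEM_cert_to_DER_cert(renewed_pem)
        if sha256_fp(renewed_der) != sha256_fp(served_der):
            findings.append("served-cert-differs-from-renewed")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # hypothetical usage: python check_cert.py <domain> [renewed-leaf.pem]
    pem = open(sys.argv[2]).read() if len(sys.argv) > 2 else None
    der, not_after = fetch_served(host)
    result = assess(der, not_after, pem)
    print(host, sha256_fp(der), not_after, result or "ok")
    sys.exit(1 if result else 0)
```

Run from cron or a monitoring job, a non-zero exit inside the renewal window is the signal that the proxy is still presenting the old certificate.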