From 3d890e89f12b1b2494dac7d919c71b397d40d683 Mon Sep 17 00:00:00 2001
From: Nikolay
Date: Mon, 14 Feb 2022 18:32:13 +0300
Subject: [PATCH] Adds server certificate reload for lib/http (#2186)
* Adds server certificate reload for lib/http
https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2171
* Update lib/httpserver/httpserver.go
Co-authored-by: Aliaksandr Valialkin
---
 lib/httpserver/httpserver.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index 9d40de292e..1952aa3bc2 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -97,14 +97,30 @@ func Serve(addr string, rh RequestHandler) {
 	ln := net.Listener(lnTmp)
 	if *tlsEnable {
-		cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		var certLock sync.Mutex
+		var certDeadline uint64
+		var cert *tls.Certificate
+		c, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
 		if err != nil {
 			logger.Fatalf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %s", *tlsCertFile, *tlsKeyFile, err)
 		}
+		cert = &c
 		cfg := &tls.Config{
-			Certificates: []tls.Certificate{cert},
 			MinVersion:               tls.VersionTLS12,
 			PreferServerCipherSuites: true,
+			GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				certLock.Lock()
+				defer certLock.Unlock()
+				if fasttime.UnixTimestamp() > certDeadline {
+					c, err = tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+					if err != nil {
+						return nil, fmt.Errorf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %w", *tlsCertFile, *tlsKeyFile, err)
+					}
+					certDeadline = fasttime.UnixTimestamp() + 1
+					cert = &c
+				}
+				return cert, nil
+			},
 		}
 		ln = tls.NewListener(ln, cfg)
 	}
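Review bot: The reload inside GetCertificate assigns the new key pair into the same variable `c` that every previously returned `*tls.Certificate` points at (`cert = &c` after the initial load and again in the closure), so a handshake that already received the old pointer and is running outside `certLock` can read `c.PrivateKey` and `c.Certificate` while they are being overwritten — a data race on the private-key path that `go test -race` should flag. Load into a fresh local (`newCert, err := tls.LoadX509KeyPair(...)` then `cert = &newCert`) so earlier callers keep an immutable value; this also removes the closure's write to the outer `err`. Separately, `certDeadline` is only advanced after a successful load, so while the files are mid-rotation or unreadable every handshake re-reads disk under the lock and then fails; move the deadline update before the load, and consider returning the still-cached `cert` (with the error logged) rather than failing the handshake, since that pair was valid a second earlier. The enclosing Serve function starts and ends outside the hunk.
```go
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
	certLock.Lock()
	defer certLock.Unlock()
	if fasttime.UnixTimestamp() > certDeadline {
		// Advance the deadline first so an unreadable or half-rotated key pair
		// is retried at most once per second, not on every handshake.
		certDeadline = fasttime.UnixTimestamp() + 1
		// Load into a fresh value: handshakes that already received the
		// previous *tls.Certificate keep reading it outside certLock.
		newCert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
		if err != nil {
			return nil, fmt.Errorf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %w", *tlsCertFile, *tlsKeyFile, err)
		}
		cert = &newCert
	}
	return cert, nil
},
```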