Dynamic TLS cert reload is not working

praveenthuwat · August 5, 2022, 5:08am

Hi,

Does the temporal server supports auto-detection and reload of renewed TLS certs dynamically(without a node restart)? From our initial testing, it seems like that is not the case. Please can you confirm? also, we want to avoid building and running customized temporal servers, like using the WithTLSConfigFactory server option and building a custom plugin.

Thanks in advance!

tihomir · August 5, 2022, 8:01pm

Setting a custom provider via WithTLSConfigFactory would be the best option at this time.

praveenthuwat · August 9, 2022, 1:46am

Understood, thank you!

Bohdan · August 26, 2025, 4:42pm

Any updates on this topic? Would it be possible to have auto-detection and automatic reloading of renewed TLS certificates without downtime on a self-hosted setup?

antonio.perez · August 27, 2025, 1:11pm

Hi

there is a refreshInterval in the tls section that you can configure

github.com/temporalio/temporal

config/docker.yaml

3f18d9059


      
                        {{- fail "No visibility configured. Cassandra is no longer supported for visibility." -}}
                      {{- end }}
          
          global:
              membership:
                  maxJoinDuration: 30s
                  broadcastAddress: "{{ env "TEMPORAL_BROADCAST_ADDRESS" }}"
              pprof:
                  port: {{ default "0" (env "PPROF_PORT") }}
              tls:
                  refreshInterval: {{ default "0s" (env "TEMPORAL_TLS_REFRESH_INTERVAL") }}
                  expirationChecks:
                      warningWindow: {{ default "0s" (env "TEMPORAL_TLS_EXPIRATION_CHECKS_WARNING_WINDOW") }}
                      errorWindow: {{ default "0s" (env "TEMPORAL_TLS_EXPIRATION_CHECKS_ERROR_WINDOW") }}
                      checkInterval: {{ default "0s" (env "TEMPORAL_TLS_EXPIRATION_CHECKS_CHECK_INTERVAL") }}
                  internode:
                      # This server section configures the TLS certificate that internal temporal
                      # cluster nodes (history, matching, and internal-frontend) present to other
                      # clients within the Temporal Cluster.
                      server:
                          requireClientAuth: {{ default "false" (env "TEMPORAL_TLS_REQUIRE_CLIENT_AUTH") }}

Topic		Replies	Views
Configuring namespace specific TLS certificates dynamically Community Support go-sdk	4	1308	May 28, 2021
Error after upgrading from 1.14.4 to 1.15.2 Community Support tls	1	682	March 16, 2022
Container continuously getting restarted Server Deployment	2	901	April 8, 2024
Write to log if temporal certificate is about to expire Community Support	0	155	April 22, 2024
HELP: How to create a client with TLS Community Support go-sdk	8	3749	May 20, 2022

Dynamic TLS cert reload is not working

Related topics