I'm running an SSL-secured HTTP server based on aiohttp's high-level interface. I'm running the server as follows:

```python
import ssl
import aiohttp.web

# ssl_certfile / ssl_keyfile hold the paths to the server certificate and key
ssl_context = ssl.create_default_context()
ssl_context.load_cert_chain(certfile=ssl_certfile, keyfile=ssl_keyfile)
aiohttp.web.run_app(app, ssl_context=ssl_context)
```
When the SSL certificate is renewed the server does not pick up the renewed server certificate but keeps serving the old certificate.
I don't seem to be able to find any documentation regarding renewal of SSL certs at runtime. How can I replace the server's SSL certificate at runtime?
Have you attempted to just reload a new cert chain into the ssl_context you create when you need to, e.g. with a timed repeating task that checks whether the certfile and keyfile have been changed since they were last loaded?
Based on a peek into the internals, aiohttp.web.run_app passes the ssl_context down to the ...BaseSites, which use it when calling ...asyncio.create_server, but based on that cursory look I don't think the context ever gets copied in a way that would make that not work.
Failing that, I think you'd have a better time simply restarting the server upon SSL certificate renewal.
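The timed repeating task suggested above, as an added example that is not part of the original answer: it polls the mtimes of the cert and key files and calls load_cert_chain on the SSLContext that run_app already holds; the CertReloader class, its run() coroutine (to be started e.g. from an app.on_startup handler) and the RecordingContext stand-in used by demo() are assumptions, not aiohttp API. A renewal that has written the new cert but not yet the key fails to load as a mismatched pair, so the old chain is kept and the check is retried on the next tick.

```python
import asyncio
import os
import ssl
import tempfile

class CertReloader:
    """Reload a renewed cert/key pair into the live SSLContext when the files change."""
    def __init__(self, ssl_context, certfile, keyfile):
        self.ssl_context, self.certfile, self.keyfile = ssl_context, certfile, keyfile
        # The context was loaded from these files before run_app(): remember their mtimes.
        self.loaded_stamp = self._stamp()

    def _stamp(self):
        return (os.stat(self.certfile).st_mtime_ns, os.stat(self.keyfile).st_mtime_ns)

    def check_and_reload(self):
        """Reload if either file changed since the last load; True when reloaded."""
        stamp = self._stamp()
        if stamp == self.loaded_stamp:
            return False
        # Loading into the context run_app() holds is enough: new handshakes get the new chain.
        self.ssl_context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
        self.loaded_stamp = stamp
        return True

    async def run(self, interval=3600):
        while True:
            await asyncio.sleep(interval)
            try:
                self.check_and_reload()
            except (OSError, ssl.SSLError):
                # Half-written renewal (cert without matching key) or missing file: keep old chain, retry.
                pass

class RecordingContext:  # constructed stand-in for ssl.SSLContext; counts loads
    loads = 0

    def load_cert_chain(self, certfile, keyfile):
        self.loads += 1

def demo():
    # Constructed scenario: no change, then a renewed cert file, then no change.
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        for path in (cert, key):
            open(path, "w").close()  # empty placeholders, not real PEM files
        reloader = CertReloader(RecordingContext(), cert, key)
        first = reloader.check_and_reload()
        os.utime(cert, ns=(0, os.stat(cert).st_mtime_ns + 5 * 10**9))  # simulate renewal
        second, third = reloader.check_and_reload(), reloader.check_and_reload()
        return first, second, third, reloader.ssl_context.loads  # -> (False, True, False, 1)
```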