Skip to content

Check certFile modification time instead of keyFile#3178

Merged
rossnelson merged 1 commit intomainfrom
fix/tls-cert-file-mtime
Apr 22, 2026
Merged

Check certFile modification time instead of keyFile#3178
rossnelson merged 1 commit intomainfrom
fix/tls-cert-file-mtime

Conversation

@rossnelson
Copy link
Copy Markdown
Collaborator

@rossnelson rossnelson commented Feb 24, 2026

Summary

  • Check certFile modification time instead of keyFile when detecting certificate changes
  • When a certificate is renewed using the same key, the key file remains unchanged — so the old cert was never reloaded
  • Adds test case for cert renewal with key reuse

Based on #2805 by @ndtretyak.

Test plan

  • Existing test passes (regenerate both cert and key)
  • New test passes (regenerate only cert with same key)

@rossnelson rossnelson requested a review from a team as a code owner February 24, 2026 14:29
@rossnelson rossnelson requested review from andrewzamojc and removed request for a team February 24, 2026 14:29
@vercel
Copy link
Copy Markdown

vercel Bot commented Feb 24, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
holocene Ready Ready Preview, Comment Apr 8, 2026 3:06pm

Request Review

@rossnelson rossnelson mentioned this pull request Feb 24, 2026
Closed
3 tasks
@rossnelson
Check certFile modification time instead of keyFile
52a9425 
The certLoader was using keyFile's modification time to detect
certificate changes. When a certificate is renewed using the same key,
the keyFile remains unchanged and the new cert is never loaded.

This switches to checking certFile's modification time, which correctly
detects renewals regardless of whether the key was rotated.

Based on #2805 by @ndtretyak.
@rossnelson rossnelson force-pushed the fix/tls-cert-file-mtime branch from 4fc601e to 52a9425 Compare April 8, 2026 15:05
@rossnelson rossnelson merged commit 0726c65 into main Apr 22, 2026
16 checks passed
@rossnelson rossnelson deleted the fix/tls-cert-file-mtime branch April 22, 2026 14:11
@temporal-cicd temporal-cicd Bot mentioned this pull request Apr 22, 2026
Merged
rossedfort added a commit that referenced this pull request Apr 22, 2026
@temporal-cicd @rossedfort
chore: bump version to 2.49.0 (#3337)
7522f27 
Auto-generated version bump from 2.48.4 to 2.49.0

Bump type: minor

Changes included:
- [`9146199f`](9146199) fix: ref main in reusable PR review workflows (#3326)
- [`ca904926`](ca90492) test(e2e): add end-to-end payload decoder coverage (#3321)
- [`4e32d230`](4e32d23) chore: add setup-worktree skill (#3278)
- [`a789fbdb`](a789fbd) Fix decoding payloads for user metadata (#3328)
- [`21f2d448`](21f2d44) ci: remove unused Set up Protoc step from workflows (#3323)
- [`39c41d25`](39c41d2) fix(ui): guard getApiOrigin against undefined VITE_API (#3332)
- [`627cbb1b`](627cbb1) feat: add showInstancesLink prop to deployment header (#3331)
- [`0726c65e`](0726c65) Check certFile modification time instead of keyFile (#3178)
- [`8c79931b`](8c79931) feat(DT-3887): remove Dispatch Rate Epsilon from compute scaling UI (#3334)

Co-authored-by: rossedfort <11775628+rossedfort@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurakwhit laurakwhit laurakwhit approved these changes

@andrewzamojc andrewzamojc Awaiting requested review from andrewzamojc andrewzamojc is a code owner automatically assigned from temporalio/frontend-engineering

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rossnelson @laurakwhit