Here is the test I did.

I hardcoded a refresh interval of 5 seconds for the `Refresh` thread of `XrdTlsContext`.

I generated an expired certificate and started an XRootD server with HTTP enabled. I initiated an HTTP transfer with curl and I got the answer from the server that the certificate expired:

```
$ head -c 5M /dev/urandom > /tmp/bigfile_5M
$ curl -v --capath /etc/grid-security/certificates --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --cacert ~/.globus/usercert.pem -X GET https://xrootd-ccaffy-dev01.cern.ch:1096/tmp/bigfile_5M 2>&1 >/dev/null
[...]
curl: (60) Peer's Certificate has expired
[...]
```

While the server is running, I generated a new certificate that expires in more than one year, waited for the CRL refresh thread to run and re-launched a file transfer with curl:

```
$ head -c 5M /dev/urandom > /tmp/bigfile_5M
$ curl -v --capath /etc/grid-security/certificates --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --cacert ~/.globus/usercert.pem -X GET https://xrootd-ccaffy-dev01.cern.ch:1096/tmp/bigfile_5M 2>&1 >/dev/null
[...]
curl: (60) Peer's Certificate has expired
[...]
```

Same result, so the certificate is not renewed automatically by the XRootD HTTP server.

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1678#issuecomment-1234150526