Describe the bug
When run in server mode, it loads the certificate and starts to watch them for changes. However, it fails to detect when the certificate is renewed using the standard letsencrypt's certbot. Perhaps it happens because certbot uses symlinks to actual certificate files in order to keep the certificate history in /etc/letsencrypt/archive/....
To Reproduce
Start wstunnel with server and provide the certificate in /etc/letsencrypt/live/xx.com/fullchain.pem path. This file is a symlink with a known canonical path; actual certificate files are kept in /etc/letsencrypt/archive/xx.com/... with random different names, so they cannot be fed to wstunnel directly.
Expected behavior
Wstunnel should correctly detect when certificate contents are changed and reload it. Perhaps it needs scanning, if inotify fails to generate a corresponding event when certbot updates the symlink or whatever.
Desktop (please complete the following information):
Additional context
2026-04-12T21:48:04.824552Z INFO wstunnel::protocols::tls::server: Loading tls private key from "/etc/letsencrypt/live/xxx.com/privkey.pem"
2026-04-12T21:48:04.825742Z INFO wstunnel: Starting wstunnel server v10.5.0 with config WsServerConfig { socket_so_mark: SoMark { inner: None }, bind: x.x.x.x:x, websocket_ping_frequency: Some(30s), timeout_connect: 10s, websocket_mask_frame: false, restriction_config: None, tls: true, remote_server_idle_timeout: 180s, mTLS: false }
2026-04-12T21:48:04.826301Z INFO wstunnel::tunnel::server::server: Starting wstunnel server listening on x.x.x.x:x
2026-04-12T21:48:04.827029Z INFO wstunnel::tunnel::tls_reloader: Starting to watch tls certificates and private key for changes to reload them
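The scanning fallback the report asks for can be sketched as follows, as an added example that is not wstunnel's code: on each poll, re-resolve the symlink and compare the resolved target and a content fingerprint against the last snapshot. It assumes a Unix host; the names `CertSnapshot`, `snapshot`, `poll_for_change` and `simulate_renewal`, and the `fullchain1.pem`/`fullchain2.pem` files, are constructed for the demonstration.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};
use std::{fs, io};

/// What a poller remembers about a watched certificate path.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CertSnapshot {
    pub target: PathBuf, // file the symlink chain resolves to right now
    pub digest: u64,     // non-cryptographic fingerprint, change detection only
}

/// Follows symlinks on every call, so a retargeted link shows up on the next poll.
pub fn snapshot(path: &Path) -> io::Result<CertSnapshot> {
    let target = fs::canonicalize(path)?;
    let mut hasher = DefaultHasher::new();
    fs::read(&target)?.hash(&mut hasher);
    Ok(CertSnapshot { target, digest: hasher.finish() })
}

/// Returns the new snapshot when the certificate should be reloaded.
pub fn poll_for_change(path: &Path, last: &CertSnapshot) -> io::Result<Option<CertSnapshot>> {
    let now = snapshot(path)?;
    Ok(if now != *last { Some(now) } else { None })
}

/// Constructed live/ -> archive/ layout with a renewal that swaps the symlink.
pub fn simulate_renewal(root: &Path) -> io::Result<(CertSnapshot, Option<CertSnapshot>, Option<CertSnapshot>)> {
    let (archive, live) = (root.join("archive"), root.join("live"));
    fs::create_dir_all(&archive)?;
    fs::create_dir_all(&live)?;
    fs::write(archive.join("fullchain1.pem"), "constructed cert A")?;
    let link = live.join("fullchain.pem");
    symlink(archive.join("fullchain1.pem"), &link)?;
    let first = snapshot(&link)?;
    let unchanged = poll_for_change(&link, &first)?;
    // Renewal: a new file appears in archive/, then the link is replaced by rename.
    fs::write(archive.join("fullchain2.pem"), "constructed cert B")?;
    symlink(archive.join("fullchain2.pem"), live.join("fullchain.pem.tmp"))?;
    fs::rename(live.join("fullchain.pem.tmp"), &link)?;
    let renewed = poll_for_change(&link, &first)?;
    Ok((first, unchanged, renewed))
}

fn main() -> io::Result<()> {
    let root = std::env::temp_dir().join(format!("cert-poll-demo-{}", std::process::id()));
    let (_, unchanged, renewed) = simulate_renewal(&root)?;
    println!("unchanged poll: {unchanged:?}\nafter renewal: {renewed:?}");
    fs::remove_dir_all(&root)
}
```

The private key path needs the same treatment, and a reloader should only swap in the new pair once both files have changed and parse together.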