HAProxy - Dynamically updating SSL certs without a reload

We currently use HAProxy to manage TLS termination for thousands of domains, all of which have Let's Encrypt certs getting rotated on a regular basis.

The relevant config looks like this:

frontend https-in
    bind *:443 ssl strict-sni no-sslv3 crt /usr/src/data/certs/

and /usr/src/data/certs/ is filled with a bunch of .pem files.

The SSL certs are changing all the time as they individually come up for renewal, or new domains get added/removed from our system. Right now we solve this by doing a bulk write of all the certs to /usr/src/data/certs/ and performing a zero-downtime reload of haproxy. This is cumbersome, as we get a very large memory spike during the reload, as the new instance reads in the full load of certs, and the old instance continues running.

We're currently looking at some of the capabilities of the HAProxy Unix Socket commands, and see the many things we can make dynamic (ACLs, Maps, etc). I'm wondering if there's a similar approach we can take to synchronize certs and avoid the constant reload behavior.

Using HAProxy 1.9 for experimenting, but we're not married to any particular version for this. Thanks for any help or suggestions!

Update: I see the docs around manipulating bind here via the data-plane API, but it doesn't indicate explicitly how or when those changes get picked up. Since it includes a boolean for a forced reload (or defaulting to the reload-delay value if set) I'm guessing there's an assumption that a reload is required.

If anyone has a citation to confirm this assumption I'd be grateful.


Solution 1:

In HAProxy 2.1 (Nov 2019), a new feature allows you to change TLS certificates without requiring a reload: https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
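Below is an added example (not part of the answer above, nor HAProxy project code) showing the runtime-API exchange the 2.1 feature relies on: a combined cert+key PEM is pushed with `set ssl cert`, which opens a transaction, and `commit ssl cert` swaps it in without a reload; `abort ssl cert` backs the transaction out. The socket path, the certificate filename and the PEM content are constructed placeholders, and the reply strings checked for ("Transaction created", "Success") are the wording HAProxy 2.1 uses in its acknowledgements; adjust them if your version replies differently.

```python
import socket

# Assumption: the HAProxy stats socket configured with
#   stats socket /var/run/haproxy.sock mode 600 level admin
SOCKET_PATH = "/var/run/haproxy.sock"


def pem_looks_complete(pem: str) -> bool:
    """HAProxy's crt directory holds cert + key in one PEM; refuse to push
    a file that is missing either half, since `set ssl cert` would reject it
    and leave nothing useful to commit."""
    has_cert = "-----BEGIN CERTIFICATE-----" in pem and "-----END CERTIFICATE-----" in pem
    has_key = "PRIVATE KEY-----" in pem
    return has_cert and has_key


def build_set_cert_command(cert_name: str, pem: str) -> str:
    """Runtime-API multi-line payload syntax: the command ends with '<<',
    the payload follows, and an empty line terminates it."""
    body = pem.strip("\n")
    return f"set ssl cert {cert_name} <<\n{body}\n\n"


def build_commit_command(cert_name: str) -> str:
    return f"commit ssl cert {cert_name}\n"


def build_abort_command(cert_name: str) -> str:
    return f"abort ssl cert {cert_name}\n"


def send_command(command: str, socket_path: str = SOCKET_PATH) -> str:
    """Send one command over the Unix stats socket and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(command.encode())
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def rotate_certificate(cert_name: str, pem: str, socket_path: str = SOCKET_PATH) -> bool:
    """Replace an already-loaded certificate in place. `cert_name` must be
    the filename HAProxy loaded it under (see `show ssl cert`)."""
    if not pem_looks_complete(pem):
        raise ValueError("PEM must contain both a certificate and a private key")

    reply = send_command(build_set_cert_command(cert_name, pem), socket_path)
    if "Transaction created" not in reply:
        # Nothing was staged, so there is nothing to abort.
        raise RuntimeError(f"set ssl cert rejected: {reply.strip()}")

    reply = send_command(build_commit_command(cert_name), socket_path)
    if "Success" not in reply:
        # Back out the pending transaction so the old cert keeps serving.
        send_command(build_abort_command(cert_name), socket_path)
        raise RuntimeError(f"commit ssl cert failed: {reply.strip()}")
    return True


# Constructed placeholder PEM for illustration only; not a real certificate or key.
EXAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholder\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEplaceholder\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Assumed filename; it must match what HAProxy loaded from the crt directory.
    rotate_certificate("/usr/src/data/certs/example.com.pem", EXAMPLE_PEM)
```

Only certificates HAProxy already knows about can be replaced this way in 2.1; a brand-new domain still needs its file on disk and a reload (later versions add `new ssl cert` and crt-list manipulation for that case). Run `show ssl cert <filename>` afterwards to confirm the serial and expiry changed.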