From: Tatsuo Ishii <[email protected]>
To: [email protected]
Subject: pgpool: Feature: reload SSL certificates on SIGHUP without restart.
Date: Sat, 18 Apr 2026 10:05:28 +0000
Message-ID: <[email protected]>

Feature: reload SSL certificates on SIGHUP without restart.

Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.

Problem:

All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.

Fix:

1. src/main/pgpool_main.c
   - Include utils/pool_ssl.h.
   - In reload_config(), call SSL_ServerSide_init() (guarded by
     #ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
     already replaces SSL_frontend_context atomically: it frees the old
     SSL_CTX only after a new one has been created successfully, so a
     failed reload leaves the existing context intact.

2. src/protocol/child.c
   - In check_config_reload(), call SSL_ServerSide_init() (guarded by
     #ifdef USE_SSL) so each worker child also refreshes its own copy of
     the SSL context for subsequent new connections. In-flight TLS
     sessions are unaffected because they hold a direct reference to the
     SSL object, not to SSL_frontend_context.

3. src/config/pool_config_variables.c
   - Change CFGCXT_INIT -> CFGCXT_RELOAD for:
     ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
     ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
     ssl_dh_params_file, ssl_passphrase_command.
   - The 'ssl' boolean (master enable flag) is intentionally left as
     CFGCXT_INIT because dynamically enabling SSL at runtime is a
     larger, separate concern.

Usage after this change:

Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):

    # replace /etc/pgpool/server.{crt,key} with new files
    systemctl reload pgpool2
    # or: pgpool -f /etc/pgpool/pgpool.conf reload

New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.

Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.

Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mai...

Branch
------
master

Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=931a37e7f63fe514e989d427e1b0c2b7f4344...

Modified Files
--------------
doc.ja/src/sgml/ssl.sgml | 64 +++--
doc/src/sgml/ssl.sgml | 60 ++++-
src/config/pool_config_variables.c | 21 +-
src/main/pgpool_main.c | 18 ++
src/protocol/child.c | 12 +
src/test/regression/tests/042.ssl_reload/README | 6 +
.../regression/tests/042.ssl_reload/server.crt | 79 ++++++
.../regression/tests/042.ssl_reload/server.key | 27 ++
.../regression/tests/042.ssl_reload/server.req | 61 +++++
src/test/regression/tests/042.ssl_reload/test.sh | 290 +++++++++++++++++++++
10 files changed, 584 insertions(+), 54 deletions(-)
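
A post-reload check an operator could run, added here as an example and not part of the commit or of Pgpool-II: since a failed reload keeps the previous context and each worker refreshes on its own, it polls new connections until the served certificate's fingerprint matches the file on disk several times in a row. The host, port 9999, the `NEED` and `POLL_INTERVAL` variables, the script name and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the commit. Assumed: pgpool on localhost:9999,
# OpenSSL 1.1.1+ (for -starttls postgres); NEED/POLL_INTERVAL are local knobs.

# SHA-256 fingerprint of a PEM certificate in file $1, or on stdin if $1 is "-".
cert_fp() {
    if [ "$1" = "-" ]; then set --; else set -- -in "$1"; fi
    openssl x509 -noout -fingerprint -sha256 "$@" 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate presented to a new connection on $1:$2,
# negotiated with the PostgreSQL SSLRequest handshake.
served_fp() {
    openssl s_client -connect "$1:$2" -starttls postgres </dev/null 2>/dev/null |
        cert_fp -
}

# wait_for_cert CERT HOST PORT TRIES
# Each new connection may reach a different worker, so require NEED matches
# in a row. Returns 0 = rotated cert served, 1 = old cert still seen
# (e.g. the reload failed and the previous context was kept), 2 = bad CERT.
wait_for_cert() {
    want=$(cert_fp "$1")
    if [ -z "$want" ]; then return 2; fi
    tries=$4
    streak=0
    while [ "$tries" -gt 0 ]; do
        if [ "$(served_fp "$2" "$3")" = "$want" ]; then
            streak=$((streak + 1))
            if [ "$streak" -ge "${NEED:-3}" ]; then return 0; fi
        else
            streak=0
        fi
        tries=$((tries - 1))
        sleep "${POLL_INTERVAL:-1}"
    done
    return 1
}

# Example: ./check_reload.sh /etc/pgpool/server.crt localhost 9999 10
if [ "$#" -gt 0 ]; then
    wait_for_cert "$1" "${2:-localhost}" "${3:-9999}" "${4:-10}"
fi
```

Run it right after `systemctl reload pgpool2`; a non-zero exit is the signal to inspect the pgpool log before the old certificate expires.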