public inbox for [email protected]  
From: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Fri, 24 Oct 2025 13:44:47 +0900 (JST)
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag@mail.gmail.com>
References: <CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag@mail.gmail.com>

> Hello,
> 
> Please consider adding support for rotating SSL certificates on reloading
> pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate
> rotations do not require a full service restart. PostgreSQL can pick up new
> certificates on reload/SIGHUP; pgpool currently requires a restart, which
> causes connection disruptions.
> 
> *Current behavior:*
> 
>    - Replace certificate/key files used by pgpool (e.g., server.crt,
>    server.key, related CA chain).
>    - Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
>    - Observations: Existing and new client connections continue to present
>    the old certificate. Only systemctl restart pgpool2 applies the new certs
>    (causing connection interruptions).

Yes, that's the current behavior as described in the docs.

> *Expected behavior:*
> 
>    - After systemctl reload pgpool2 / SIGHUP, pgpool should re-read
>    SSL-related configuration (server cert, private key, chain/CA, CRL if
>    configured) and use them for new client connections, without requiring a
>    full restart.

Doable but needs major surgery to the SSL subsystem
(src/utils/pool_ssl.c) as it assumes that SSL configurations are never
changed until restarting.

>    - Existing connections can continue with the old context; only new
>    handshakes should use the updated materials.

Probably doable.

>    - If reload fails, log a clear error and keep using the previous context
>    to avoid breaking clients.
>    - Consider parity with PostgreSQL’s SIGHUP behavior for certificate
>    reloads where feasible.

Not sure if it's doable. Needs more research on current code.

BTW, PostgreSQL behaves interestingly.

# "server.key" is the correct ssl_key_file.

test=# show ssl_key_file;
 ssl_key_file 
--------------
 server.key
(1 row)

test=# \q
t-ishii$ psql -p 11002 -h localhost test
psql (18.0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

# Change ssl_key_file to "server.key1" which does not exist.
# and reload

t-ishii$ pg_ctl -D data0 reload
server signaled

# keep on using SSL connection

t-ishii$ psql -p 11002 -h localhost test
psql (18.0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

# It seems PostgreSQL keeps on using the previous ssl_key_file value,
# but it shows the new ssl_key_file value.

test=# show ssl_key_file;
 ssl_key_file 
--------------
 server.key1
(1 row)

Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
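
Added example (not part of the message above, and not pgpool-II or PostgreSQL code): a sketch of the reload semantics requested in this thread, where a new context is built on reload, swapped in only if it loads cleanly, and the previous one is kept on failure. Python's ssl module stands in for the OpenSSL calls; TLSReloader and its fields are hypothetical names, and drift() reports the situation where the configured key file differs from the one actually in use.

```python
# Added example: hypothetical names, not pgpool-II or PostgreSQL code.
import logging
import ssl
import threading

log = logging.getLogger("tls_reload")


class TLSReloader:
    """Holds the context used for new handshakes; swaps it only on a clean load."""

    def __init__(self, context=None, certfile=None, keyfile=None):
        self._lock = threading.Lock()
        self._active = context                 # context handed to new handshakes
        self.effective = (certfile, keyfile)   # files the active context came from
        self.configured = (certfile, keyfile)  # what the config currently says

    def reload(self, certfile, keyfile):
        """Call from the SIGHUP handling path. Returns True if the swap happened."""
        self.configured = (certfile, keyfile)
        try:
            # Build a complete new context first; never mutate the live one.
            fresh = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            fresh.load_cert_chain(certfile, keyfile)
        except (OSError, ssl.SSLError) as exc:
            # Missing file, unreadable key, cert/key mismatch: keep the old context.
            log.error("TLS reload failed, keeping %s: %s", self.effective, exc)
            return False
        with self._lock:
            self._active = fresh
            self.effective = (certfile, keyfile)
        return True

    def context_for_new_connection(self):
        # Established connections keep the context they were created with.
        with self._lock:
            return self._active

    def drift(self):
        """True when the configured files are not the ones actually in use."""
        return self.configured != self.effective
```

Exposing drift() in monitoring makes a failed rotation visible instead of leaving the old certificate silently in service until it expires.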

