Date: Thu, 19 Mar 2026 19:22:25 +0900 (JST)
Message-Id: <20260319.192225.349123033503761335.ishii@postgresql.org>
To: bob.ross.19821@gmail.com
Cc: pgpool-hackers@lists.postgresql.org
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
From: Tatsuo Ishii
References: <20251024.134447.1860326874693905337.ishii@postgresql.org>

Hi Bob,

> Hi Tatsuo,
>
> Have there been any further considerations regarding changes to the pgPool
> codebase to support SSL certificate rotation on reload?
>
> As DigiCert has announced last year (
> https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days),
> TLS/SSL certificate lifetimes will be reduced progressively in the coming
> years, with the industry moving toward much shorter validity periods. This
> makes the current requirement to fully restart the service for certificate
> renewal increasingly impractical.
>
> Please let us know whether this enhancement is being considered, or if
> there are any plans or timelines for addressing it.

I just have too many things to do for now (fixing bugs and evaluating
proposed patches), and I cannot estimate timelines for this. Plus, I
am not super familiar with this area (SSL). If you could provide
patches for this, it would greatly help me.

Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp