Re: Rotate SSL certificates on reload (SIGHUP) without restart

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Tue, 31 Mar 2026 18:48:32 +0900 (JST)
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>

> Hi Tatsuo,
> 
> I believe no additional changes are needed for healthcheck and streaming
> replication check.
> 
> My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
> maintains a process-wide cached SSL_frontend_context reused across incoming
> TLS handshakes, and therefore must be explicitly refreshed on reload.
> 
> In contrast, the health check (src/main/health_check.c) and the SR check
> worker (src/streaming_replication/pool_worker_child.c) establish outgoing
> connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
> This invokes init_ssl_ctx() for each new connection, creating a fresh
> SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
> etc.) directly from pool_config at connection time. There is no long-lived
> SSL context to refresh in these processes.
> 
> Given that the SSL configuration parameters are now marked as CFGCXT_RELOAD
> in src/config/pool_config_variables.c, a SIGHUP causes both processes to
> reload pool_config via their respective reload_config() functions. As a
> result, subsequent outgoing backend connections will naturally pick up the
> updated certificate settings.

Thank you for the explanation. Yes, health check and SR check worker
establish connection to backend every time they need. I should have
remembered that.

I am going to write a regression test for this feature unless you are
willing to work on it.

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox