public inbox for [email protected]  
From: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Fri, 17 Apr 2026 20:06:56 +0900 (JST)
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHtZvrcgCbM8=xTdxhdm_qOnQ4=ttAJpB_amTdG8r4NzcukYAQ@mail.gmail.com>
References: <CAHtZvreKzO3fwfWZfmSPKjc0qN4P5bsvGMLhCir6gSK8pOFnXQ@mail.gmail.com>
	<[email protected]>
	<CAHtZvrcgCbM8=xTdxhdm_qOnQ4=ttAJpB_amTdG8r4NzcukYAQ@mail.gmail.com>

Hi Bob,

> Hi Tatsuo,
> 
> I've fixed the test failure. The issue was that the original test used the
> static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
> pgpool verifies the backend certificate against it, and the self-signed
> cert failed that check. The fix generates a dedicated server CA in the test
> and issues a backend cert signed by it, so pgpool can always verify the
> backend while ca1/ca2 are independently swapped to test client-cert trust
> rotation.

That makes sense.

> The test now passes:
> 
> CA cert swap: CA1-signed client cert accepted before reload – ok.
> CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok.
> testing 042.ssl_reload...ok.
> out of 1 ok:1 failed:0 timeout:0
> 
> pgpool.log showing client cert accepted before reload:
> 
> 2026-04-17 09:23:31.449: child pid 81378: DEBUG:  got the SSL certificate
> 2026-04-17 09:23:31.449: child pid 81378: DETAIL:  Protocol Major: 3 Minor: 0 database: test user: ssltest
> 2026-04-17 09:23:31.450: child pid 81378: DETAIL:  client->server SSL response: S
> 2026-04-17 09:23:31.455: child pid 81378: DETAIL:  auth kind:0
> 
> SSL certificate reload completed:
> 
> 2026-04-17 09:23:31.471: main pid 81347: LOG:  reload SSL certificates.
> 
> pgpool.log showing client cert rejected after reload:
> 
> 2026-04-17 09:23:32.485: psql pid 81385: DETAIL:  SSLRequest from client
> 2026-04-17 09:23:32.493: psql pid 81385: LOG:  pool_ssl: "SSL_accept": "certificate verify failed"
> 2026-04-17 09:23:32.493: psql pid 81385: ERROR:  failed while reading startup packet
> 
> No changes to the core patch.
> The updated v4 is attached.

Now the test succeeded here.  Many thanks. I will push the patch
tomorrow.

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
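The CA-swap check Bob describes above, as an added example that is not part of the patch, of pgpool's test suite, or of anything else in this thread: it uses only openssl to build two independent client CAs (ca1, ca2), issue a client certificate from ca1, and then verify that certificate against each CA bundle, which is the trust decision pgpool's SSL_accept makes before and after ssl_ca_cert is reloaded. It does not start pgpool; it isolates the trust relationship the 042.ssl_reload test relies on. The working directory, file names, CNs and helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not pgpool code). Reproduces the client-CA swap logic of
# the reload test with openssl alone: ca1 and ca2 are unrelated CAs, the
# client cert is issued by ca1, and it is verified against whichever CA
# bundle is "currently loaded". Paths and names below are assumptions.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate (RSA 2048, 1-day validity).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA CN OUT: key and CSR for CN, signed by CA into OUT.crt.
issue_cert() {
    ca="$1"; cn="$2"; out="$3"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 \
        -in "$WORK/$out.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -out "$WORK/$out.crt" >/dev/null 2>&1
}

# verify_against CA CERT: exit 0 if CERT chains to CA, non-zero otherwise.
# This is the same path-validation step SSL_accept performs with the loaded
# ssl_ca_cert; a failure here is what pgpool logs as
# "certificate verify failed".
verify_against() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Fixtures: two independent client CAs and one client cert issued by ca1
# (the CN matches the user in the quoted log, purely for readability).
make_ca ca1
make_ca ca2
issue_cert ca1 ssltest client

# The two states of ssl_ca_cert. Each prints "accepted" or "rejected" so the
# outcome can be checked by a caller rather than only read from the screen.
before_reload() { verify_against ca1 client && echo accepted || echo rejected; }
after_reload()  { verify_against ca2 client && echo accepted || echo rejected; }

printf 'CA1-signed client cert, ssl_ca_cert=ca1 (before reload): %s\n' "$(before_reload)"   # accepted
printf 'CA1-signed client cert, ssl_ca_cert=ca2 (after reload):  %s\n' "$(after_reload)"    # rejected
```

The point of the separate server CA in Bob's fix is visible here by analogy: if ssl_ca_cert were also used to verify the backend, swapping ca1 for ca2 would break that check too, so the backend chain has to be anchored on a CA that the test never rotates.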

