public inbox for [email protected]  
From: Bob Ross <[email protected]>
To: [email protected]
Subject: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Thu, 23 Oct 2025 07:02:59 +0200
Message-ID: <CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag@mail.gmail.com> (raw)

Hello,

Please consider adding support for rotating SSL certificates on reloading
pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate
rotations do not require a full service restart. PostgreSQL can pick up new
certificates on reload/SIGHUP; pgpool currently requires a restart, which
causes connection disruptions.

*Current behavior:*

   - Replace certificate/key files used by pgpool (e.g., server.crt,
   server.key, related CA chain).
   - Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
   - Observations: Existing and new client connections continue to present
   the old certificate. Only systemctl restart pgpool2 applies the new certs
   (causing connection interruptions).


*Expected behavior:*

   - After systemctl reload pgpool2 / SIGHUP, pgpool should re-read
   SSL-related configuration (server cert, private key, chain/CA, CRL if
   configured) and use them for new client connections, without requiring a
   full restart.
   - Existing connections can continue with the old context; only new
   handshakes should use the updated materials.
   - If reload fails, log a clear error and keep using the previous context
   to avoid breaking clients.
   - Consider parity with PostgreSQL’s SIGHUP behavior for certificate
   reloads where feasible.


Regards,
Bob Ross
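The reload semantics the request describes (new handshakes pick up the freshly loaded certificate, a failed reload logs an error and keeps serving with the previous context), as an added Python sketch that is not pgpool or PostgreSQL code; `ReloadableTlsContext` and `load_context` are assumed names, and the file names are the ones mentioned above.

```python
import logging
import signal
import ssl
import threading
from typing import Callable, Optional

log = logging.getLogger("tls-reload")

def load_context(certfile: str, keyfile: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a fresh server context; bad PEM or key/cert mismatch raises here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx

class ReloadableTlsContext:
    """Holds the context used for *new* handshakes and swaps it atomically.
    Sockets already wrapped keep the context they were wrapped with."""

    def __init__(self, loader: Callable[[], ssl.SSLContext]):
        self._loader = loader
        self._lock = threading.Lock()
        self._ctx = loader()      # the initial load must succeed
        self.generation = 0       # bumped on every successful reload

    def current(self) -> ssl.SSLContext:
        with self._lock:
            return self._ctx

    def reload(self) -> bool:
        """Try to build a new context; on any failure, log and keep the old one."""
        try:
            new_ctx = self._loader()
        except Exception as exc:  # keep serving with the old certificate
            log.error("SSL reload failed, keeping previous certificate: %s", exc)
            return False
        with self._lock:
            self._ctx = new_ctx
            self.generation += 1
        return True

    def install_sighup(self) -> None:
        # A real daemon would set a flag here and call reload() from its main loop.
        signal.signal(signal.SIGHUP, lambda signum, frame: self.reload())

if __name__ == "__main__":  # file names as in the request; use real ones
    holder = ReloadableTlsContext(lambda: load_context("server.crt", "server.key"))
    holder.install_sighup()
```

Each accepted client socket is wrapped with `holder.current().wrap_socket(sock, server_side=True)`, so connections established before a SIGHUP keep the old context while later handshakes use the new one.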
