From: Bob Ross
Date: Thu, 23 Oct 2025 07:02:59 +0200
Subject: Rotate SSL certificates on reload (SIGHUP) without restart
To: pgpool-hackers@lists.postgresql.org

Hello,

Please consider adding support for rotating SSL certificates on reloading pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate rotations do not require a full service restart.

PostgreSQL can pick up new certificates on reload/SIGHUP; pgpool currently requires a restart, which causes connection disruptions.

*Current behavior:*
- Replace certificate/key files used by pgpool (e.g., server.crt, server.key, related CA chain).
- Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
- Observations: Existing and new client connections continue to present the old certificate. Only systemctl restart pgpool2 applies the new certs (causing connection interruptions).

*Expected behavior:*
- After systemctl reload pgpool2 / SIGHUP, pgpool should re-read SSL-related configuration (server cert, private key, chain/CA, CRL if configured) and use them for new client connections, without requiring a full restart.
- Existing connections can continue with the old context; only new handshakes should use the updated materials.
- If reload fails, log a clear error and keep using the previous context to avoid breaking clients.
- Consider parity with PostgreSQL's SIGHUP behavior for certificate reloads where feasible.

Regards,
Bob Ross
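The reload semantics asked for above (re-read the files on reload, hand the new material only to new handshakes, leave established sessions alone, and on a failed reload log and keep the previous context), as an added example that is not part of this thread and not pgpool's code. It uses Go's crypto/tls rather than pgpool's C/OpenSSL; the CertStore, Reload, TLSConfig, ServedCommonName, WriteSelfSignedPEM and RotationDemo names, the self-signed test certificates and the "pgpool-old"/"pgpool-new" CommonNames are all constructed for this example. The SIGHUP plumbing itself is left out: the parent process would call Reload from its existing reload path (in Go, a signal.Notify loop on syscall.SIGHUP).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"os"
	"sync/atomic"
	"time"
)

// CertStore holds the certificate handed to new TLS handshakes (added example, not pgpool code).
type CertStore struct {
	certFile, keyFile string
	current           atomic.Pointer[tls.Certificate]
}

// Reload parses cert+key *before* swapping: a missing, truncated or mismatched
// pair returns an error and leaves the previous certificate in service.
func (s *CertStore) Reload() error {
	cert, err := tls.LoadX509KeyPair(s.certFile, s.keyFile)
	if err != nil {
		return err
	}
	s.current.Store(&cert) // atomic swap; no lock on the handshake path
	return nil
}

// TLSConfig asks the store on every handshake, so only new connections see a
// rotation; sessions already established keep what they negotiated.
func (s *CertStore) TLSConfig() *tls.Config {
	return &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		return s.current.Load(), nil // nil before the first Reload: crypto/tls then rejects the handshake
	}}
}

// ServedCommonName is the server-certificate CommonName a freshly connecting client would see.
func ServedCommonName(cfg *tls.Config) string {
	cert, err := cfg.GetCertificate(&tls.ClientHelloInfo{})
	must(err)
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	must(err)
	return leaf.Subject.CommonName
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// WriteSelfSignedPEM writes a constructed self-signed cert/key pair with the given
// CommonName, standing in for the files an operator rotates on disk.
func WriteSelfSignedPEM(certFile, keyFile, cn string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	must(os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	must(os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
}

// RotationDemo runs the sequence from the request in a temp dir: rotate the files
// and reload (new CN served), then corrupt the key and reload (error, CN unchanged).
func RotationDemo() (before, after, afterFailure string) {
	dir, err := os.MkdirTemp("", "certrotate")
	must(err)
	defer os.RemoveAll(dir)
	s := &CertStore{certFile: dir + "/server.crt", keyFile: dir + "/server.key"}
	cfg := s.TLSConfig()
	WriteSelfSignedPEM(s.certFile, s.keyFile, "pgpool-old")
	must(s.Reload())
	before = ServedCommonName(cfg)
	WriteSelfSignedPEM(s.certFile, s.keyFile, "pgpool-new") // operator drops new files in place...
	must(s.Reload())                                          // ...and reloads (what SIGHUP would trigger)
	after = ServedCommonName(cfg)
	must(os.WriteFile(s.keyFile, []byte("not a key"), 0o600)) // botched rotation: unusable key file
	err = s.Reload()
	if err == nil {
		panic("reload of an unusable key unexpectedly succeeded")
	}
	log.Printf("reload failed, keeping previous certificate: %v", err)
	afterFailure = ServedCommonName(cfg) // still the rotated certificate, not an outage
	return
}

func main() { log.Println(RotationDemo()) }
```

Two properties make the reload safe to trigger from a signal: parse-before-swap (LoadX509KeyPair validates the pair, including that the key matches the certificate, before the store is touched, so the error path never leaves a half-loaded context), and per-handshake lookup through GetCertificate, which is why connections already established keep the certificate they negotiated and no restart is needed. The OpenSSL shape of the same idea is to build a fresh SSL_CTX from the new files and, only if that succeeds, switch the pointer that new connections' SSL objects are created from; SSL objects already created hold their own reference to the old context.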