Re: Rotate SSL certificates on reload (SIGHUP) without restart

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Bob Ross <[email protected]>
To: Tatsuo Ishii <[email protected]>
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Wed, 25 Mar 2026 12:04:03 +0100
Message-ID: <CAHtZvrdud7gjX9pq7ayU2VBQkCosZ7qcx6L9r-KbQkqKW_D9eQ@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag@mail.gmail.com>
	<[email protected]>
	<CAHtZvrdYG5ebRkZF+tZOqOEZ4WMjMjAC8efiKBRKQua2JHpJ9g@mail.gmail.com>
	<[email protected]>

Hi Tatsuo,

Please find the attached patch that implements this feature. This patch
allows Pgpool-II to pick up rotated TLS certificates upon receiving a
SIGHUP without a restart, aligning its behavior with PG 12+.
As this is my first time contributing to the Pgpool-II project, please bear
with me if I missed any specific formatting or submission conventions. I am
happy to make any necessary adjustments to the code.

Thanks,
Bob

On Thu, Mar 19, 2026 at 11:22 AM Tatsuo Ishii <[email protected]> wrote:

> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Have there been any further considerations regarding changes to the
> pgPool
> > codebase to support SSL certificate rotation on reload?
> >
> > As DigiCert has announced last year (
> >
> https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
> ),
> > TLS/SSL certificate lifetimes will be reduced progressively in the coming
> > years, with the industry moving toward much shorter validity periods.
> This
> > makes the current requirement to fully restart the service for
> certificate
> > renewal increasingly impractical.
> >
> > Please let us know whether this enhancement is being considered, or if
> > there are any plans or timelines for addressing it.
>
> I just have too many things to do for now (fixing bugs and evaluating
> proposed patches), and I cannot estimate timelines for this. Plus, I
> am not super familiar with this are (SSL). If you could provide
> patches for this, it would greatly help me.
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>


Attachments:

  [application/octet-stream] 0001-feat-reload-SSL-certificates-on-SIGHUP.c (7.2K, 3-0001-feat-reload-SSL-certificates-on-SIGHUP.c)
  download

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
  In-Reply-To: <CAHtZvrdud7gjX9pq7ayU2VBQkCosZ7qcx6L9r-KbQkqKW_D9eQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox