From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Donald Stufft <donald(at)stufft(dot)io> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Gracefully Reload SSL Certificates |
Date: | 2015-04-08 22:35:58 |
Message-ID: | 20150408223558.GD22805@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Apr 8, 2015 at 11:48:11AM -0400, Donald Stufft wrote:
> Currently replacing the SSL certificates for PostgreSQL requires a full server
> restart. However in the infrastructure for www.python.org (and in the future,
> pypi.python.org as well) we use short lived certificates (1 day) that
> automatically get rotated when 75% of their lifetime is used up. This means
> that we end up needing to do a full restart of PostgreSQL once a day or so
> which is a disruptive action that causes the site to generate errors while
> PostgreSQL shuts down and starts back up.
>
> It would be great if PostgreSQL could load a new SSL certificate with a
> graceful reload. This would solve our use case perfectly.
>
> In the interim I'm attempting to work around this problem by sticking stunnel
> inbetween PostgreSQL and the clients and use that to terminate TLS since it
> *does* support gracefully reloading certificates.
This has been discussed before and seemed reasonable:
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2015-04-08 23:51:08 | Re: New error code to track unsupported contexts |
Previous Message | David G. Johnston | 2015-04-08 20:50:32 | Re: "rejected" vs "returned with feedback" in new CF app |