| From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
|---|---|
| To: | bob(dot)ross(dot)19821(at)gmail(dot)com |
| Cc: | pgpool-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Rotate SSL certificates on reload (SIGHUP) without restart |
| Date: | 2026-04-17 11:06:56 |
| Message-ID: | 20260417.200656.850534290259556895.ishii@postgresql.org |
| Lists: | pgpool-hackers |
Hi Bob,
> Hi Tatsuo,
>
> I've fixed the test failure. The issue was that the original test used the
> static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
> pgpool verifies the backend certificate against it, and the self-signed
> cert failed that check. The fix generates a dedicated server CA in the test
> and issues a backend cert signed by it, so pgpool can always verify the
> backend while ca1/ca2 are independently swapped to test client-cert trust
> rotation.
That makes sense.
> The test now passes:
>
> CA cert swap: CA1-signed client cert accepted before reload – ok.
> CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok.
> testing 042.ssl_reload...ok.
> out of 1 ok:1 failed:0 timeout:0
>
> pgpool.log showing client cert accepted before reload:
>
> 2026-04-17 09:23:31.449: child pid 81378: DEBUG: got the SSL certificate
> 2026-04-17 09:23:31.449: child pid 81378: DETAIL: Protocol Major: 3 Minor: 0 database: test user: ssltest
> 2026-04-17 09:23:31.450: child pid 81378: DETAIL: client->server SSL response: S
> 2026-04-17 09:23:31.455: child pid 81378: DETAIL: auth kind:0
>
> SSL certificate reload completed:
>
> 2026-04-17 09:23:31.471: main pid 81347: LOG: reload SSL certificates.
>
> pgpool.log showing client cert rejected after reload:
>
> 2026-04-17 09:23:32.485: psql pid 81385: DETAIL: SSLRequest from client
> 2026-04-17 09:23:32.493: psql pid 81385: LOG: pool_ssl: "SSL_accept": "certificate verify failed"
> 2026-04-17 09:23:32.493: psql pid 81385: ERROR: failed while reading startup packet
>
> No changes to the core patch.
> The updated v4 is attached.
Now the test succeeded here. Many thanks. I will push the patch
tomorrow.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp
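The trust-rotation check the quoted test performs, reproduced with plain openssl as an added example. This is neither pgpool's regression test 042.ssl_reload nor part of the v4 patch; it only reproduces the certificate side of the check so the two outcomes in the quoted log ("accepted before reload", "certificate verify failed" after) can be seen without running pgpool. It assumes nothing about pgpool's configuration keys: the file at $SSL_CA_CERT simply stands in for whichever CA bundle pgpool re-reads on SIGHUP, and every name used (ca1, ca2, server_ca, client, backend, the helper functions) is constructed for this example. It goes one step beyond the quoted output by also confirming that the backend certificate chains only to the dedicated server CA, which is what lets the backend keep verifying while ca1/ca2 are swapped.

```shell
#!/bin/sh
# Added example, not pgpool's own test: build two independent client CAs
# (ca1, ca2) and a separate server CA, issue a client cert from ca1 and a
# backend cert from server_ca, then check which bundle trusts which cert.
# All CA/cert names and the $SSL_CA_CERT path are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSL_CA_CERT="$WORK/ssl_ca_cert.pem"   # stands in for the bundle pgpool re-reads on SIGHUP

# make_ca NAME: self-signed CA; keyCertSign makes `openssl verify` accept it as a root
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert NAME CA: end-entity key + CSR for NAME, signed by CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_cert BUNDLE NAME: prints "accepted" if NAME's cert chains to BUNDLE, else "rejected"
check_cert() {
    if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# install_ca NAME: rotate the trust bundle in place, as the test does before the reload
install_ca() {
    cp "$WORK/$1.crt" "$SSL_CA_CERT"
}

make_ca ca1
make_ca ca2
make_ca server_ca
issue_cert client ca1            # CA1-signed client certificate
issue_cert backend server_ca     # backend certificate chained to the dedicated server CA

install_ca ca1
BEFORE=$(check_cert "$SSL_CA_CERT" client)             # accepted: bundle is ca1
install_ca ca2
AFTER=$(check_cert "$SSL_CA_CERT" client)              # rejected: bundle is now ca2
BACKEND=$(check_cert "$WORK/server_ca.crt" backend)    # accepted: unaffected by the swap
CROSS=$(check_cert "$WORK/ca1.crt" backend)            # rejected: backend does not chain to ca1

echo "client cert vs bundle before swap: $BEFORE"
echo "client cert vs bundle after swap:  $AFTER"
echo "backend cert vs server CA:         $BACKEND"
echo "backend cert vs ca1:               $CROSS"
```

The last line is the reason the quoted fix introduces a separate server CA: if the rotated bundle were also the only trust anchor for the backend, swapping ca1 for ca2 would break backend verification at the same moment it is meant to reject the old client certificate, and the test could not tell the two effects apart.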