Re: Rotate SSL certificates on reload (SIGHUP) without restart

From: Tatsuo Ishii <ishii(at)postgresql(dot)org>
To: bob(dot)ross(dot)19821(at)gmail(dot)com
Cc: pgpool-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: 2026-04-18 10:08:14
Message-ID: 20260418.190814.809044567365990699.ishii@postgresql.org
Lists: pgpool-hackers

Hi Bob,

>> Hi Tatsuo,
>>
>> I've fixed the test failure. The issue was that the original test used the
>> static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
>> pgpool verifies the backend certificate against it, and the self-signed
>> cert failed that check. The fix generates a dedicated server CA in the test
>> and issues a backend cert signed by it, so pgpool can always verify the
>> backend while ca1/ca2 are independently swapped to test client-cert trust
>> rotation.
>
> That makes sense.
>
>> The test now passes:
>>
>> CA cert swap: CA1-signed client cert accepted before reload – ok.
>> CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok.
>> testing 042.ssl_reload...ok.
>> out of 1 ok:1 failed:0 timeout:0
>>
>> pgpool.log showing client cert accepted before reload:
>>
>> 2026-04-17 09:23:31.449: child pid 81378: DEBUG: got the SSL certificate
>> 2026-04-17 09:23:31.449: child pid 81378: DETAIL: Protocol Major: 3 Minor: 0 database: test user: ssltest
>> 2026-04-17 09:23:31.450: child pid 81378: DETAIL: client->server SSL response: S
>> 2026-04-17 09:23:31.455: child pid 81378: DETAIL: auth kind:0
>>
>> SSL certificate reload completed:
>>
>> 2026-04-17 09:23:31.471: main pid 81347: LOG: reload SSL certificates.
>>
>> pgpool.log showing client cert rejected after reload:
>>
>> 2026-04-17 09:23:32.485: psql pid 81385: DETAIL: SSLRequest from client
>> 2026-04-17 09:23:32.493: psql pid 81385: LOG: pool_ssl: "SSL_accept": "certificate verify failed"
>> 2026-04-17 09:23:32.493: psql pid 81385: ERROR: failed while reading startup packet
>>
>> No changes to the core patch.
>> The updated v4 is attached.
>
> Now the test succeeded here. Many thanks. I will push the patch
> tomorrow.

I have pushed this to master branch along with documentation changes.
https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=931a37e7f63fe514e989d427e1b0c2b7f4344c0d

Thank you!
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp
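The test layout Bob describes above (a dedicated server CA so pgpool can always verify the backend, plus two independent client CAs that get swapped to exercise trust rotation) can be reproduced outside the pgpool test suite with plain openssl. The script below is an added example, not the 042.ssl_reload test or any other pgpool code; the CA names (server_ca, ca1, ca2), the leaf names (backend, client1) and the working directory are constructed for the demo. It builds the PKI and then checks, the way pgpool's ssl_ca_cert verification would, that a ca1-signed client certificate chains to ca1 and not to ca2.

```shell
#!/bin/sh
# Added example (not pgpool's own test code): build the throwaway PKI from the
# thread with openssl and check which CA accepts the client certificate.
set -eu

# Working directory for keys and certs; constructed for this demo.
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : self-signed CA certificate and key named NAME
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CA : leaf certificate for NAME, signed by the CA named CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 2 \
        -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# verifies CA LEAF : exit 0 if LEAF chains to CA, non-zero otherwise.
# This is the check pgpool performs against ssl_ca_cert; the test in the
# thread swaps ca1 for ca2 on reload and expects this to flip from 0 to 1.
verifies() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# build_pki : server CA + backend cert (never swapped), two client CAs,
# and one client cert signed by ca1
build_pki() {
    make_ca server_ca
    issue backend server_ca
    make_ca ca1
    make_ca ca2
    issue client1 ca1
}

# Stand-alone run: build everything and report what each CA accepts.
if [ "${1:-}" = "run" ]; then
    build_pki
    verifies server_ca backend && echo "backend cert verifies against server_ca"
    verifies ca1 client1 && echo "client1 verifies against ca1 (before reload)"
    verifies ca2 client1 || echo "client1 rejected by ca2 (after reload)"
fi
```

Run it as `sh pki_demo.sh run`; the three lines it prints correspond to the backend check that must keep passing and to the before/after states of the client-cert check that the test asserts.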
