Re: [PATCH] Reload SSL certificates on SIGHUP

On 11/09/2016 06:54 AM, Michael Paquier wrote:
> It seems to me that this patch is missing something... To begin with,
> src/test/ssl/ServerSetup.pm should be patched so as the new SSL
> configuration is reloaded after pg_ctl reload, and not after an
> instance restart. That's straight-forward:
> --- a/src/test/ssl/ServerSetup.pm
> +++ b/src/test/ssl/ServerSetup.pm
> @@ -96,7 +96,7 @@ sub configure_test_server_for_ssl
> close HBA;
> }
>
> -# Change the configuration to use given server cert file, and restart
> +# Change the configuration to use given server cert file, and reload
> # the server so that the configuration takes effect.
> sub switch_server_cert
> {
> @@ -115,6 +115,6 @@ sub switch_server_cert
> print SSLCONF "ssl_crl_file='root+client.crl'\n";
> close SSLCONF;
>
> - # Stop and restart server to reload the new config.
> - $node->restart;
> + # Reload the new configuration set.
> + $node->reload;
> }
>
> Once I did that, half of the tests are failing. And I would have
> expected all of them to work properly.

Those tests fail due to that listen_addresses cannot be changed on
reload so none of the test cases can even connect to the database. When
I hacked ServerSetup.pm to set the correct listen_address before
starting all tests pass.

It is a bit annoying that if pg_hba.conf contains hostssl then postgres
will refuse to start. Maybe this is something we should also fix in this
patch since now when we can enable SSL after starting it becomes more
useful to not bail on hostssl. What do you think?

I will look into writing a cleaner patch for ServerSetup.pm some time
later this week.

Andreas