On Wed, Apr 8, 2015 at 11:48:11AM -0400, Donald Stufft wrote:
> Currently replacing the SSL certificates for PostgreSQL requires a full server
> restart. However in the infrastructure for www.python.org (and in the future,
> pypi.python.org as well) we use short lived certificates (1 day) that
> automatically get rotated when 75% of their lifetime is used up. This means
> that we end up needing to do a full restart of PostgreSQL once a day or so
> which is a disruptive action that causes the site to generate errors while
> PostgreSQL shuts down and starts back up.
>
> It would be great if PostgreSQL could load a new SSL certificate with a
> graceful reload. This would solve our use case perfectly.
>
> In the interim I'm attempting to work around this problem by sticking stunnel
> inbetween PostgreSQL and the clients and use that to terminate TLS since it
> *does* support gracefully reloading certificates.
This has been discussed before and seemed reasonable:
http://www.postgresql.org/message-id/flat/caas3tyljcv-m0cqfmrrxujwa9_fksckuakt9_l41wnujzyw...@mail.gmail.com#caas3tyljcv-m0cqfmrrxujwa9_fksckuakt9_l41wnujzyw...@mail.gmail.com
--
Bruce Momjian <br...@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
