Re: Gracefully Reload SSL Certificates
| From | Bruce Momjian |
|---|---|
| Subject | Re: Gracefully Reload SSL Certificates |
| Date | |
| Msg-id | 20150408223558.GD22805@momjian.us |
| In reply to | Gracefully Reload SSL Certificates (Donald Stufft <donald@stufft.io>) |
| List | pgsql-hackers |
On Wed, Apr 8, 2015 at 11:48:11AM -0400, Donald Stufft wrote:

> Currently replacing the SSL certificates for PostgreSQL requires a full server
> restart. However in the infrastructure for www.python.org (and in the future,
> pypi.python.org as well) we use short lived certificates (1 day) that
> automatically get rotated when 75% of their lifetime is used up. This means
> that we end up needing to do a full restart of PostgreSQL once a day or so
> which is a disruptive action that causes the site to generate errors while
> PostgreSQL shuts down and starts back up.
>
> It would be great if PostgreSQL could load a new SSL certificate with a
> graceful reload. This would solve our use case perfectly.
>
> In the interim I'm attempting to work around this problem by sticking stunnel
> in between PostgreSQL and the clients and use that to terminate TLS since it
> *does* support gracefully reloading certificates.

This has been discussed before and seemed reasonable:

http://www.postgresql.org/message-id/flat/CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com#CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +
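The rotation policy Donald describes (short-lived certificates replaced once 75% of their validity has elapsed) is the schedule that drives how often the server has to pick up a new certificate. The following is an added example, not code from this thread or from PostgreSQL or the python.org infrastructure; the function names, the 75% constant and the timestamps are illustrative assumptions. It computes the rotation deadline from a certificate's validity window, treats an expired or not-yet-valid window as "rotate now", and derives how many reloads per day the policy implies for a given lifetime.

```python
from datetime import datetime, timedelta, timezone

# Policy from the thread: rotate once this fraction of the lifetime is used.
# The name and default value are assumptions for this example.
ROTATE_AT = 0.75


def rotation_deadline(not_before, not_after, fraction=ROTATE_AT):
    """Instant at which `fraction` of the certificate's lifetime has elapsed.

    `not_before` / `not_after` are timezone-aware datetimes taken from the
    certificate's validity window (this example does not parse X.509 itself).
    """
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    if not_after <= not_before:
        raise ValueError("certificate validity window is empty or inverted")
    lifetime = not_after - not_before
    return not_before + lifetime * fraction


def needs_rotation(not_before, not_after, now, fraction=ROTATE_AT):
    """True when the certificate should be replaced at instant `now`."""
    return now >= rotation_deadline(not_before, not_after, fraction)


def seconds_until_rotation(not_before, not_after, now, fraction=ROTATE_AT):
    """Sleep time for a rotation daemon; 0.0 when rotation is already due.

    Also 0.0 for a certificate that is already expired, so the daemon never
    waits on a certificate that can no longer be served.
    """
    if now >= not_after:
        return 0.0
    remaining = rotation_deadline(not_before, not_after, fraction) - now
    return max(0.0, remaining.total_seconds())


def reloads_per_day(lifetime, fraction=ROTATE_AT):
    """Number of certificate reloads per day the policy implies.

    With a 1-day lifetime and a 75% threshold a new certificate is installed
    every 18 hours, i.e. 1.33 times a day; each of those is a full restart
    when the server cannot reload its certificate in place.
    """
    return timedelta(days=1) / (lifetime * fraction)


if __name__ == "__main__":
    # Constructed 1-day validity window, purely for demonstration.
    nb = datetime(2015, 4, 8, 0, 0, tzinfo=timezone.utc)
    na = nb + timedelta(days=1)
    for hour in (12, 18, 19, 25):
        now = nb + timedelta(hours=hour)
        print(hour, needs_rotation(nb, na, now),
              seconds_until_rotation(nb, na, now))
    print("reloads/day:", reloads_per_day(timedelta(days=1)))
```

The `seconds_until_rotation` value is what a rotation daemon would sleep for; the point of the thread is that what happens at the end of that sleep is a disruptive restart unless the server can reload the new file in place.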