Thread: Gracefully Reload SSL Certificates
Currently replacing the SSL certificates for PostgreSQL requires a full server
restart. However, in the infrastructure for www.python.org (and in the future,
pypi.python.org as well) we use short lived certificates (1 day) that
automatically get rotated when 75% of their lifetime is used up. This means
that we end up needing to do a full restart of PostgreSQL once a day or so,
which is a disruptive action that causes the site to generate errors while
PostgreSQL shuts down and starts back up.

It would be great if PostgreSQL could load a new SSL certificate with a
graceful reload. This would solve our use case perfectly.

In the interim I'm attempting to work around this problem by sticking stunnel
in between PostgreSQL and the clients and using that to terminate TLS, since it
*does* support gracefully reloading certificates.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Wed, Apr 8, 2015 at 11:48:11AM -0400, Donald Stufft wrote:
> Currently replacing the SSL certificates for PostgreSQL requires a full server
> restart. However in the infrastructure for www.python.org (and in the future,
> pypi.python.org as well) we use short lived certificates (1 day) that
> automatically get rotated when 75% of their lifetime is used up. This means
> that we end up needing to do a full restart of PostgreSQL once a day or so
> which is a disruptive action that causes the site to generate errors while
> PostgreSQL shuts down and starts back up.
>
> It would be great if PostgreSQL could load a new SSL certificate with a
> graceful reload. This would solve our use case perfectly.
>
> In the interim I'm attempting to work around this problem by sticking stunnel
> inbetween PostgreSQL and the clients and use that to terminate TLS since it
> *does* support gracefully reloading certificates.

This has been discussed before and seemed reasonable:

http://www.postgresql.org/message-id/flat/CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com#CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +
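An operator running the daily rotation described in this thread needs two checks: whether the certificate on disk has reached the 75% lifetime threshold, and whether the running server is actually serving the new file after a reload or restart. The script below is an added example, not code from the thread or from PostgreSQL: it performs the PostgreSQL SSLRequest handshake to fetch the certificate the server presents and compares its fingerprint with the on-disk PEM file; the lifetime helpers take the validity dates as arguments (extracting them from the certificate is left to the caller, e.g. with the cryptography package). Host, port and path are assumptions.

```python
"""Compare the certificate a running PostgreSQL server serves with the file on
disk, and decide whether a cert has passed the 75%-of-lifetime rotation point."""
import hashlib
import socket
import ssl
import struct
from datetime import datetime

ROTATE_AT = 0.75  # fraction of lifetime after which the thread rotates certs


def ssl_request_packet() -> bytes:
    # PostgreSQL SSLRequest: int32 length (8) followed by int32 code 80877103.
    return struct.pack("!ii", 8, 80877103)


def lifetime_fraction_used(not_before: datetime, not_after: datetime, now: datetime) -> float:
    total = (not_after - not_before).total_seconds()
    used = (now - not_before).total_seconds()
    return max(0.0, min(1.0, used / total))  # clamp to [0, 1]


def needs_rotation(not_before: datetime, not_after: datetime, now: datetime,
                   threshold: float = ROTATE_AT) -> bool:
    return lifetime_fraction_used(not_before, not_after, now) >= threshold


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def disk_cert_der(path: str) -> bytes:
    with open(path, "rb") as f:
        return ssl.PEM_cert_to_DER_cert(f.read().decode())


def served_cert_der(host: str, port: int = 5432, timeout: float = 5.0) -> bytes:
    """Send SSLRequest, expect 'S', then start TLS and return the leaf cert (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we only inspect the cert here, we do not trust it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(ssl_request_packet())
        if raw.recv(1) != b"S":
            raise RuntimeError("server declined SSL (expected 'S')")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys  # usage: script.py <host> <path/to/server.crt>  (assumed paths)
    served, disk = fingerprint(served_cert_der(sys.argv[1])), fingerprint(disk_cert_der(sys.argv[2]))
    print("served:", served, "\ndisk:  ", disk)
    print("reload still needed" if served != disk else "server serves the on-disk certificate")
```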