Re: [PATCH] Reload SSL certificates on SIGHUP - Mailing list pgsql-hackers

From Andreas Karlsson
Subject Re: [PATCH] Reload SSL certificates on SIGHUP
Date
Msg-id 8b967b1e-4bdf-5fd7-9ccb-ce4cfa1d2b3a@proxel.se
In response to Re: [PATCH] Reload SSL certificates on SIGHUP  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: [PATCH] Reload SSL certificates on SIGHUP  (Michael Paquier <michael.paquier@gmail.com>)
Re: [PATCH] Reload SSL certificates on SIGHUP  (Andreas Karlsson <andreas@proxel.se>)
List pgsql-hackers
On 11/09/2016 06:54 AM, Michael Paquier wrote:
> It seems to me that this patch is missing something... To begin with,
> src/test/ssl/ServerSetup.pm should be patched so that the new SSL
> configuration is reloaded after pg_ctl reload, and not after an
> instance restart. That's straightforward:
> --- a/src/test/ssl/ServerSetup.pm
> +++ b/src/test/ssl/ServerSetup.pm
> @@ -96,7 +96,7 @@ sub configure_test_server_for_ssl
>     close HBA;
>  }
>
> -# Change the configuration to use given server cert file, and restart
> +# Change the configuration to use given server cert file, and reload
>  # the server so that the configuration takes effect.
>  sub switch_server_cert
>  {
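Review bot: the updated comment above switch_server_cert now promises that a reload makes "the configuration" take effect, which only holds for settings the server can pick up on reload. Suggest narrowing the wording to the SSL settings this function writes, and making sure that anything the test setup needs which requires a restart (listen_addresses is the case raised in this thread) is configured before the server is first started.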
> @@ -115,6 +115,6 @@ sub switch_server_cert
>     print SSLCONF "ssl_crl_file='root+client.crl'\n";
>     close SSLCONF;
>
> -   # Stop and restart server to reload the new config.
> -   $node->restart;
> +   # Reload the new configuration set.
> +   $node->reload;
>  }
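Review bot: after `$node->reload;` the function returns with nothing confirming that the server has finished processing the new SSL files, and a reload is only signalled to the server, so a test that connects right away may still be served the previous certificate. Suggest waiting for the reload to be applied before returning, or keeping `$node->restart` here and covering reload in a dedicated test. The new comment "Reload the new configuration set." would also read better as a statement of intent, for example that the server is reloaded so the new SSL files take effect.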
>
> Once I did that, half of the tests are failing. And I would have
> expected all of them to work properly.

Those tests fail because listen_addresses cannot be changed on 
reload, so none of the test cases can even connect to the database. When 
I hacked ServerSetup.pm to set the correct listen_addresses before 
starting, all tests pass.

It is a bit annoying that if pg_hba.conf contains hostssl then postgres 
will refuse to start. Maybe this is something we should also fix in this 
patch, since now that we can enable SSL after starting it becomes more 
useful to not bail on hostssl. What do you think?

I will look into writing a cleaner patch for ServerSetup.pm some time 
later this week.

Andreas


