Details
- New Feature
- Status: Closed
- Major
- Resolution: Fixed
- 2.4.19, 2.5.18, 6.1.4, 6.2.1
- None
Description
Since MariaDB 10.4.1 the server supports runtime reloading of TLS certificates with FLUSH SSL, and since 10.6.0 also with mysqladmin flush-ssl, which comes in handy when a certificate needs to be renewed before reaching its expiry date without server downtime, and especially with short-lived certificates such as those issued by Let's Encrypt.
MaxScale currently seems to be missing this capability. Server and listener certificates may be reloaded explicitly one by one using maxctrl, but for the admin REST API itself there does not seem to be any such mechanism at all, so this can only be changed with a MaxScale restart, and so with a little bit of downtime.
So the main feature request would be to have an equivalent to the server's "FLUSH SSL" that would reload all certificate files currently in use by MaxScale.
In addition to this, certificate reloads should maybe also be part of SIGHUP signal handling, as in the case of an already expired REST API certificate that may be the only way to still trigger a certificate reload without restart/downtime, while REST API access may no longer be possible with an expired admin certificate.
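A sketch of the behaviour requested above, added here as an illustration and not MaxScale or MariaDB code: one call re-reads every certificate pair in use, a pair that fails to load keeps its previous context, and SIGHUP triggers the same reload without going through the TLS-protected admin endpoint. The class name, endpoint names and file paths are hypothetical.

```python
import signal
import ssl


def load_tls_context(cert_path, key_path):
    """Build a fresh server-side context; raises if the files are unusable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, key_path)
    return ctx


class TlsReloader:
    """Tracks every certificate pair in use and reloads them all together."""

    def __init__(self, loader=load_tls_context):
        self._loader = loader
        self._paths = {}   # endpoint name -> (cert file, key file)
        self._live = {}    # endpoint name -> context used for new connections
        self.last_result = {}

    def register(self, name, cert_path, key_path):
        # Fail fast at startup: a bad pair raises here instead of later.
        self._live[name] = self._loader(cert_path, key_path)
        self._paths[name] = (cert_path, key_path)

    def context(self, name):
        return self._live[name]

    def reload_all(self):
        """Re-read every registered pair; a pair that fails keeps its old context."""
        result = {}
        for name, (cert_path, key_path) in self._paths.items():
            try:
                fresh = self._loader(cert_path, key_path)
            except (OSError, ssl.SSLError) as exc:
                result[name] = f"kept old: {exc}"
                continue
            self._live[name] = fresh   # single reference swap
            result[name] = "reloaded"
        self.last_result = result
        return result

    def install_sighup(self):
        # Out-of-band trigger: works even when the TLS-protected admin
        # endpoint can no longer be reached because its certificate expired.
        signal.signal(signal.SIGHUP, lambda signum, frame: self.reload_all())
```

Connections that are already established keep the context they were accepted with; only connections accepted after the swap present the renewed certificate.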