[MDEV-16266] Ability to Refresh SSL Cert / CRL Without Server Restart Created: 2018-05-23  Updated: 2023-01-16  Resolved: 2018-12-12

Status: Closed
Project: MariaDB Server
Component/s: Server, SSL
Fix Version/s: 10.4.1

Type: Task Priority: Major
Reporter: Stephen Hames Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 1
Labels: ssl

Issue Links:
Relates
relates to MDEV-19168 mysqladmin implement --flush-ssl Closed
relates to MDEV-19341 Make reloadable TLS system variables ... Closed
relates to MXS-3128 Cannot refresh SSL Certificates witho... Closed
relates to MXS-3197 Ability to refresh SSL certificates w... Closed
relates to CONJ-670 MariaDB java connector ability to Ref... Closed

 Description   

Background

When we need to update server SSL certs for renewal, we have to restart the mariadb server. This can be problematic for production servers where we do not frequently restart the service. This is particularly acute when using short-lived certs such as those provided by LetsEncrypt.

Cert Renewals will be less disruptive it is is possible to issue a command to mariadb server to make the server reload the server certificate and/or CRL, as needed.

A similar case is open for MySQL (refer: https://bugs.mysql.com/bug.php?id=75404), but does not appear to have gained traction.

Acceptance Criteria

  • Ability added to flush server SSL certificates, without requiring a server restart.
  • Ability added to flush server CRL, without requiring server restart.

Raised this as a task, as I can't raise it as a feature request...
Thanks.

 Comments   
Comment by Alexander Barkov [ 2018-11-17 ]

Hi ralf.gebhardt, I can try. When is the deadline?

Comment by Stephen Hames [ 2019-01-18 ]

Thanks for adding this.

It is much appreciated!

Comment by azurit [ 2019-03-22 ]

Could this be backported to older versoins? Ideally all up from 10.1 or at least 10.2. Thanks.

Generated at Thu Feb 08 08:27:37 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.