Martin Basti wrote:
>
>
> On 20.03.2017 16:12, Ian Pilcher wrote:
>> On 03/20/2017 04:00 AM, David Kupka wrote:
>>> Generally I would not recommend touching this on a production system.
>>> Why do you want to change the database format?
>>
>> My FreeIPA server also acts as a reverse proxy/TLS endpoint for my
>> home sprinkler system (https://opensprinkler.com/), allowing me to
>> securely connect to the sprinkler controller from my cell phone when
>> I'm out in the yard (out of WiFi range).
>>
>> Since free 1-year TLS certificates seem to be a thing of the past, I'm
>> working on automating the retrieval of 90-day certificates from Let's
>> Encrypt.
>>
>> My current update script has to stop Apache before updating the
>> certificate in the NSS database. It's hardly the end of the world, but
>> it would have been nice to be able to load the new certificate into the
>> database and just send a SIGHUP to the daemon.
>>
>
> Might this help for Let's Encrypt?
> https://github.com/freeipa/freeipa-letsencrypt

I think his concern may be around warnings that the NSS BDB databases should only be updated when quiet. In the case of mod_nss it explicitly opens the database read-only so I think you'd be safe updating the certificate. A SIGHUP may indeed be sufficient to load the new cert, just haven't had a chance to test it this morning.

rob