Martin Basti wrote:
> On 20.03.2017 16:12, Ian Pilcher wrote:
>> On 03/20/2017 04:00 AM, David Kupka wrote:
>>> Generally I would not recommend touching this on production system.
>>> Why do you want to change the database format?
>> My FreeIPA server also acts as a reverse proxy/TLS endpoint for my
>> home sprinkler system (, allowing me to
>> securely connect to the sprinkler controller from my cell phone when
>> I'm out in the yard (out of WiFi range).
>> Since free 1-year TLS certificates seem to be a thing of the past, I'm
>> working on automating the retrieval of 90-day certificates from Let's
>> Encrypt.
>> My current update script has to stop Apache before updating the
>> certificate in the NSS database.  It's hardly the end of the world, but
>> it would have been nice to be able to load the new certificate into the
>> database and just send a SIGHUP to the daemon.
> Might this help for Lets encrypt ?

I think his concern may be around warnings that the NSS BDB databases
should only be updated when quiet. In the case of mod_nss it explicitly
opens the database read-only so I think you'd be safe updating the

A SIGHUP may indeed be sufficient to load the new cert, just haven't had
a chance to test it this morning.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to