Martin Basti wrote:
> 
> 
> On 20.03.2017 16:12, Ian Pilcher wrote:
>> On 03/20/2017 04:00 AM, David Kupka wrote:
>>> Generally I would not recommend touching this on production system.
>>> Why do you want to change the database format?
>>
>> My FreeIPA server also acts as a reverse proxy/TLS endpoint for my
>> home sprinkler system (https://opensprinkler.com/), allowing me to
>> securely connect to the sprinkler controller from my cell phone when
>> I'm out in the yard (out of WiFi range).
>>
>> Since free 1-year TLS certificates seem to be a thing of the past, I'm
>> working on automating the retrieval of 90-day certificates from Let's
>> Encrypt.
>>
>> My current update script has to stop Apache before updating the
>> certificate in the NSS database.  It's hardly the end of the world, but
>> it would have been nice to be able to load the new certificate into the
>> database and just send a SIGHUP to the daemon.
>>
> 
> Might this help for Lets encrypt ?
> https://github.com/freeipa/freeipa-letsencrypt

I think his concern may be around warnings that the NSS BDB databases
should only be updated when quiet. In the case of mod_nss it explicitly
opens the database read-only so I think you'd be safe updating the
certificate.

A SIGHUP may indeed be sufficient to load the new cert, just haven't had
a chance to test it this morning.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to