Ian Pilcher wrote:
> On 03/20/2017 11:02 AM, Rob Crittenden wrote:
>> I think his concern may be around warnings that the NSS BDB databases
>> should only be updated when quiet. In the case of mod_nss it explicitly
>> opens the database read-only so I think you'd be safe updating the
>> certificate.
>
> You are correct about my concern. I should have noticed that mod_nss
> is opening the database read-only, based on the file permissions if
> nothing else.
>
> Based on this, I should be able to do something with symlinks to make a
> copy of the database, do my updates, rename the symlink to make the
> updated database "live", and SIGHUP (or restart if necessary) Apache.
Um, this _might_ work. Each httpd worker will have an fd open to the NSS database files, so you'd want to do this rather carefully. In order for NSS to see a newly added certificate it will need to reopen the database. I'm fairly certain a SIGHUP will cause all the children to be respawned, so except for those actually serving a request at the time, the new certs should be available.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
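The copy / update / repoint-the-symlink sequence Ian sketches, written out as an added example (this is not code from the thread, from mod_nss or from FreeIPA). It assumes a hypothetical layout where the directory mod_nss is configured to read (say /etc/httpd/alias) is a symlink to a versioned directory, and that the update command is supplied by the caller (for example certutil -A -d . ...). The swap is done with one rename(2) over the old symlink, so a reader never sees a missing link; it relies on GNU coreutils for mv -T and chmod --reference. If the update command fails, the live symlink is left untouched and only the scratch copy remains. Because each worker keeps the old database files open, the function does not delete the previous directory; do that once httpd has been reloaded. For the reload itself, apachectl graceful (SIGUSR1) lets each child finish its current request before exiting, whereas SIGHUP restarts the children immediately.

```shell
#!/bin/sh
# Added example, not code from the freeipa-users thread or from mod_nss.
# Assumed (hypothetical) layout:
#   /etc/httpd/alias -> alias.20170320      # mod_nss NSSCertificateDatabase
# Typical use:
#   new=$(swap_nss_db /etc/httpd/alias certutil -A -d . -n "web" -t ",," -i new.crt)
#   apachectl graceful          # workers reopen the database on respawn
set -eu

# swap_nss_db LINK UPDATE_CMD [ARGS...]
# Copy LINK's current target directory, run UPDATE_CMD inside the copy, then
# repoint LINK at the copy with a single rename(2). Prints the new directory.
# Any failure before the rename leaves the live symlink exactly as it was.
swap_nss_db() {
    link=$1; shift
    dir=$(dirname "$link")
    base=$(basename "$link")

    old=$(readlink "$link") || return 1             # LINK must be a symlink
    case $old in /*) ;; *) old="$dir/$old" ;; esac  # relative targets are resolved against LINK's dir

    # Fresh sibling directory; mktemp makes it 0700, so copy the live dir's mode.
    new=$(mktemp -d "$dir/$base.XXXXXX") || return 1
    chmod --reference="$old" "$new" || return 1
    cp -a "$old/." "$new" || return 1               # work on the copy; the open BDB files stay untouched

    if ! ( cd "$new" && "$@" ); then
        echo "update failed; live database untouched, scratch copy left in $new" >&2
        return 1
    fi

    # Build the new symlink under a temporary name, then rename it over LINK.
    # rename(2) replaces the old symlink atomically; readers see old or new, never neither.
    tmp="$dir/.$base.tmp.$$"
    ln -s "$(basename "$new")" "$tmp" || return 1
    mv -T "$tmp" "$link" || { rm -f "$tmp"; return 1; }

    printf '%s\n' "$new"
}

# Ask httpd to respawn its workers so NSS reopens the database. Graceful
# restart (SIGUSR1) lets in-flight requests finish; SIGHUP restarts at once.
reload_httpd() {
    apachectl graceful
}
```

The old directory is deliberately kept: workers still serving requests hold file descriptors into it, and removing it before the reload would only make that window harder to debug. Verify the new set with certutil -L -d "$new" before reloading.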