Ian Pilcher wrote:
> On 03/20/2017 11:02 AM, Rob Crittenden wrote:
>> I think his concern may be around warnings that the NSS BDB databases
>> should only be updated when quiet. In the case of mod_nss it explicitly
>> opens the database read-only so I think you'd be safe updating the
>> certificate.
> 
> You are correct about my concern.  I should have noticed that mod_nss
> is opening the database read-only, based on the file permissions if
> nothing else.
> 
> Based on this, I should be able to do something with symlinks to make a
> copy of the database, do my updates, rename the symlink to make the
> updated database "live", and SIGHUP (or restart if necessary) Apache.

Um, this _might_ work. Each httpd worker will have an fd open to the NSS
database files so you'd want to do this rather carefully.

In order for NSS to see a newly added certificate it will need to reopen
the database. I'm fairly certain a SIGHUP will cause all the children to
be respawned so except for those actually serving a request at the time
the new certs should be available.

rob
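The stage-copy, update, symlink-rename and graceful-reload sequence discussed above, as an added example that is not code from the thread. It assumes mod_nss's NSSCertificateDatabase directive points at a symlink (for example /etc/httpd/alias -> /etc/httpd/alias.1), that certutil and GNU coreutils (for mv -T) are installed, and that the password file path, if any, is supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original thread. Paths and nicknames are
# assumptions; the live database is never written to in place.
set -eu

# Copy the directory the live symlink currently points at into a fresh
# staging directory next to it and print the staging path.
stage_db_copy() {
    live_link=$1
    current=$(readlink -f "$live_link")
    stage="${current}.new.$$"
    cp -a "$current" "$stage"
    printf '%s\n' "$stage"
}

# Add a PEM certificate to the STAGED copy only (NSS BDB cert8.db/key3.db).
# Pass a password file as the 5th argument if the database has one.
add_cert_to_stage() {
    stage=$1; nick=$2; pem=$3; trust=${4:-",,"}; pwfile=${5:-}
    if [ -n "$pwfile" ]; then
        certutil -A -d "$stage" -n "$nick" -t "$trust" -a -i "$pem" -f "$pwfile"
    else
        certutil -A -d "$stage" -n "$nick" -t "$trust" -a -i "$pem"
    fi
}

# Atomically repoint the live symlink: build a new link beside it and
# rename it over the old one with a single rename(2), so any worker that
# reopens the database never sees a missing path. mv -T (GNU) is required;
# without it mv would move the temp link INTO the directory behind $live_link.
swap_live_link() {
    live_link=$1; target=$2
    ln -s "$target" "$live_link.tmp.$$"
    mv -T "$live_link.tmp.$$" "$live_link"
}

# Workers already holding an fd on the old files keep using them until they
# exit; a graceful restart lets them finish in-flight requests, then the
# respawned children open the database through the new link.
reload_httpd() {
    apachectl graceful
}
```

The old directory can be removed once no httpd process still has its files open (e.g. after `lsof` shows none).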

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project