[Freeipa-users] Use SQLite format NSS database?

Rob Crittenden rcritten at redhat.com
Mon Mar 20 16:02:55 UTC 2017


Martin Basti wrote:
> 
> 
> On 20.03.2017 16:12, Ian Pilcher wrote:
>> On 03/20/2017 04:00 AM, David Kupka wrote:
>>> Generally I would not recommend touching this on production system.
>>> Why do you want to change the database format?
>>
>> My FreeIPA server also acts as a reverse proxy/TLS endpoint for my
>> home sprinkler system (https://opensprinkler.com/), allowing me to
>> securely connect to the sprinkler controller from my cell phone when
>> I'm out in the yard (out of WiFi range).
>>
>> Since free 1-year TLS certificates seem to be a thing of the past, I'm
>> working on automating the retrieval of 90-day certificates from Let's
>> Encrypt.
>>
>> My current update script has to stop Apache before updating the
>> certificate in the NSS database.  It's hardly the end of the world, but
>> it would have been nice to be able to load the new certificate into the
>> database and just send a SIGHUP to the daemon.
>>
> 
> Might this help for Lets encrypt ?
> https://github.com/freeipa/freeipa-letsencrypt

I think his concern may be around warnings that the NSS BDB databases
should only be updated when quiet. In the case of mod_nss it explicitly
opens the database read-only so I think you'd be safe updating the
certificate.

A SIGHUP may indeed be sufficient to load the new cert, just haven't had
a chance to test it this morning.

rob
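Worked example of the swap Ian describes, added here and not taken from the thread or from the FreeIPA project: a POSIX shell script that bundles a renewed Let's Encrypt certificate and key into PKCS#12, imports it into the NSS database mod_nss reads, validates it for server use, and then asks httpd to reload. The paths (/etc/httpd/alias, pwdfile.txt) and the nickname Server-Cert are assumptions modelled on FreeIPA's defaults; the claim that mod_nss holds the database read-only is Rob's, and the reload uses httpd's graceful restart rather than a raw SIGHUP, which Rob had not yet tested. The helper that detects the dbm: versus sql: format answers the subject-line question of which database type certutil and pk12util are being pointed at.

```shell
#!/bin/sh
# Import a renewed cert+key into the NSS database used by mod_nss and reload
# httpd without a full stop. Example script, not FreeIPA's own tooling.
# Assumed locations/names (adjust to your server):
#   NSS_DIR      - mod_nss NSSCertificateDatabase directory
#   NSS_PWDFILE  - file holding the NSS key slot password
#   NICK         - nickname named by NSSNickname in the mod_nss vhost
set -eu

NSS_DIR="${NSS_DIR:-/etc/httpd/alias}"
NSS_PWDFILE="${NSS_PWDFILE:-$NSS_DIR/pwdfile.txt}"
NICK="${NICK:-Server-Cert}"

# Report which NSS database format lives in a directory and return the
# -d argument certutil/pk12util expect for it: legacy BerkeleyDB uses
# cert8.db/key3.db ("dbm:"), the SQLite format uses cert9.db/key4.db ("sql:").
nss_db_spec() {
    dir=$1
    if [ -f "$dir/cert9.db" ]; then
        echo "sql:$dir"
    elif [ -f "$dir/cert8.db" ]; then
        echo "dbm:$dir"
    else
        echo "no NSS database found in $dir" >&2
        return 1
    fi
}

# Bundle PEM cert, key and chain into PKCS#12. The bundle password goes in a
# mode-0600 file, not on the command line, so it does not show up in ps.
make_p12() {
    cert=$1 key=$2 chain=$3 out=$4 passfile=$5
    umask 077
    openssl rand -hex 24 > "$passfile"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "$NICK" -out "$out" -passout "file:$passfile"
}

# Replace the certificate stored under $NICK. Per Rob's note, mod_nss opens
# the database read-only and keeps the loaded cert in memory, so httpd keeps
# serving the old cert until it is reloaded.
import_cert() {
    spec=$1 p12=$2 passfile=$3
    # Drop the previous cert so the nickname resolves to the new one only;
    # ignore the error if nothing is there yet (first run).
    certutil -D -d "$spec" -n "$NICK" 2>/dev/null || true
    pk12util -i "$p12" -d "$spec" -k "$NSS_PWDFILE" -w "$passfile"
    # Refuse to reload if NSS does not consider the new cert valid for
    # SSL server usage (-u V): expired, chain not trusted, wrong EKU, etc.
    certutil -V -d "$spec" -n "$NICK" -u V
}

# Usage: renew-nss-cert.sh cert.pem privkey.pem chain.pem
main() {
    spec=$(nss_db_spec "$NSS_DIR")
    echo "using NSS database $spec"
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_p12 "$1" "$2" "$3" "$tmp/bundle.p12" "$tmp/p12.pass"
    import_cert "$spec" "$tmp/bundle.p12" "$tmp/p12.pass"
    # Graceful restart: workers finish in-flight requests, new ones read the
    # database afresh and pick up the new certificate. (Assumes systemd.)
    systemctl reload httpd
}

# Only run the full procedure when invoked with the three PEM files.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

If nss_db_spec reports dbm:, remember the caveat behind the thread: the BerkeleyDB format is not safe for concurrent writers, so make sure nothing else (certmonger, an ipa-server-certinstall run) is writing to the same database while this script imports. The certutil -V step is the check worth keeping: it fails before the reload if the chain Let's Encrypt shipped is not trusted in this database, instead of leaving httpd serving a cert browsers reject.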
