[Freeipa-users] Use SQLite format NSS database?
Rob Crittenden
rcritten at redhat.com
Tue Mar 21 19:26:39 UTC 2017
Ian Pilcher wrote:
> On 03/20/2017 11:02 AM, Rob Crittenden wrote:
>> I think his concern may be around warnings that the NSS BDB databases
>> should only be updated when quiet. In the case of mod_nss it explicitly
>> opens the database read-only so I think you'd be safe updating the
>> certificate.
>
> You are correct about my concern. I should have noticed that mod_nss
> is opening the database read-only, based on the file permissions if
> nothing else.
>
> Based on this, I should be able to do something with symlinks to make a
> copy of the database, do my updates, rename the symlink to make the
> updated database "live", and SIGHUP (or restart if necessary) Apache.

Um, this _might_ work. Each httpd worker will have an fd open to the NSS
database files so you'd want to do this rather carefully.

In order for NSS to see a newly added certificate it will need to reopen
the database. I'm fairly certain a SIGHUP will cause all the children to
be respawned so except for those actually serving a request at the time
the new certs should be available.

rob
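
The copy, update, rename and reload sequence discussed in this thread, sketched as a shell function. This is an added example, not part of the original messages; the function name `swap_nssdb`, its arguments and the use of GNU `mv -T` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the path the server is
# configured with is a symlink to the real database directory, GNU `mv -T`
# is available, and the update command takes the database directory as its
# last argument (for example an NSS certutil call ending in `-d`).

# swap_nssdb LINK NEWNAME UPDATE_CMD [ARGS...]
#   LINK     symlink the server opens the database through
#   NEWNAME  directory name for the updated copy, created beside LINK
# Prints the previous symlink target on success.
swap_nssdb() {
    link=$1; newname=$2; shift 2
    [ -L "$link" ] || { echo "error: $link is not a symlink" >&2; return 2; }
    parent=$(dirname "$link")
    staged="$parent/$newname"
    [ -e "$staged" ] && { echo "error: $staged already exists" >&2; return 2; }
    previous=$(readlink "$link")

    # 1. Copy the live database. -p keeps modes and ownership so the
    #    server can still open the copy read-only.
    cp -Rp "$link/." "$staged" || return 1

    # 2. Update the copy only; the files the workers hold open are untouched.
    if ! "$@" "$staged"; then
        rm -rf "$staged"
        return 1
    fi

    # 3. Switch atomically: create the new symlink under a temporary name,
    #    then rename it over the old one (rename(2) replaces it in one step).
    tmp="$link.swap.$$"
    ln -s "$newname" "$tmp" || return 1
    mv -T "$tmp" "$link" || { rm -f "$tmp"; return 1; }

    # 4. The old directory is left in place: running workers still hold
    #    file descriptors on it until they are respawned.
    printf '%s\n' "$previous"
}
```

After the swap, send Apache the SIGHUP (or restart) discussed above, and remove the printed old directory only once no worker still has it open.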