Will a graceful reload of Apache configuration require the SSL Cert password?
Solution 1
No. SSL certificates are only reloaded on a full restart, not a graceful one.
This means you won't need to re-enter the password on a reload/graceful, and also means that changes to the certificates/new certificates/etc require a full restart to take effect.
Solution 2
Because there is a bit of confusion about full restart and graceful restart I must say that apachectl restart fully restarts the server but that is not gracefully done. This means that current connections are aborted.
What you want to achieve can be done gracefully with:
apachectl graceful
Both methods reload the certificates.
Which does a full apache restart, but the active connections are not aborted. It does not accept new connections until the current ones finish processing and restarts after that.
In conclusion, both restart and graceful do a full apache restart, but graceful does not abort connections, waits for them to be closed, then it restarts.
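A pre-reload check for the situation in the question, as an added example that is not part of the original answers: it lists the keys named by SSLCertificateKeyFile in the config files you pass it, reports whether each is passphrase-protected, and shows the SSLPassPhraseDialog setting that decides whether httpd would prompt at the terminal. The function names and the constructed sample files in demo are assumptions; paths containing spaces, Include resolution and keys embedded in the SSLCertificateFile are not handled.

```shell
#!/bin/sh
# Added example: which private keys would need a passphrase if httpd re-reads them?

# key_is_encrypted FILE: succeeds if the PEM key is passphrase-protected.
# PKCS#8 uses "BEGIN ENCRYPTED PRIVATE KEY"; the traditional OpenSSL format
# keeps "BEGIN RSA PRIVATE KEY" and adds a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# list_key_files CONF...: paths from SSLCertificateKeyFile (directive names are
# case-insensitive; commented-out lines do not match because $1 starts with "#").
list_key_files() {
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$@" | sort -u
}

# report_keys CONF...: prints "encrypted PATH", "plain PATH" or "unreadable PATH".
report_keys() {
    list_key_files "$@" | while IFS= read -r key; do
        if [ ! -r "$key" ]; then echo "unreadable $key"
        elif key_is_encrypted "$key"; then echo "encrypted $key"
        else echo "plain $key"
        fi
    done
}

# passphrase_dialog CONF...: last SSLPassPhraseDialog value; mod_ssl defaults to
# "builtin" (interactive prompt), while "exec:/path" or "|/path" runs a program.
passphrase_dialog() {
    awk 'tolower($1) == "sslpassphrasedialog" { v = $2 } END { print (v == "" ? "builtin" : v) }' "$@"
}

# demo: runs report_keys over constructed sample files (headers only, no key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' > "$d/a.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/b.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' > "$d/c.key"
    printf '%s\n' "SSLCertificateKeyFile $d/a.key" "sslcertificatekeyfile \"$d/b.key\"" \
        "SSLCertificateKeyFile $d/c.key" "# SSLCertificateKeyFile $d/old.key" \
        "SSLCertificateKeyFile $d/missing.key" > "$d/ssl.conf"
    report_keys "$d/ssl.conf"
    rm -rf "$d"
}

# Stand-alone use: pass the config files that carry the SSL directives.
if [ "$#" -gt 0 ]; then
    report_keys "$@"
    echo "SSLPassPhraseDialog: $(passphrase_dialog "$@")"
fi
```

An "encrypted" key together with a "builtin" dialog means someone has to type the passphrase whenever httpd reads that key again.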
Colin K
Updated on September 18, 2022
Comments
-
Colin K over 1 year
I have an apache server running that required a minor configuration update. I want to force Apache to reload the config (e.g. via /etc/init.d/httpd reload or apachectl graceful), but I do not possess our SSL cert passwords. The admin who has the passwords is not available right now.
If I gracefully reload the apache config, will the SSL certificates need the password again? Or does that only happen during a full restart of the server?
-
rustyx over 7 years
I don't know if anything has changed, but at least on httpd 2.4.20, apachectl graceful as well as SIGHUP do cause a reload of SSL certificates.
-
Dennis about 7 years
A graceful restart is not the same as a reload. The former just waits for all child processes to exit gracefully before restarting.
-
Nicolás about 6 years
@Dennis They are the same; "/etc/init.d/apache2 reload" runs "apachectl -k graceful".
-
Lucas Werkmeister almost 6 years
And to answer the question, it seems that apachectl graceful does reload the certificates – at least it did in my case (though my certificates are not password-protected).
-
Palec about 2 years
"It does not accept new connections until the current ones finish processing and restarts after that." This is wrong, according to the docs. Only the old workers do not accept new connections, but the new workers replace the old ones one by one, as the old ones die. httpd.apache.org/docs/2.2/stopping.html