MySQL server TLS certificate renewal
- Written by: ilmarkerm
- Category: Blog entry
- Published: April 7, 2026
The procedure for renewing a service's TLS certificate is usually (always?) the same: first replace the certificate and key files the service uses, then signal the running service to reload its configuration files (or restart it). If you forget the second step, the service keeps identifying itself with the old certificate, even after that certificate has expired. The reload/restart step is very easy to forget.
For most Linux daemons, sending the process the SIGHUP Unix signal makes it reload its configuration, including TLS certificates. Sadly this does not work for MySQL: Unix signals only flush tables, flush caches and rotate log files, see https://dev.mysql.com/doc/refman/8.4/en/unix-signal-response.html
Nor do any of the mysqladmin commands, such as reload or refresh, make a running mysqld reload its TLS certificate files.
The only way I have found for a running MySQL instance to reload the certificate files is this ALTER INSTANCE command:
ALTER INSTANCE RELOAD TLS
Don't forget to add it to your systemd service file as well, if your certificate renewal automation relies on the systemd reload command. You need to add something like this to the service file (and don't forget about authentication for the mysql client):
ExecReload=mysql -e "alter instance reload tls"
This is quite unusual behaviour for MySQL, so don't be caught out: when the certificate expires, clients can no longer connect using TLS and connections fail.
This does not apply if you choose to restart the MySQL service instead, but that comes with the penalty of a short downtime.
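As an added example (not from the original post), here is a renewal hook that catches exactly the situation described above: it compares the notAfter date of the certificate file on disk with the one the running mysqld reports in its Ssl_server_not_after status variable, issues ALTER INSTANCE RELOAD TLS only when the server is still serving an older certificate, and verifies the result afterwards. It assumes GNU date, the openssl and mysql CLIs with non-interactive authentication for the mysql client (e.g. a login path or ~/.my.cnf), and a placeholder certificate path.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: GNU date, openssl CLI, mysql CLI that authenticates without a
# prompt; CERT_FILE below is a placeholder, not a path from the post.
CERT_FILE="${CERT_FILE:-/etc/mysql/ssl/server-cert.pem}"

# notAfter of the certificate file on disk, in OpenSSL's text form,
# e.g. "Apr  7 12:00:00 2027 GMT".
disk_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# notAfter of the certificate the running server is actually presenting.
# MySQL reports it as the Ssl_server_not_after status variable, same text form.
live_not_after() {
    mysql -Nse "SHOW STATUS LIKE 'Ssl_server_not_after'" | cut -f2
}

# Convert OpenSSL's time text to a Unix epoch (GNU date syntax).
to_epoch() {
    date -u -d "$1" +%s
}

# Exit 0 when the on-disk certificate is newer than the one in use,
# i.e. renewal happened but mysqld was never told to reload.
reload_needed() {
    disk=$(to_epoch "$1") || return 2
    live=$(to_epoch "$2") || return 2
    [ "$disk" -gt "$live" ]
}

# Reload only if needed, then confirm mysqld now serves the on-disk cert.
# Exit 0 on success, 1 if the server still presents a different certificate.
check_and_reload() {
    on_disk=$(disk_not_after "$CERT_FILE")
    in_use=$(live_not_after)
    if reload_needed "$on_disk" "$in_use"; then
        echo "mysqld still serves cert expiring $in_use; disk has $on_disk, reloading"
        mysql -e "ALTER INSTANCE RELOAD TLS"
        in_use=$(live_not_after)
    fi
    [ "$(to_epoch "$on_disk")" -eq "$(to_epoch "$in_use")" ]
}

# Run the check only when invoked as "script.sh run" (keeps functions sourceable).
if [ "${1:-}" = "run" ]; then
    check_and_reload
fi
```

Hook it into the renewal automation (or use it as the systemd ExecReload target) so a renewed file that mysqld is not yet serving is detected and fixed instead of silently expiring.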