sharing certificates via ACLs - possible?


 



Hi guys.

I wonder if it is possible to have PostgreSQL share certificates with other bits & bobs. I see PGSQL is very unhappy and won't accept certs with permissions like:

-> $ getfacl /etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key
# owner: root
# group: root
user::rw-
user:postgres:r-x
user:redis:r-x
group::---
mask::r-x
other::---

Such ACLs, I think obviously, result in:
-> $ ll /etc/pki/easy-rsa/pki/private/
total 12
-rw-r-x---+ 1 root root 1704 Mar  1 13:35 c8kubernode1.private.wel.key

and then PGSQL fails to start:
...
Starting PostgreSQL database server...
2021-03-02 06:04:15.168 EST [1173631] FATAL:  private key file "/etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key" has group or world access

If that is by design, is it not then a bit over the top?

postgresql-13.2

many thanks, L.
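
Added example, not part of the original post and not PostgreSQL's own code: a shell approximation of the key-file rule in the PostgreSQL documentation (owned by the server user with no group/world access, or owned by root with at most group read, i.e. 0640). With POSIX ACLs the group bits shown by `ls` and `stat` are the ACL mask, so the `r-x` named-user entries above make the file mode 0650. The function names, the UID 26 for postgres and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added illustration: approximates the documented PostgreSQL private key
# permission rule. Not taken from the PostgreSQL source tree.

# key_mode_ok OWNER_UID SERVER_UID OCTAL_MODE
# Returns 0 if the mode is acceptable for that owner, 1 otherwise.
key_mode_ok() {
    owner=$1
    server=$2
    mode=$(( 0$3 ))              # leading 0 makes the shell parse it as octal
    if [ "$owner" -eq 0 ]; then
        # root-owned key: group read is tolerated (0640 or stricter),
        # so reject group write/execute and any "other" bit.
        bad=$(( mode & 0037 ))
    elif [ "$owner" -eq "$server" ]; then
        # key owned by the server user: no group or other bits at all.
        bad=$(( mode & 0077 ))
    else
        return 1                 # must be owned by the server user or root
    fi
    [ "$bad" -eq 0 ]
}

# check_key_file PATH SERVER_UID
# Reads owner and mode from the file itself (GNU stat assumed). On a file
# with an ACL, the group digit reported here is the ACL mask.
check_key_file() {
    info=$(stat -c '%u %a' "$1") || return 2
    key_mode_ok "${info% *}" "$2" "${info#* }"
}

# Constructed cases, assuming postgres has UID 26:
#   key_mode_ok 0 26 650   fails  (root-owned, mask r-x as in the post)
#   key_mode_ok 0 26 640   passes (root-owned, mask r--)
#   key_mode_ok 26 26 600  passes (postgres-owned, no ACL entries)
```

Under this rule, changing the named-user entries from `r-x` to `r--` lowers the mask to `r--` and the reported mode to 0640 on the root-owned key.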




