Search Postgresql Archives

Re: "Failed to connect to Postgres database"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you very much Adrian.
Two things:

1)
 Why if I just specify through port the cluster and the host connection I connect correctly with SSL,
 but if I specify also the database and the user it connects it doesn't usel SSL connection, or at least it doesn't say it uses SSL? :

(base) postgres@pc:~$ psql -p5433 -h localhost
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" on host "localhost" at port "5433".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)


(base) postgres@pc:~$ psql -p5433 -h localhost -d fabmnet_ca -U postgres
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" on host "localhost" at port "5433".
fabmnet_ca=#

2)
In fabric-ca-server-config.yaml 

  a) if I set:

    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=allow
      tls:
          enabled: false
          certfiles:
          client:
            certfile:
            keyfile:

    where sslmode=allow means "first try a non-SSL connection; if that fails, try an SSL connection"

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
    2019/09/27 19:37:46 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:37:46 [INFO] Server Version: 1.4.4
    2019/09/27 19:37:46 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:37:46 [INFO] The CA key and certificate already exist
    2019/09/27 19:37:46 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:37:46 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'fabmnet_ca'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'postgres'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'template1'
    2019/09/27 19:37:46 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases
    were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
    2019/09/27 19:37:46 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:37:46 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log  :
        2019-09-27 19:43:14.194 CEST [3213] postgres@fabmnet_ca FATAL:  client certificates can only be checked if a root certificate store is available

  b) if I set:
    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=disable
      tls:
        enabled: false
        certfiles:
        client:
          certfile:
          keyfile:

   
     (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
     2019/09/27 19:55:03 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:55:03 [INFO] Server Version: 1.4.4
    2019/09/27 19:55:03 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:55:03 [INFO] The CA key and certificate already exist
    2019/09/27 19:55:03 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:55:03 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:55:03 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:55:03 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:55:03 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:55:03 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:55:03 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log :
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca ERROR:  database "fabmnet_ca" already exists
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca STATEMENT:  CREATE DATABASE fabmnet_ca

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
    2019/09/27 19:57:58 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:57:58 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Server Version: 1.4.4
    2019/09/27 19:57:58 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:57:58 [INFO] The CA key and certificate already exist
    2019/09/27 19:57:58 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:57:58 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:57:58 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:57:58 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:57:58 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:57:58 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Operation Server Listening on 127.0.0.1:9443
    2019/09/27 19:57:58 [INFO] Listening on http://0.0.0.0:7054

Does it mean that in order to use postgresql-11 with fabric-ca I have to use only socket connection?
And if this is the case, why?

Marco

Il giorno ven 27 set 2019 alle ore 18:37 Adrian Klaver <adrian.klaver@xxxxxxxxxxx> ha scritto:
On 9/27/19 8:20 AM, Marco Ippolito wrote:
> Correction of my previous email :
>
> This is the correct ssl connection, not the one before via socket:

A tip, when troubleshooting be as explicit as possible in your command
line usage. So for below explicitly state the -d postgres -U postgres.
This will save you issues with default values and environment values
that you don't know about changing the command. This is not the issue
here, just a heads up for future use.

More below.

>
> (base) postgres@pc:~$ psql -p5433 -h localhost
> Password for user postgres:
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits:
> 256, compression: off)

> fabmnet_ca=#
>
> Anyway, I'm still struggling in understanding how to configure the ssh
> connection of fabric-ca-server to fabmnet_ca database:
>
> This is what I set in fabric-ca-server-config.yaml :
>
> #db:
> #  type: sqlite3
> #  datasource: fabric-ca-server.db
> #  tls:
> #      enabled: false
> #      certfiles:
> #      client:
> #        certfile:
> #        keyfile:
>
>
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=pwd
> dbname=fabmnet_ca sslmode=verify-full

For now I would drop the sslmode or set it to require.
If I am following correctly, if you are cert authentication with fabric-ca:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

Then you need to fill in the certfile(s) sections. I know you have
tls.enabled: false. I think that the server is taking the datasource as
priority and trying a verify-full without the necessary cert
information. That is why I suggested backing off on the SSL requirements
to see if you can make a connection. For what the sslmode options means
go here:

https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-PARAMKEYWORDS

and search in page for sslmode.

Plan B would be to fill in the certfile(s) information.

As to your question below as to why the psql connection works. You are
not specifying an sslmode to the connection so it defaults to a sslmode of:

prefer (default)

     first try an SSL connection; if that fails, try a non-SSL connection

There is no cert authentication going on in that case, so you connect.
The connection is done using SSL, it just does not verify the cert.



>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:
>
> Initializing the fabric-ca-server gives "Failed to connect to Postgres
> database" and in postgresql-11-fabmnet.log : sslv3 alert bad certificate
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/27 17:07:27 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
> 2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
> 2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/27 17:07:27 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
> 2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed
> to connect to Postgres database. Postgres requires connecting to a
> specific database, the following databases were tried: [fabmnet_ca
> postgres template1]. Please create one of these database before continuing
> 2019/09/27 17:07:27 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/27 17:07:27 [INFO] Initialization was successful
>
> /var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159
> CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection:
> sslv3 alert bad certificate
>
> Why it says "sslv3 alert bad certificate" if it's exactly the same
> certificate used when connecting to the same database with ssl in
> postgres environment as shown above?
>
> Marco

--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux