Re: "Failed to connect to Postgres database"

Following the indications found here: https://joelonsql.com/2013/04/27/securing-postgresql-using-hostssl-cert-clientcert1/
I created and modified these files:
CA:

root@pc:/home/marco# ls -lah /etc/ssl/private/fabric_ca.key
-rw-r----- 1 root ssl-cert 1.8K Sep 30 14:50 /etc/ssl/private/fabric_ca.key

(base) marco@pc:~$ ls -lah /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1.3K Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -lah /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt
(base) marco@pc:~$

PostgreSQL-Server:

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.key
-r-------- 1 postgres postgres 1.7K Sep 30 16:05 /var/lib/postgresql/11/fabmnet/server.key

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.crt
-rw-r--r-- 1 postgres postgres 1.2K Sep 30 16:34 /var/lib/postgresql/11/fabmnet/server.crt

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/root.crt
-rw------- 1 postgres postgres 1.4K Sep 30 13:39 /var/lib/postgresql/11/fabmnet/root.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1302 Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
-rw------- 1 root root 1354 Sep 30 17:12 /usr/local/share/ca-certificates/fabric_ca_postgresql.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca_postgresql.pem
lrwxrwxrwx 1 root root 57 Sep 30 17:12 /etc/ssl/certs/fabric_ca_postgresql.pem -> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt


I set /etc/postgresql/11/fabmnet/pg_hba.conf  in this way:


# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# Allow connections from localhost only to fabmnet_ca for postgres user clientcert
hostssl fabmnet_ca      +ssl_fabric_ca_certusers        192.168.1.0/24  cert    clientcert=1

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

PostgreSQL-client  :

(base) marco@pc:~$ ls -ltr ~/.postgresql/root.crt
-rw------- 1 postgres postgres 1354 Sep 30 17:22 /home/marco/.postgresql/root.crt

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.key
-r-------- 1 postgres postgres 887 Sep 30 17:23 /home/marco/.postgresql/postgresql.key

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.crt
-rw-r--r-- 1 postgres postgres 1001 Sep 30 17:25 /home/marco/.postgresql/postgresql.crt

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: true
      certfiles:
      client:
        certfile: /var/lib/postgresql/11/fabmnet/server.crt
        keyfile: /var/lib/postgresql/11/fabmnet/server.key



(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:54:02 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:54:02 [INFO] Server Version: 1.4.4
2019/09/30 17:54:02 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:54:02 [INFO] The CA key and certificate already exist
2019/09/30 17:54:02 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:54:02 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:54:02 [ERROR] Error occurred initializing database: No trusted root certificates for TLS were provided
2019/09/30 17:54:02 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:54:02 [INFO] Initialization was successful

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:56:22 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:56:22 [INFO] Server Version: 1.4.4
2019/09/30 17:56:22 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:56:22 [INFO] The CA key and certificate already exist
2019/09/30 17:56:22 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:56:22 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'postgres'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'template1'
2019/09/30 17:56:22 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/30 17:56:22 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:56:22 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log  :

2019-09-30 17:56:22.760 CEST [10651] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10650] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10649] [unknown]@[unknown] LOG:  incomplete startup packet

What could it mean?

Marco

On Sat, 28 Sep 2019 at 23:49 Adrian Klaver <adrian.klaver@xxxxxxxxxxx> wrote:
On 9/28/19 12:07 AM, Marco Ippolito wrote:
> Hi Adrian,
>
> On Fri, 27 Sep 2019 at 21:39 Adrian Klaver
> <adrian.klaver@xxxxxxxxxxx> wrote:
>
>     On 9/27/19 11:02 AM, Marco Ippolito wrote:
>      > Thank you very much Adrian.
>      > Two things:
>      >
>      > 1)
>      > Why, if I just specify the cluster through the port and the host
>      > connection, do I connect correctly with SSL, but if I also specify
>      > the database and the user it doesn't use an SSL connection, or at
>      > least it doesn't say it uses SSL? :
>
>
>     Can you show the contents of  pg_hba.conf file for the 11/fabmnet
>     cluster. The file will be in:
>
>     /etc/postgresql/11/fabmnet/
>
>
>
>
> /etc/postgresql/11/fabmnet/pg_hba.conf  :
>
> # Database administrative login by Unix domain socket
> local   all             postgres                                peer
>
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>
> # "local" is for Unix domain socket connections only
> local   all             all                                     peer
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            md5
>
> # Allow connections from localhost only to fabmnet_ca for postgres user
> hostssl fabmnet_ca      postgres        localhost               cert
>
> # IPv6 local connections:
> host    all             all             ::1/128                 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local   replication     all                                     peer
> host    replication     all             127.0.0.1/32            md5
> host    replication     all             ::1/128                 md5
>

> fabric-ca-server-config.yaml : sslmode=require
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=1234
> dbname=fabmnet_ca sslmode=require
>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:

You are not including the certs or setting tls.enabled: true. Not sure
that is the root cause at the moment.

I would try just going through psql for the time being to take the
fabric server out of the loop. Something like:

psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres sslmode=require"

From below I am guessing you do not have the SSL certs set up properly
for the fabmnet Postgres instance(the one on port 5433) and/or on the
client. Take a look at:

https://www.postgresql.org/docs/11/libpq-ssl.html

>
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/28 09:00:08 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
> 2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
> 2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/28 09:00:08 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/28 09:00:08 [ERROR] Error occurred initializing database: Failed
> to create Postgres tables: Error creating users table: pq: client
> certificates can only be checked if a root certificate store is available
> 2019/09/28 09:00:08 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/28 09:00:08 [INFO] Initialization was successful
>
>
> /var/log/postgresql/postgresql-11-fabmnet.log  :
>
> 2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database
> "fabmnet_ca" already exists
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:  CREATE
> DATABASE fabmnet_ca
> 2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not
> receive data from client: Connection reset by peer
>


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
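An added example, not code from the thread or from PostgreSQL: a small first-match simulator for the pg_hba.conf posted above. PostgreSQL reads pg_hba.conf top to bottom and applies the first record whose connection type, database, user and address all match. A "host" record matches both SSL and non-SSL TCP connections, "hostssl" matches only SSL ones, and the "cert" method always requires a client certificate (so "clientcert=1" on that line is redundant). Run on the posted file, the simulator shows that a TLS connection from 127.0.0.1 as user postgres is decided by the "host all all 127.0.0.1/32 md5" record and never reaches the "hostssl ... cert" record, which in any case applies only to 192.168.1.0/24 and to members of ssl_fabric_ca_certusers. The role membership used here (fabric_ca as a member of ssl_fabric_ca_certusers) is an assumption made for the example, hostname addresses such as "localhost" are not modelled, and whether a connection that does reach the "cert" record then succeeds depends on the server having ssl_ca_file set, which is what the earlier "client certificates can only be checked if a root certificate store is available" FATAL refers to.

```python
"""First-match simulation of a pg_hba.conf (added example, not PostgreSQL code).

Models only what the posted file uses: local/host/hostssl/hostnossl records,
the database keywords "all" and "replication", "+group" users, CIDR addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the pg_hba.conf from the thread (comments trimmed).
PG_HBA = """\
# TYPE  DATABASE        USER                            ADDRESS          METHOD
local   all             postgres                                         peer
local   all             all                                              peer
host    all             all                             127.0.0.1/32     md5
hostssl fabmnet_ca      +ssl_fabric_ca_certusers        192.168.1.0/24   cert    clientcert=1
host    all             all                             ::1/128          md5
local   replication     all                                              peer
host    replication     all                             127.0.0.1/32     md5
host    replication     all                             ::1/128          md5
"""

# Assumed (constructed) membership of the group role named in the hostssl line.
ROLE_MEMBERS = {"ssl_fabric_ca_certusers": {"fabric_ca"}}


@dataclass
class Rule:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for "local" records, which have no ADDRESS column
    method: str
    options: tuple


def parse_hba(text: str) -> list:
    """Parse pg_hba.conf text into Rule records, preserving file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            rules.append(Rule(lineno, fields[0], fields[1], fields[2], None,
                              fields[3], tuple(fields[4:])))
        else:
            rules.append(Rule(lineno, fields[0], fields[1], fields[2], fields[3],
                              fields[4], tuple(fields[5:])))
    return rules


def _type_matches(conn_type, ip, ssl):
    if conn_type == "local":
        return ip is None                       # Unix-domain socket only
    if ip is None:
        return False                            # host* records never match sockets
    return {"host": True, "hostssl": ssl, "hostnossl": not ssl}.get(conn_type, False)


def _db_matches(rule_db, database, replication):
    for tok in rule_db.split(","):
        if replication:
            if tok == "replication":            # physical replication matches only this keyword
                return True
        elif tok == "all" or tok == database:
            return True
    return False


def _user_matches(rule_user, user):
    for tok in rule_user.split(","):
        if tok == "all" or tok == user:
            return True
        if tok.startswith("+"):
            group = tok[1:]                     # +group: the group role itself or any member
            if user == group or user in ROLE_MEMBERS.get(group, set()):
                return True
    return False


def _addr_matches(rule_addr, ip):
    if rule_addr == "all":
        return True
    net = ipaddress.ip_network(rule_addr, strict=False)
    return ip.version == net.version and ip in net


def first_match(rules, *, database, user, addr=None, ssl=False, replication=False):
    """Return the first Rule PostgreSQL would apply, or None when nothing matches
    (PostgreSQL then rejects the connection). addr=None means a Unix socket."""
    ip = ipaddress.ip_address(addr) if addr is not None else None
    for rule in rules:
        if (_type_matches(rule.conn_type, ip, ssl)
                and _db_matches(rule.database, database, replication)
                and _user_matches(rule.user, user)
                and (ip is None or _addr_matches(rule.address, ip))):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    # The fabric-ca datasource: host=localhost, user=postgres, dbname=fabmnet_ca, TLS on.
    hit = first_match(rules, database="fabmnet_ca", user="postgres", addr="127.0.0.1", ssl=True)
    print(f"127.0.0.1 / postgres / TLS      -> line {hit.lineno}: {hit.method}")
    hit = first_match(rules, database="fabmnet_ca", user="fabric_ca", addr="192.168.1.10", ssl=True)
    print(f"192.168.1.10 / fabric_ca / TLS  -> line {hit.lineno}: {hit.method}")
```

The same non-TLS connection from 192.168.1.10 as fabric_ca matches no record at all, because the only record covering that subnet is hostssl; to make the loopback connection land on the cert record, the cert record would have to precede the md5 record and cover 127.0.0.1/32 (and ::1/128, since "localhost" may resolve to either), and the connecting user would have to be a member of the group role.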
