Postgres ssl doesn't seem to be enforcing ssl
CrateDB version
4.6.3
CrateDB setup information
Num nodes: 15 Heap (master=8g, data=30g, ingest=12g, query=30g)
Crate.yml (relevant part)
psql.enabled: false
psql.port: 5432
transport.tcp.compress: true
ssl.transport.mode: on
ssl.keystore_filepath: /path/to/file.p12
ssl.keystore_password: password123
ssl.keystore_key_password: password123
ssl.truststore_filepath: /path/to/file.p12
ssl.truststore_password: password456
ssl.http.enabled: true
ssl.psql.enabled: true
Steps to Reproduce
We’re using HAProxy to connect to the multiple query/ingest nodes and for whatever reason, haproxy won’t talk to crate’s psql unless we remove the ssl portion. HTTP works as expected.
Our simple haproxy config for this purpose:
listen http-crate-psql
    # HAProxy syntax: "bind" takes no colon
    bind *:5432
    mode tcp
    # the built-in PostgreSQL health check is "pgsql-check", not "psql-check"
    option pgsql-check user crate
    timeout server 15m
    balance leastconn
    # "ssl" on a server line makes HAProxy start TLS immediately on the TCP connection
    server one my-crate-one.my-fqdn:5432 check ssl crt /path/to/mycert.pem ca-file /path/to/mycert.crt ssl-min-ver TLSv1.2 verify required
    server two my-crate-two.my-fqdn:5432 check ssl crt /path/to/mycert.pem ca-file /path/to/mycert.crt ssl-min-ver TLSv1.2 verify required
If I remove the SSL portions for postgres in the haproxy config, it connects/works as expected, and that’s with ssl.psql.enabled: true
Expected Result
I expect haproxy to connect to crate’s psql port with ssl and allow me to start sending queries
Actual Result
The healthchecks fail (and yes, I’ve tried removing them) and haproxy fails to connect to crate’s postgres port
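The PostgreSQL wire protocol does not start with a TLS handshake: the client first sends an 8-byte SSLRequest in cleartext, the server answers a single byte ('S' to proceed with TLS, 'N' to refuse), and only then does the TLS handshake begin. HAProxy's ssl server option instead opens TLS directly on the TCP connection, so the server reads the leading bytes of the ClientHello as a startup packet. The probe below is an added example (not code from this issue, CrateDB or HAProxy) that does the negotiation the protocol requires and also tries a cleartext startup, so you can see whether a psql port offers TLS and whether it still accepts unencrypted sessions; the host name, port, user and CA path are placeholders, and the ClientHello prefix is a constructed sample sized like the 512-byte hellos OpenSSL typically pads TLS 1.3 ClientHellos to.

```python
"""Probe how a PostgreSQL-wire-protocol endpoint (such as CrateDB's psql port)
negotiates TLS. Added example, not code from the issue, CrateDB or HAProxy.
Host, port, user and CA file used below are placeholders."""
import socket
import ssl
import struct
from typing import Optional

# Constants from the PostgreSQL frontend/backend protocol specification.
SSL_REQUEST_CODE = (1234 << 16) | 5679   # 80877103
PROTOCOL_3_0 = (3 << 16) | 0             # 196608

# Constructed sample: the first bytes of a TLS record carrying a ClientHello
# (record header 16 03 01 02 00, handshake header 01 00 01 fc, version 03 03),
# i.e. what a server receives when a client starts TLS without an SSLRequest.
SAMPLE_CLIENT_HELLO_PREFIX = bytes.fromhex("16030102000100 01fc0303")


def build_ssl_request() -> bytes:
    """SSLRequest: Int32 length (8) + Int32 request code, sent in cleartext
    before any TLS handshake. HAProxy's `ssl` server option skips this step."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_startup_message(user: str, database: str) -> bytes:
    """StartupMessage for protocol 3.0: Int32 length, Int32 version, then
    NUL-terminated key/value pairs and a final NUL."""
    params = b"".join(
        k.encode() + b"\x00" + v.encode() + b"\x00"
        for k, v in (("user", user), ("database", database))
    ) + b"\x00"
    return struct.pack("!ii", 8 + len(params), PROTOCOL_3_0) + params


def parse_startup_header(data: bytes):
    """Interpret the first 8 bytes the way a protocol-3 server does: a length
    followed by either the SSLRequest code or a major.minor protocol version."""
    length, code = struct.unpack("!ii", data[:8])
    if code == SSL_REQUEST_CODE:
        return ("ssl_request", length)
    return ("startup", length, code >> 16, code & 0xFFFF)


def probe(host: str, port: int, ca_file: Optional[str], user: str = "crate",
          database: str = "doc", timeout: float = 5.0) -> dict:
    """Report how the endpoint answers an SSLRequest and a cleartext startup.
    Run it against a CrateDB/PostgreSQL port you operate."""
    result = {}
    # 1. SSLRequest: expect 'S' (TLS offered) or 'N' (TLS refused).
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        answer = sock.recv(1)
        result["ssl_answer"] = answer.decode(errors="replace")
        if answer == b"S":
            ctx = ssl.create_default_context(cafile=ca_file)
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                tls.sendall(build_startup_message(user, database))
                # 'R' = authentication request, 'E' = error response
                result["tls_startup_reply"] = tls.recv(1).decode(errors="replace")
    # 2. Cleartext StartupMessage: 'R' means the server is willing to
    #    authenticate without TLS, 'E' means it rejected the connection.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_message(user, database))
        result["plain_startup_reply"] = sock.recv(1).decode(errors="replace")
    return result


if __name__ == "__main__":
    # Placeholder endpoint and CA file; replace with your own node's values.
    print(probe("my-crate-one.my-fqdn", 5432, "/path/to/mycert.crt"))
```

Feeding SAMPLE_CLIENT_HELLO_PREFIX to parse_startup_header shows the failure mode directly: the server reads a nonsensical length and a protocol version of 1.1, the same version the reporter later found in the CrateDB logs. A port that answers 'S' to the SSLRequest but also returns 'R' to the cleartext startup offers TLS without enforcing it; enforcement is a host-based-authentication decision, not something the ssl.psql.enabled switch alone provides.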
Issue Analytics
- Created 2 years ago
- Comments: 8 (4 by maintainers)
Top GitHub Comments
I was able to verify psql works with the cert, so it seems to be an haproxy issue where it doesn’t understand how to interact with postgres, as the logs specify the protocol being used is 1.1 when psql uses 3.0.
We’re working on switching to pgpool which I’m sure will work just fine… Appreciate all your help!
Could you enable it while keeping other configs?
Could you try another cert where username is the CN of the cert?
Could you also update HBA config and add method: cert to those entries?
Also, might be useful to enable debug logging for the io.crate.protocols package to get more insights - it’s possible to do it in the runtime - something like:
set global transient 'logger.io.crate.protocols' = 'DEBUG';