
Postgres ssl doesn't seem to be enforcing ssl

See original GitHub issue

CrateDB version

4.6.3

CrateDB setup information

Num nodes: 15
Heap: master=8g, data=30g, ingest=12g, query=30g

Crate.yml (relevant part)

psql.enabled: false
psql.port: 5432

transport.tcp.compress: true

ssl.transport.mode: on
ssl.keystore_filepath: /path/to/file.p12
ssl.keystore_password: password123
ssl.keystore_key_password: password123
ssl.truststore_filepath: /path/to/file.p12
ssl.truststore_password: password456
ssl.http.enabled: true
ssl.psql.enabled: true

Steps to Reproduce

We’re using HAProxy to connect to the multiple query/ingest nodes and for whatever reason, haproxy won’t talk to crate’s psql unless we remove the ssl portion. HTTP works as expected.

Our simple haproxy config for this purpose:

listen http-crate-psql
  bind *:5432
  mode tcp
  option pgsql-check user crate
  timeout server 15m
  balance leastconn
  server one my-crate-one.my-fqdn:5432 check ssl crt /path/to/mycert.pem ca-file /path/to/mycert.crt ssl-min-ver TLSv1.2 verify required
  server two my-crate-two.my-fqdn:5432 check ssl crt /path/to/mycert.pem ca-file /path/to/mycert.crt ssl-min-ver TLSv1.2 verify required

If I remove the SSL portions for postgres in the haproxy config, it connects/works as expected, and that's with ssl.psql.enabled: true.

Expected Result

I expect haproxy to connect to crate’s psql port with ssl and allow me to start sending queries

Actual Result

The healthchecks fail (and yes, I’ve tried removing them) and haproxy fails to connect to crate’s postgres port

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

bputt-e commented, Sep 30, 2021

I was able to verify psql works with the cert, so it seems to be an haproxy issue where it doesn’t understand how to interact with postgres as the logs specify the protocol being used is 1.1 when psql uses 3.0

We're working on switching to pgpool, which I'm sure will work just fine. Appreciate all your help!

BaurzhanSakhariev commented, Sep 28, 2021

> psql.enabled: false

Could you enable it while keeping other configs?

> I modified the HAProxy conf for user my-user.my.fqdn.com
> The user my-user.my.fqdn.com is the DN of the cert

Could you try another cert where username is the CN of the cert?

> 1: protocol: pg ssl: on
> 2: protocol: http ssl: on

Could you also update HBA config and add method: cert to those entries?

Also, it might be useful to enable debug logging for the io.crate.protocols package to get more insights. It's possible to do it at runtime, with something like set global transient 'logger.io.crate.protocols' = 'DEBUG';
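An added check for the enforcement question in this thread (example code, not from the issue, CrateDB or HAProxy): it performs the in-band PostgreSQL SSLRequest handshake that the psql port uses when ssl.psql.enabled: true, verifies the server certificate, and then confirms that a plaintext StartupMessage is refused, which is what the HBA entries with ssl: on should produce. HAProxy's `ssl` keyword on a server line starts TLS from the first byte instead of sending SSLRequest, so run this probe against a CrateDB node directly rather than through the proxy. It assumes the server answers a refused plaintext session with an ErrorResponse as PostgreSQL does; the host, certificate paths and the crate/doc credentials are placeholders.

```python
import socket
import ssl
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679, PostgreSQL SSLRequest code
PROTOCOL_3_0 = 196608        # (3 << 16) | 0, wire protocol version 3.0

def build_ssl_request() -> bytes:
    """SSLRequest: int32 length (8) followed by the int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def build_startup_message(user: str, database: str) -> bytes:
    """Plaintext protocol-3.0 StartupMessage: length, version, NUL-separated params."""
    params = b"user\0" + user.encode() + b"\0database\0" + database.encode() + b"\0\0"
    body = struct.pack("!i", PROTOCOL_3_0) + params
    return struct.pack("!i", len(body) + 4) + body

def interpret_ssl_reply(reply: bytes) -> str:
    """The server answers SSLRequest with one byte: 'S' (start TLS) or 'N' (no TLS)."""
    if reply == b"S":
        return "tls-offered"
    if reply == b"N":
        return "tls-refused"
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")

def interpret_startup_reply(tag: bytes) -> str:
    """First message tag after a plaintext StartupMessage: 'E' (ErrorResponse) means the
    unencrypted session was refused; 'R' (Authentication*) means ssl is not enforced."""
    return {b"E": "plaintext-rejected", b"R": "plaintext-accepted"}.get(tag, "unknown")

def probe(host, port, cafile, certfile=None, keyfile=None):
    """Run both checks against one node. cafile/certfile/keyfile are placeholder paths."""
    result = {}
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(build_ssl_request())
        result["ssl_request"] = interpret_ssl_reply(raw.recv(1))
        if result["ssl_request"] == "tls-offered":
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
            if certfile:  # client certificate for an HBA entry with method: cert
                ctx.load_cert_chain(certfile, keyfile)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                result["server_cn"] = subject.get("commonName")
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(build_startup_message("crate", "doc"))  # constructed credentials
        result["plaintext"] = interpret_startup_reply(raw.recv(1))
    return result
```

A healthy node returns ssl_request "tls-offered" with the expected server_cn and plaintext "plaintext-rejected"; "plaintext-accepted" means the HBA config is letting unencrypted sessions through.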
