Not respecting jdbc args?

Which version and edition of Flyway are you using?

Flyway gradle plugin: 6.4.3

Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)

Gradle plugin

Which database are you using (type & version)?

Postgres 12

Which operating system are you using?

MacOS

What did you do?

(Please include the content causing the issue, any relevant configuration settings, the SQL statement that failed (if relevant) and the command you ran.) I ran ./gradlew -Dflyway.configFiles=config.flyway flywayMigrate

with a config file that looks like:

flyway.url=jdbc:postgresql://127.0.0.1:5432/db_name?ssl=true&sslmode=verify-ca&sslrootcert=/path/to/server-ca.pem&sslkey=/path/to/client-key.pem&sslcert=/path/to/client-cert.pem
flyway.user=postgres
flyway.password=redacted

What did you expect to see?

A successful migration

What did you see instead?
 SQL State  : 28000
  Error Code : 0
  Message    : FATAL: connection requires a valid client certificate
  
  FATAL: connection requires a valid client certificate

I have confirmed that I can connect via psql or DataGrip with these files. With DataGrip I can copy and paste that JDBC URL and it works great. I’m not entirely convinced this is due to something in Flyway, but I can’t seem to reproduce this outside of Flyway. Any ideas if Flyway messes with/doesn’t understand JDBC URLs?

Is there a better way to configure SSL with custom certs?

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8 (1 by maintainers)

Top GitHub Comments

2 reactions
nat-ser commented, Apr 15, 2022

For anyone struggling with this, @cyrbil is on point. I want to add a specific example of what worked for me applying his comment.

On Mac, jdbc driver. My original client key is .pem and the certs are .crt

# convert key to PK8+DER format
openssl pkcs8 -topk8 -inform PEM -outform DER -in "$PGSSL_CLIENT_KEY_PATH" -out client_key.pk8 -nocrypt
FORMATTED_KEY=client_key.pk8

# set permissions on client key
chmod 0600 "$FORMATTED_KEY"

# run flyway migrate
flyway \
-locations="filesystem:/seismic/webhook/sql/flyway_revisions/webhook" \
-url="jdbc:postgresql://${PGHOST}/${PGDATABASE}?sslmode=verify-ca" \
-jdbcProperties.sslcert="${PGSSL_CLIENT_CERT_PATH}" \
-jdbcProperties.sslrootcert="${PGSSL_SERVER_CERT_PATH}" \
-jdbcProperties.sslkey="${FORMATTED_KEY}" -user="$PGUSER" -password="$PGPASSWORD" migrate

Above also works with the jdbc properties passed as params in the url, like @bit-void was doing

1 reaction
cyrbil commented, Jun 1, 2021

Just as information for the wanderers that could stumble on this issue:

To successfully use JDBC arguments:

  • Certificates (root and client) should be in X509+PEM format
  • Certificates can have any extension (tested with pem and crt)
  • Certificates should be readable (duh!)
  • Private key should be in PK8+DER format
  • Private key should end with extension .pk8
  • Private key should be owner read only (chmod 600 # or 400)
  • The default files should not exist (ie: for postgresql, $HOME/.postgresql/{postgresql.crt,postgresql.pk8,root.crt} should not exist) (not really necessary, but it avoids a headache)

The error "connection requires a valid client certificate" is returned by the server because no certificate was sent (you can see that using JAVA_ARGS=-Djavax.net.debug=all and observe "No available client authentication"), meaning JDBC did not find a suitable certificate and will use an empty Certificate message instead. The reason could be one of:

  • Any of the rules mentioned above is not respected
  • Certificate does not suit the CertificateRequest handshake message (either by Type, Signature Algorithm, or Certificate Authority). Use JAVA_ARGS=-Djavax.net.debug=all to see what the server is expecting and openssl x509 to see what the certificate offers.
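
A preflight check for the rules listed in the comment above, as an added example that is not part of the original thread and not Flyway or driver code. The function names are hypothetical, and the format checks are heuristics (PEM marker line, leading DER byte 0x30) rather than full parsing.

```shell
#!/bin/sh
# Added example: preflight for the client-certificate rules listed above.
# Format checks are heuristics (PEM marker, leading DER byte), not full parsing.
# Usage: check_client_tls client.crt root.crt client_key.pk8

# Readable file containing a PEM certificate marker line.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# DER is binary ASN.1: the first byte is 0x30 (SEQUENCE); a PEM key starts with "-".
is_der_key() {
    [ -r "$1" ] && [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Mode must be 600 or 400: no execute bit, nothing for group or other.
is_owner_only() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -r?-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one FAIL line per violated rule; the exit status is the number of violations.
# The optional 4th argument overrides $HOME for the default-file check.
check_client_tls() {
    cert=$1 root=$2 key=$3 home=${4:-$HOME} bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    is_pem_cert "$cert" || fail "sslcert is not a readable PEM certificate: $cert"
    is_pem_cert "$root" || fail "sslrootcert is not a readable PEM certificate: $root"
    case "$key" in
        *.pk8) ;;
        *) fail "sslkey does not end in .pk8: $key" ;;
    esac
    is_der_key "$key" || fail "sslkey is not DER-encoded (PEM key not converted?): $key"
    is_owner_only "$key" || fail "sslkey mode is not 600 or 400: $key"
    # The comment above advises that the default files not exist; warn if they do.
    for f in postgresql.crt postgresql.pk8 root.crt; do
        if [ -e "$home/.postgresql/$f" ]; then
            echo "WARN: default file present: $home/.postgresql/$f"
        fi
    done
    return "$bad"
}
```

A non-zero exit status before running the migration points at the local file setup rather than at the server or the JDBC URL.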