
TLS with pgpool not working #17

Open

MatteoGioioso opened this issue Apr 8, 2022 · 6 comments

Comments

MatteoGioioso commented Apr 8, 2022

Hello

I am trying to set up TLS certificates with pgpool and postgres to have a secure connection between client <-> pgpool <-> postgres.

As I understand it, when using verify-ca the client provides the root certificate of the CA for verification with the backend; the same should happen with pgpool in the middle: my client provides the root certificate to verify the connection with pgpool, then pgpool becomes the client and provides the root certificate via the ssl_ca_cert option to verify the postgres backend.

However, pgpool seems to reject my CA. This is the link to the repro repository: https://github.com/MatteoGioioso/tls_issue_pgpool

Following those instructions, everything works when connecting directly to postgres:

  db_master:
    build:
      dockerfile: pg.Dockerfile
      context: .
    command: -c ssl=on -c ssl_cert_file=/tls/cert.crt -c ssl_key_file=/tls/cert.key
    environment:
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_USER=postgres

Dockerfile:

FROM postgres:12

COPY cert.crt /tls/cert.crt
COPY cert.key /tls/cert.key
COPY root.crt /tls/root.crt

WORKDIR /tls
RUN chmod 600 cert.key
RUN chown postgres:postgres cert.key

This config will work with verify-ca:

psql "sslmode=verify-ca sslrootcert=root.crt host=localhost user=postgres port=5432"

psql (14.2 (Ubuntu 14.2-1.pgdg20.04+1), server 12.9 (Debian 12.9-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)

However, the same setup with pgpool (you can check it in the repo I linked) does not work:

psql "sslmode=verify-ca sslrootcert=root.crt host=localhost user=postgres port=5432"

psql: error: connection to server at "localhost" (::1), port 5432 failed: SSL error: certificate verify failed

In the logs:

pg_pool_1     | 2022-04-08 08:37:46: pid 38: LOG:  using clear text authentication with frontend
pg_pool_1     | 2022-04-08 08:37:46: pid 38: DETAIL:  backend will still use md5 auth
pg_pool_1     | 2022-04-08 08:37:46: pid 38: HINT:  you can disable this behavior by setting allow_clear_text_frontend_auth to off
pg_pool_1     | 2022-04-08 08:37:47: pid 38: LOG:  pool_reuse_block: blockid: 0
pg_pool_1     | 2022-04-08 08:37:47: pid 38: CONTEXT:  while searching system catalog, When relcache is missed
pg_pool_1     | 2022-04-08 08:37:50: pid 40: LOG:  pool_ssl: "SSL_accept": "tlsv1 alert unknown ca"
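The verify-ca check the report describes (each hop validating the peer's certificate against a trusted root) can be exercised offline with the openssl CLI. The script below is an added example, not code from the issue, the repro repository or the pgpool project: it builds a throwaway root CA, a server certificate signed by it and an unrelated second root, then shows that the certificate verifies only against the root that issued it. A failed `verify_chain` is the same condition that appears on the wire as the "tlsv1 alert unknown ca" and "certificate verify failed" messages above. All paths, key sizes, subject names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue or from pgpool): a throwaway PKI for
# checking which root a server certificate chains to, which is the test
# verify-ca performs on every hop (client -> pgpool, pgpool -> postgres).
# Requires the openssl CLI. Paths and subject names are constructed.

# make_test_pki <dir>: creates root.crt/root.key, a server cert.crt/cert.key
# signed by that root, and an unrelated other_root.crt/other_root.key.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed root CA (the file a client would pass as sslrootcert).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # Server key + CSR, then sign the CSR with the root.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" \
        -keyout "$dir/cert.key" -out "$dir/cert.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/cert.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/cert.crt" 2>/dev/null || return 1
    # A second, unrelated root: trusting this one must NOT validate cert.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other Root" \
        -keyout "$dir/other_root.key" -out "$dir/other_root.crt" 2>/dev/null \
        || return 1
    # Private keys must not be world-readable (the report's Dockerfile
    # enforces the same with chmod 600).
    chmod 600 "$dir/cert.key" "$dir/root.key" "$dir/other_root.key"
}

# verify_chain <cert> <ca_file>: returns 0 if cert chains to ca_file,
# non-zero otherwise. This is the check each TLS peer performs under
# verify-ca; a non-zero result here is what surfaces as "unknown ca".
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage when run directly (paths constructed):
#   make_test_pki /tmp/pki
#   verify_chain /tmp/pki/cert.crt /tmp/pki/root.crt        # succeeds
#   verify_chain /tmp/pki/cert.crt /tmp/pki/other_root.crt  # fails
```

When a two-hop setup fails, run `verify_chain` separately for the certificate pgpool presents against the client's sslrootcert, and for the postgres certificate against the file pgpool has in ssl_ca_cert; whichever pair fails is the hop producing the alert.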

MatteoGioioso changed the title from "TLS with pgool not working" to "TLS with pgpool not working" on Apr 8, 2022
pengbo0328 (Collaborator) commented Apr 9, 2022

Thank you for reporting this issue.

The Docker image doesn't support root.crt configuration. I think it causes this issue.
I am going to add ssl_ca_cert support.

MatteoGioioso (Author) commented

@pengbo0328 Thanks for your reply.

> The Docker image doesn't support root.crt configuration

I thought that was under pool.conf; is there a build or startup option to allow it?

> I am going to add ssl_ca_cert support.

That would be great. If you need help, let me know; with some hints I could try to make a PR.

pengbo0328 (Collaborator) commented

> I thought that was under pool.conf; is there a build or startup option to allow it?

I have updated the Docker image to allow the custom TLS certificates and private key:
https://github.com/pgpool/pgpool2_on_k8s/blob/master/docs/index.md#tls-settings

However, sslrootcert is not supported yet.

> That would be great. If you need help, let me know; with some hints I could try to make a PR.

It would be appreciated if you could make a PR.

MatteoGioioso (Author) commented Apr 21, 2022

@pengbo0328 As I understand it, you are not adding root.crt into pgpool.conf from entrypoint.sh:

echo "ssl_ca_cert = '${PGPOOL_INSTALL_DIR}/tls/root.crt'" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf

Or is there something more that I am missing?

Thanks
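The entrypoint change proposed above (appending an ssl_ca_cert line to pgpool.conf) can be made idempotent and guarded, so that a missing or wrong CA file is reported at container start instead of surfacing later as a TLS handshake failure. The script below is an added example, not the project's entrypoint.sh and not the PR from this thread. It assumes the same layout as the echo line above (root.crt under $PGPOOL_INSTALL_DIR/tls, pgpool.conf under $PGPOOL_INSTALL_DIR/etc); the function names and the sanity checks are hypothetical additions.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh): enable ssl_ca_cert in
# pgpool.conf when a root CA file is mounted, without producing duplicate
# lines on repeated container starts. Layout assumed from the thread:
#   $PGPOOL_INSTALL_DIR/tls/root.crt   -> CA used to verify the backend
#   $PGPOOL_INSTALL_DIR/etc/pgpool.conf -> pgpool configuration

# configure_ssl_ca_cert <install_dir>
# Returns 0 when ssl_ca_cert is set, 1 when no root.crt is present,
# 2 when the file exists but is not PEM certificate data.
configure_ssl_ca_cert() {
    install_dir="$1"
    conf="$install_dir/etc/pgpool.conf"
    ca="$install_dir/tls/root.crt"

    if [ ! -f "$ca" ]; then
        echo "no root CA at $ca; leaving ssl_ca_cert unset" >&2
        return 1
    fi

    # Cheap sanity check that catches "mounted the wrong file" before
    # pgpool starts and fails the handshake with an unhelpful alert.
    grep -q 'BEGIN CERTIFICATE' "$ca" || {
        echo "$ca does not look like a PEM certificate" >&2
        return 2
    }

    # Drop any previous ssl_ca_cert line so repeated starts stay auditable
    # (one authoritative setting instead of an accumulating tail).
    sed '/^ssl_ca_cert/d' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "ssl_ca_cert = '$ca'" >> "$conf"
    return 0
}

# current_ssl_ca_cert <install_dir>: prints the configured CA path
# (empty if unset), useful for a startup log line or a health check.
current_ssl_ca_cert() {
    sed -n "s/^ssl_ca_cert = '\(.*\)'$/\1/p" "$1/etc/pgpool.conf"
}

# Usage in an entrypoint (install dir constructed):
#   configure_ssl_ca_cert "${PGPOOL_INSTALL_DIR:-/opt/pgpool-II}" || true
#   echo "ssl_ca_cert is: $(current_ssl_ca_cert "${PGPOOL_INSTALL_DIR:-/opt/pgpool-II}")"
```

Returning a distinct status for "no CA mounted" versus "CA file unusable" lets the entrypoint decide whether a backend connection without verification is acceptable in that deployment or whether startup should abort.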

MatteoGioioso (Author) commented Apr 25, 2022

@pengbo0328 I have added that line to entrypoint.sh, tested again, and it worked.

I have made a PR.

MatteoGioioso (Author) commented

@pengbo0328 Hey, did you have time to take a look at the PR? Thanks
