I am configuring a feature store called FEAST in GCP. I did all the requires steps and I can create and deploy infrastructure.
Now, I have enabled the SSL for Postgresql and I can connect to Postgres DB directly as I have created the SSL certs(client-cert.pem, client-key.pem and server-ca.pem). But, doing the exact process to generate and deploy infrastructure with the feast apply is throwing an error.
The error says ""psycopg2.OperationalError: connection to server at "xx.xxx.xx.x", port 0000 failed: FATAL: connection requires a valid client certificate
connection to server at "xx.xxx.xx.x", port 0000 failed: FATAL: pg_hba.conf rejects connection for host "xx.xxx.xx.x", user "postgres", database "postgres", SSL off ""
Any help and advice is much appreciated!!
Related
I am following this post to enable ssl on Postgres 14 for logical replication. Then try to make connection on client:
CREATE SUBSCRIPTION my-sub
CONNECTION 'host=my-domain.com dbname=my-db user=my-username password=xxxxxx'
PUBLICATION my-pub;
It throws error:
2022-05-12 13:51:36.047 PDT [37340] ERROR: could not connect to the publisher: connection to server at "my_domain.com" (xxx.xxx.xxx.141), port 5432 failed: could not initiate GSSAPI security context: The operation or option is not available: Credential for asked mech-type mech not found in the credential handle
connection to server at "my_domain.com" (xxx.xxx.xxx.141), port 5432 failed: FATAL: connection requires a valid client certificate
connection to server at "my-domain.com" (xxx.xxx.xxx.141), port 5432 failed: FATAL: no pg_hba.conf entry for host "xxx.xxx.xxx.199", user "my-username", database "my-db", no encryption
On my-pub server, one line was added to pg_hba.conf:
hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=verify-full
On sub client, the ca file is setup as below:
ssl_ca_file = '/usr/local/var/postgres/root.crt'. //<<==client cert copied from pub server.
Mostly people just use serve certs. Using client certs is unusual, I would say especially in the case of a logical replication subscriber. But if you do actually want the publisher to demand client certs, it is not configured incorrectly to that purpose (or at least, not that we can tell from the current data). The publisher is demanding a client cert, but the subscriber is not offering one. The configuration problem is on the subscriber.
Note that in this case the subscriber will be acting as the client to connect to the publisher, not acting in the role of a server. It uses the libpq client library to do that, and so the configuration of it is not based on the contents of postgresql.conf. In particular, ssl_ca_file is a server configuration option, not client configuration.
So the way to do this would be for the CONNECTION to look something like
'host=my-domain.com dbname=my-db user=my-username password=xxxxxx sslcert=/foobar/my-username.crt sslkey=/foobar/my-username.key'
But for this to work, the cert and key would need to be on the subscriber computer, readable to whomever owns the postgres process. Which already renders any security benefit dubious.
I'm trying to make a connection to a PostgreSQL database which is located in a remote server using Talend Open Studio for Big Data v7.3.1
the problem is that the server requires SSL certificates. I tried many ways but It still fails.
Here are the connection strings that I tried and the log errors in TOS BD
1)With ssl mode disable jdbc:postgresql://xx.xx.xx.xx:5432/dbName?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory&sslmode=disable
Exception in component tDBConnection_1 (DB_Connection)
org.postgresql.util.PSQLException: FATAL: pg_hba.conf rejects connection for host "my.ip.address.here", user "user", database "databasename", SSL off
2)Without specifying ssl mode (it means it takes the default mode) jdbc:postgresql://xx.xx.xx.xx:5432/dbName?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
org.postgresql.ssl.PGjdbcHostnameVerifier verify
GRAVE: Server name validation failed: hostname xx.xx.xx.xx does not match common name xxxxx
Exception in component tDBConnection_1 (DB_Connection)
org.postgresql.util.PSQLException: The hostname xx.xx.xx.xx could not be verified by
hostnameverifier PgjdbcHostnameVerifier
3)If I omit SSL parameters part in the connection like this jdbc:postgresql://xx.xx.xx.xx:5432/dbName? it asks for a valid client certificate.
NB:I can connect to the database using the pgadmin the problem is with Talend open Studio
The solution is to put the certificates locations in the connection string with specifying the ssl mode :
ssl=true&sslmode=prefer&sslcert=DirectoryToSslCertificates/client.crt&sslkey=DirectoryToSslCertificates/clientkey.pk8&sslrootcert=DirectoryToSslCertificates/root.crt
(dont forget to change the certificates formats with openssl commands,I had .pem files)
I've created an AWS RDS database instance and I've created a new server connection on pgAdmin. It's connecting but when I click on the database I get the below error message. What kind of things could I be doing wrong? ( I get the same error on PSQL too)
" The operation or option is not available
could not initiate GSSAPI security context: Credential for asked mech-type mech not found in the credential handle
FATAL: pg_hba.conf rejects connection for host "86.159.85.29", user "postgres", database "rdsadmin", SSL on
FATAL: pg_hba.conf rejects connection for host "86.159.85.29", user "postgres", database "rdsadmin", SSL off"
You must use SSL when authenticating via RDS IAM authentication. The message you're receiving hints at this by saying SSL off.
Please help with the following problem ...
OS - Windows.
I want to configure SSL on Postgresql 12.
Then my Java application will add entries to the database, delete, etc.
I created certificates: CA, server, client.
CA and server are located in the directory C:\Program Files\PostgreSQL\12\data
The client is located in C:\Users\User\AppData\postgresql
Then I added CA certificate to trusted in Windows.
Configs:
pg_hba:
hostnossl all all 0.0.0.0/0 reject
hostssl all all 0.0.0.0/0 cert clientcert=1
postgresql.conf:
ssl = on
ssl_ca_file = 'root.crt'
I can connect server throw pgAdmin with my certificates, but there are some errors in cmd (and java)
Thant's what I tried to do in cmd
psql.exe -U postgres -h 127.0.0.1
Result:
SSL: certificate verify failed
FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "prod", SSL off
Logs:
tlsv1 alert unknown ca
FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "prod", SSL off
Please, tell me what's can be wrong and how can I fix it...
Also I did not find information, how to transfer my certificates to the database from Java application. Maybe, anybody can help me with that problem))
Thanks!
use this in your connection string and it will work:
ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
Then I added CA certificate to trusted in Windows.
psql does not integrate with the Windows certificate manager. The CA to be used by the client needs to go in %APPDATA%\postgresql\root.crt, or if elsewhere its location must be specified by a connection parameter (sslrootcert) or environment variable (PGSSLROOTCERT). These must be files, I don't think there is way to say "go get it from the cert manager".
I think jdbc is the same way, it does not integrate with the Windows cert manager either, for how to specify the locations see https://jdbc.postgresql.org/documentation/head/ssl-client.html
SSL: certificate verify failed FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "prod", SSL off
Maybe you already know this, but first it tried using SSL and failed to verify the cert (it does not make it clear which side failed, the client cert or the server cert), then it tried to fall back to no SSL and got rejected by the pg_hba. If you had set the client's sslmode to "require" or higher, it would not have tried to fall back to the no SSL, it would have stopped at the first error.
Provisioned an IBM Cloud Compose PostgreSQL instance. Then tried to connect the instance to the Watson Studio.
Although establishing a connection works fine, when I try to save retraining configuration getting the following error message.
Error: Unhandled exception of type PSQLException with message: FATAL: no pg_hba.conf entry for host "", user "", database "", SSL off
I do not think I can ssh to the db host and just change the pg_hba.conf file.
I do not think this is a possibility as the IBM Cloud Compose PostgreSQL is server less instance (I think).
How do I resolve this ?
How do you connect? Do you use a connection asset? Is this connection asset using the "Compose for PostgreSQL" or "PostgreSQL" type of connection? The "Compose for PostgreSQL" type of connection asset uses TLS, so should work.
This error message means you are trying to connect to the Database without TLS. Databases for PostgreSQL will reject unsecured connections.
https://cloud.ibm.com/docs/services/databases-for-postgresql?topic=databases-for-postgresql-security-compliance#protection-against-unauthorized-access
https://cloud.ibm.com/docs/services/databases-for-postgresql?topic=databases-for-postgresql-external-app
You have to add all the nodes accessing Postgres to pg_hba.conf file in the postgres server. For example,if the CIDR for the nodes connecting to Postgres is 192.168.1.0/24, then an entry like the following is required.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only local all all peer
# IPv4 local connections:
#host all all 127.0.0.1/32 ident host all all 192.168.1.0/24 trust
You have to find where to do this in IBM Cloud