I am trying to connect to a serverless Aurora serverless PostGRESQL RDS instance with SSL, but in vain.
My RDS lies on a private subnet group (2 private subnets) and I am trying to connect from an EC2 instance lying in public subnet.
What works:
psql -h "mydb.cluster-cyjoviss5z9y.eu-central-1.rds.amazonaws.com" -p 5432 -d "dbname=mydb user=postgres password=NVMXeyQRXIzW50xx"
psql (9.2.24, server 10.7)
WARNING: psql version 9.2, server version 10.0.
Some psql features might not work.
SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
mydb=
However, this doesn't work:
psql -h "mydb.cluster-cyjoviss5z9y.eu-central-1.rds.amazonaws.com" -p 5432 -d "dbname=mydb user=postgres password=NVMXeyQRXIzW50xx sslmode=verify-ca"
Error:
psql: root certificate file "/home/ec2-user/.postgresql/root.crt" does not exist
OR
psql: SSL error: certificate verify failed
The same above command with sudo works, but when I verify the connection it still says:
mydb=> select ssl_is_used();
ssl_is_used
-------------
f
(1 row)
So I downloaded the root certificate from here, as suggested in this page. It even mentions that AWS Serverless instances don't require the root certificate to be downloaded.
I converted the PEM file into CRT using this. I tried giving the root.crt file with 777 and 600 permissions, both didn't help.
Any hints on what can possibly go wrong here?
Apparently AWS still doesn't support SSL connections for Postgres Aurora databases yet!
Related
I have a kong services which is in failed status with below error message from journalctl
/usr/local/share/lua/5.1/kong/cmd/migrations.lua:213: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: FATAL: password authentication failed for user "konguser"
postgres information from Kong.conf as below
cat /etc/kong/kong.conf|grep -i pg
pg_host = xxxx.yyyyy.ap-south-1.rds.amazonaws.com
pg_port = 5432 # Port of the Postgres server.
pg_user = konguser # Postgres user.
pg_password = "zzzzzzz" # Postgres user's password.
pg_database = kong_db # The database name to connect to.
Troubleshooted the same by trying to connect the same manually using psql as below and it worked
[root#ip-10-0-2-30 system]# psql -U konguser -p 5432 -h xxxx.yyyyy.ap-south-1.rds.amazonaws.com -d kong_db
Password for user konguser:
psql (10.15, server 10.9)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
kong_db=>
Not sure what is causing the failure.Could you please help to troubleshoot
Looks like your rds instance is using ssl.
Default kong configuration is without ssl.
https://docs.konghq.com/gateway-oss/2.4.x/configuration/#postgres-settings
Two solution, remove ssl from rds, or activate it on kong side with
pg_ssl=on
I'm trying to get my GCP Compute Engine instance, Ubuntu 16.04, connected to a GCP Cloud SQL PostgreSQL database.
I've followed all the instructions in the documentation, but when I enter the command to connect to the database:
psql -h [CLOUD_SQL_PUBLIC_IP_ADDR] -U postgres
The result is:
psql: FATAL: Peer authentication failed for user "postgres"
I've done the authentication on both the CloudSQL side and the ComputeEngine side, so I'm not sure why this is going wrong.
The database I'm trying to connect to is in the same project, and the command
gcloud sql instances list
shows the database in the listings. However, the command
sudo -u postgres psql my-db
returns
psql: FATAL: database "my-db" does not exist
The expected result is that a psql connection opens, but instead I get a psql: FATAL: Peer authentication failed for user "postgres".
I've followed the instructions from the documentation you posted and I was able to connect successfully from my Compute Engine instance (Ubuntu 16.04) using a public IP address.
The steps I've followed are documented in "Connecting using a public IP address":
1- Added a static IPv4 IP address to the Compute Engine instance. To do this, navigate to the Cloud console > VPC Network > External IP addresses and click in the button "Reserve static address".
2- Authorize the static IP address of the Compute Engine instance as a network that can connect to the Cloud SQL instance.
3- Connect via SSH button to your Compute Engine instance.
4- Install the psql client:
$ sudo apt-get update
$ sudo apt-get install postgresql-client
5- find the CLOUD_SQL_PUBLIC_IP_ADDR
$ gcloud sql instances list:
6- And connect to the Cloud SQL instance with the psql client making sure both user and database do exist:
$ psql -h [CLOUD_SQL_PUBLIC_IP_ADDR] -U [USER] -d [DATABASE]
Also, the command below worked fine for me:
$ psql [USER] -h [CLOUD_SQL_PUBLIC_IP_ADDR] -d [DATABASE]
Then you will be asked for the user's password and voilĂ .
Could you please try following the instructions above to verify if it works fine for you?
Did you configure an encrypted connection before using SSL?
I have added a configured postgres database add-on to a heroku app.
When I try to connect to the database outside the heroku (from my local machine) it always gives an error
SSL SYSCALL error: Connection reset by peer (0x00002746/10054)
I have tried connection from Heroku CLI as well as PGAdmin. I have tried configuring SSL mode to Require.
psql -h ec2-79-125-6-82.eu-west-1.compute.amazonaws.com -U d168639egmjee csjpgbglovnmah
Any idea how can I connect to the postgres DB added in heroku app?
Any help will be appreciated.
My steps I did (psql v. 9.3):
create psql user with password
give him access to relevant databases
allow connection from the outside (psql conf)
and put "hostssl all all 0.0.0.0/0 trust" in pg_hba.conf
Do I need to create a key now to be able to connect?
How can I test that key if it works?
Thanks for help.
Read the documentation.
If you didn't do that already, you'll have to configure the PostgreSQL server for SSL: create server.crt and server.key in the PostgreSQL data directory, set ssl = on in postgresql.conf and restart the server.
You don't need a client certificate or key to connect to the server.
To test if your setup works, just connect with psql.
If SSL is used, it will look as follows:
$ psql -d test -h 127.0.0.1
psql (9.3.13)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
test=#
Change the trust to md5 (EXTREMELY IMPORTANT)
try to connect over psql from another system using different ssl settings (see the psql man page for this).
If you want to require a cert, then there are additional steps to do, but that's not specified in your question. And cert authentication is possible but an advanced topic.
I am trying to configure ssl certificate for PostgreSQL server. I have created a certificate file (server.crt) and key (server.key) in data directory and update the parameter SSL to "on" to enable secure connection.
I just want only the server to be authenticated with server certificates on the client side and don't require the authenticity of client at server side. I am using psql as a client to connect and execute the commands.
I am using PostgreSQL 8.4 and Linux. I tried with the below command to connect to server with SSL enabled
psql "postgresql://localhost:2345/postgres?sslmode=require"
but I am getting
psql: invalid connection option "postgresql://localhost:2345/postgres?sslmode"
What am doing wrong here? Is the way I am trying to connect to server with SSL mode enabled is correct? Is it fine to authenticate only server and not the client ?
psql below 9.2 does not accept this URL-like syntax for options.
The use of SSL can be driven by the sslmode=value option on the command line or the PGSSLMODE environment variable, but the default being prefer, SSL connections will be tried first automatically without specifying anything.
Example with a conninfo string (updated for psql 8.4)
psql "sslmode=require host=localhost dbname=test"
Read the manual page for more options.
psql --set=sslmode=require -h localhost -p 2345 -U thirunas \
-d postgres -f test_schema.ddl
Another Example for securely connecting to Azure's managed Postgres database:
psql --file=product_data.sql --host=hostname.postgres.database.azure.com --port=5432 \
--username=postgres#postgres-esprit --dbname=product_data \
--set=sslmode=verify-full --set=sslrootcert=/opt/ssl/BaltimoreCyberTrustRoot.crt.pem
Well, you could provide all the information with the following command in CLI, if a connection requires in SSL mode:
psql "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem hostaddr=your_host port=5432 user=your_user dbname=your_db"
Found the following options useful to provide all the files for a self signed postgres instance
psql "host={hostname} sslmode=prefer sslrootcert={ca-cert.pem} sslcert={client-cert.pem} sslkey={client-key.pem} port={port} user={user} dbname={db}"
On psql client v12, I could not find option in psql client to activate sslmode=verify-full.
I ended up using environment variables :
PGSSLMODE=verify-full PGSSLROOTCERT=server-ca.pem psql -h your_host -U your_user -W -d your_db
psql "sslmode=require host=localhost port=2345 dbname=postgres" --username=some_user
According to the postgres psql documentation, only the connection parameters should go in the conninfo string(that's why in our example, --username is not inside that string)
psql -h <host> -p <port> -U <user> -d <db>
and update /var/lib/pgsql/10/data/pg_hba.conf to change the auth method to cert. Check the following link for more information:
https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html
Another pattern that worked with v8 is
psql -h host_name -p port -U user_name "dbname=db sslmode=require"