PostgreSQL SSL Configuration - postgresql

I have tried a lot but did't get exact knowledge to copy which files to client side
Getting error " Valid authentication certificate required"
Below is postgres DB server directory
total 80
skipping unwanted directory
-rw-------. 1 postgres postgres 1285 Feb 13 20:16 rootCA.crt
-rw-------. 1 postgres postgres 1168 Feb 13 20:16 server.crt
-rw-------. 1 postgres postgres 1679 Feb 13 20:17 server.key
Below is postgresql.conf file content related to SSL configuration.
[postgres#munmvs2951 raj]$ cat postgresql.conf | grep ssl
ssl = on # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on # (change requires restart)
#ssl_ecdh_curve = 'prime256v1' # (change requires restart)
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
ssl_cert_file = 'server.crt' # (change requires restart)
ssl_key_file = 'server.key' # (change requires restart)
ssl_ca_file = 'rootCA.crt' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
Below is the pg_hba file.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres trust
#host replication postgres 127.0.0.1/32 trust
#host replication postgres ::1/128 trust
#secure client
hostssl postgres postgres clientip/32 md5 clientcert=1
Below is the client side PostgreSQL user home directory from where psql will connect to server.
[postgres#clinet ~]$ ll
total 32
-rw------- 1 postgres postgres 1168 Feb 15 10:27 client.crt
-rw------- 1 postgres postgres 989 Feb 15 10:27 client.csr
-rw------- 1 postgres postgres 1285 Feb 15 11:47 rootCA.crt
-rw------- 1 postgres postgres 1675 Feb 15 11:47 rootCA.key
-rw------- 1 postgres postgres 17 Feb 15 11:47 rootCA.srl
-rw------- 1 postgres postgres 1168 Feb 15 11:47 server.crt
-rw------- 1 postgres postgres 989 Feb 15 11:47 server.csr
-rw------- 1 postgres postgres 1679 Feb 15 11:47 server.key
[postgres#client ~]$ pwd
/home/postgres
when i going to connect, getting below error.
[postgres#client ~]$ /opt/PostgresPlus/9.4AS/bin/psql -U postgres -p5443 -hserverip
psql.bin: FATAL: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "10.80.x.x", user "postgres", database "postgres", SSL off
However, I can access without clientcert=1 in pg_hba file.
Ref:
[postgres#client ~]$ /opt/PostgresPlus/9.4AS/bin/psql -U postgres -p5443 -hserverip
psql.bin (9.4.1.3)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=#
In above successful connection, i think ssl checking only at server side not client side.
but i want to know which files should i copy to PostgreSQL home directory #client side. to check certificate as per clientcert=1
Thanks for your help.

See https://www.postgresql.org/docs/current/libpq-ssl.html
Below is the client side PostgreSQL user home directory from where psql will connect to server
They do not belong in the home directory, they belong in a subdirectory of the home directory named .postgresql. Or in Windows, in a directory named "%APPDATA% \ postgresql". And file rootCA.crt has to be named root.crt, unless you have gone out of your way to change the name/location on the client side configuration, which it doesn't seem you have done (you have changed it on the server side, but that doesn't change it on the client side). And client.crt should be named postgresql.crt and you are missing the key file for it. And the fact that you have a file named rootCA.key in the client's directory is frightening, no one but the CA should have access to that.

Related

Cannot connect Barman to PostgreSQL 12

I have 2 ubuntu-20.04 VM on VMWARE with Postgres 12 installed on each
pgprimary on ip 192.168.1.131
pgbackup on ip 192.168.1.130
barman CLI tools are installed on pgprimary
barman is installed on pgbackup
I want to backup data from pgprimary on pgbackupsame 2 users as Postgress users
on each machine I created
2 Linux sudoist users
useradd barman
useradd streaming_barman
also created the same two user as Postgress users
createuser --superuser --replication -P barman
createuser --superuser --replication -P streaming_barman
here are relevant parts on the configuration files
On pgprimary
postgressql.conf
listen_addresses = '*' # what IP address(es) to listen on;
port = 5432
archive_mode = on
archive_command = 'cp %p /var/lib/postgresql/12/arc/%f'
wal_level = replica
restore_command = 'cp /var/lib/postgresql/12/arc/%f %p'
recovery_target_time = '2021-03-24 16:18:11.319298+05:30'
recovery_target_inclusive = false
pg_hba.conf
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
#local replication all peer
#host replication all 127.0.0.1/32 md5
#host replication all ::1/128 md5
# FOR TESTING
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
also did
firewall-cmd --permanent --add-port=5432/tcp
firewall-cmd --reload
========================
con
On pgbackup
sudo cat <<'EOF' >> /etc/barman.d/pgprimary.conf
[pgprimary]
description = "Example of PostgreSQL Database (Streaming-Only)"
conninfo = host=192.168.1.131 user=barman dbname=training
streaming_conninfo = host=192.168.1.131 user=streaming_barman dbname=training
backup_method = postgres
streaming_archiver = on
slot_name = barman
create_slot = auto
EOF
pg_hba.conf
cat <<'EOF' >>~/.pgpass
pgprimary:*:*:barman:barman
pgprimary:*:*:streaming_barman:barman
EOF
Then I did
barman cron
Output
Starting WAL archiving for server pgprimary
Starting streaming archiver for server pgprimary
barman check pgprimary
Then I get this error
[13643] barman.utils WARNING: Failed opening the requested log file. Using standard error instead.
Server pgprimary:
2021-10-30 21:39:15,982 [13643] barman.server ERROR: Check 'WAL archive' failed for server 'pgprimary'
WAL archive: FAILED (please make sure WAL shipping is setup)
2021-10-30 21:39:37,006 [13643] barman.postgres WARNING: Error retrieving PostgreSQL status: connection to server at "192.168.131" (192.168.0.131), port 5432 failed: Connection refused
2021-10-30 21:39:58,021 [13643] barman.server ERROR: Check 'check timeout' failed for server 'pgprimary'
check timeout: FAILED (barman check command timed out)
Why cannot connect barman to the server ?
UPDATE:
psql -h 192.168.1.131 -U barman -d training
Password for user barman:
psql (12.8 (Ubuntu 12.8-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
I also can connect to server via netstat

Is it needed to use more than one computer for master slave replication?

I am trying to create master slave replication physically with postgresql11 in debian10. I got same errors from different linux dists so is it something related making the replication in same computer? Or something related with master-slave accounts ?
root#dlp:~# vi /etc/postgresql/11/main/postgresql.conf
listen_addresses = '*'
wal_level = replica
synchronous_standby_names = '*'
wal_keep_segments = 10
I configured the pg_hba.conf as follows:
#host replication all 127.0.0.1/32 md5
#host replication all ::1/128 md5
host replication rep_user 127.0.0.1/32 trust
host replication rep_user 10.0.0.30/32 trust
host replication rep_user 10.0.0.51/32 trust
After this segment:
#i didnt create new user as node1 i just used my root/postgres account for all the processes
root#node01:~# systemctl stop postgresql
root#node01:~# rm -rf /var/lib/postgresql/11/main/*
root#node01:~# su - postgres
postgres#node01:~$ pg_basebackup -R -h dlp.srv.world -U rep_user -D /var/lib/postgresql/11/main -P
I got the following error:
pg_basebackup: could not connect to server: could not connect to server: Connection refused
Is the server running on host "dlp.srv.world" (180.43.145.38) and accepting
TCP/IP connections on port 5432?
also in the root account postgres is working fine but i doest show that port 5432 listening?
netstat -nlt
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
when i check the status of "postgresql" is says active but when i type :
systemctl status postgresql#11-main
Dec 14 06:20:52 debian postgresql#11-main[6260]: Error: /usr/lib/postgresql/11/bin/pg_ctl /
Dec 14 06:20:52 debian postgresql#11-main[6260]: pg_ctl: directory "/var/lib/postgresql/11/
Dec 14 06:20:52 debian systemd[1]: postgresql#11-main.service: Can't open PID file /run/pos
Dec 14 06:20:52 debian systemd[1]: postgresql#11-main.service: Failed with result 'protocol
Dec 14 06:20:52 debian systemd[1]: Failed to start PostgreSQL Cluster 11-main.
i got that error.

Cannot run psql in PostgreSQL 9.5

I am using PostgreSQL 9.5 on Ubuntu 16.04 LTS.
I receive the below error when I type psql:
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
On checking the logs in /var/log/postgresql/postgresql-9.5-main.log, I see the error as:
2018-11-26 13:17:41 IST [3508-1] FATAL: could not access private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
Below are the permissions of the /etc/ssl/private and ssl-cert-snakeoil.key files:
vivek#vivek-ThinkPad-E480:~$ ls -l /etc/ssl
total 36
drwxr-xr-x 2 root root 20480 Nov 22 13:06 certs
-rwxr-xr-x 1 root root 10835 Dec 8 2017 openssl.cnf
drwxr--r-- 2 root ssl-cert 4096 Nov 22 13:06 private
vivek#vivek-ThinkPad-E480:~$ sudo ls -l /etc/ssl/private
total 4
-rw-r----- 1 root ssl-cert 1704 Nov 22 13:06 ssl-cert-snakeoil.key
The postgres user is also added to the group ssl-cert.
vivek#vivek-ThinkPad-E480:~$ getent group ssl-cert
ssl-cert:x:112:postgres
NOTE: I found that there is no server.key present in /var/lib/postgresql/9.5/main.
I also posted this on DBA Stackexchange, but no response as yet.
Can anyone guide me in the right direction in setting permissions?
That can never work, and your server will not be able to start, because the OS user postgres has no permissions to access files in etc/ssl/private.
To allow users in the group ssl-cert to access files in the directory, run
chmod g+x /etc/ssl/private
While you're at it, make sure that /etc/ssl has the required permissions.
To test if everything works, become user postgres and try to read the file.

Postgres replication not starting due to wal error

I am using postgres version 9.3.2 on two servers one master, one primary.
I am setting up replication as follows:-
On master:-
sudo -u postgres psql -c "CREATE USER replicator REPLICATION LOGIN ENCRYPTED PASSWORD 'FOO’;"
Edit postgresql.conf
listen_address = '*'
wal_level = hot_standby
max_wal_senders = 32
checkpoint_segments = 8
wal_keep_segments = 100
Edit pg_hba.conf
hostssl replication replicator <SLAVE IP>/32 md5
On Slave:-
Edit postgresql.conf
wal_level = hot_standby
max_wal_senders = 3
checkpoint_segments = 8
wal_keep_segments = 8
hot_standby = on
Run
sudo service postgresql stop
sudo -u postgres rm -rf /var/lib/postgresql/9.3/main
sudo -u postgres pg_basebackup -h <MASTER IP> -D /var/lib/postgresql/9.3/main -U replicator -v -P
CREATE /var/lib/postgresql/9.3/main/recovery.conf
standby_mode = 'on'
primary_conninfo = 'host=<MASTER IP> port=5432 user=replicator password=FOO sslmode=require'
trigger_file = '/tmp/postgresql.trigger'
Run:-
sudo service postgresql restart
When I restart postgres on the slave I get this error message:-
LOG: database system was shut down at 2015-01-14 09:10:50 GMT 2015-01-14 09:11:01 GMT [16741-2]
LOG: entering standby mode 2015-01-14 09:11:01 GMT [16741-3] WARNING: WAL was generated with wal_level=minimal, data may be missing 2015-01-14 09:11:01 GMT [16741-4] HINT: This happens if you temporarily set wal_level=minimal without taking a new base backup. 2015-01-14 09:11:01 GMT [16741-5]
FATAL: hot standby is not possible because wal_level was not set to "hot_standby" on the master server 2015-01-14 09:11:01 GMT [16741-6] HINT: Either set wal_level to "hot_standby" on the master, or turn off hot_standby here. 2015-01-14 09:11:01 GMT [16740-1]
LOG: startup process (PID 16741) exited with exit code 1 2015-01-14 09:11:01 GMT [16740-2] LOG: aborting startup due to startup process failure ... failed!
Why is this happening? I have checked and rechecked that on the master wal_level is set to hot_standby. On the master running "show all" shows that this is the case? I am at a loss as to what I am doing wrong here.
You have to restart primary database again to let the current WAL file replayed on the standby, since this WAL file was generated when wal_level=archive.

postgres: localhost not connecting

My postgreSQL.conf looks like
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost', '*' = all
# (change requires restart)
port = 5432 # (change requires restart)
and I also know that postgres is running
air:data postgres$ ps -aef | grep postgres
504 16474 16473 0 11:34AM ?? 0:00.00 postgres: logger process
504 16476 16473 0 11:34AM ?? 0:00.00 postgres: writer process
504 16477 16473 0 11:34AM ?? 0:00.00 postgres: wal writer process
504 16478 16473 0 11:34AM ?? 0:00.00 postgres: autovacuum launcher process
504 16479 16473 0 11:34AM ?? 0:00.00 postgres: stats collector process
0 16087 16078 0 10:54AM ttys001 0:00.03 su - postgres
504 16473 1 0 11:34AM ttys001 0:00.22 /Library/PostgreSQL/9.1/bin/postgres -D/Library/PostgreSQL/9.1/data
504 16484 16088 0 11:34AM ttys001 0:00.00 grep postgres
But I am not able to connect
psql -Uuser -W
Password for user user:
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/pgsql_socket/.s.PGSQL.5432"?
Also, when I run the following
lsof -i tcp:5432
✘ me#air11:37:13 ⮀ ~ ⮀ netstat -a | grep postgres
tcp6 0 0 *.postgres *.* LISTEN
tcp4 0 0 *.postgresql *.* LISTEN
It says nothing running on port 5432
What am I missing?
UPDATE
My pg_hba.conf looks like
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
In pg_hba.conf:
host all all 127.0.0.1/32 trust
last column change to trust
You need to use the psql program that comes that the PostgreSQL package that you installed instead of the psql in the /usr/bin directory that is part of the Apple system.
For example, if using postgres.app, they say in their documentation:
Mac OS 10.7 ships with an older version of PostgreSQL, which can be
started with the following command:
$ psql -h localhost PostgreSQL ships with a constellation of useful
binaries, like pg_dump or pg_restore, that you will likely want to
use. Go ahead and add the /bin directory that ships with Postgres.app
to your PATH (preferably in .profile, .bashrc, .zshrc, or the like to
make sure this gets set for every Terminal session):
PATH="/Applications/Postgres.app/Contents/MacOS/bin:$PATH"
Once your
path is correctly set up, you should be able to run psql without a
host. (If not, check that the correct version is being loaded in the
PATH by doing which psql)
If using another source of pre-packaged postgresql, it's the same thing with different paths.
Not sure why this was happening, but I found postgresapp.com which is pretty good to use
I am using this with http://www.pgadmin.org/ and I am running it smoothly so far
you can try to stop service and agian start the service. once you reload the configuration file. check again while it is working or not.