First of all, question is languate-agnostic. I'm trying to write a simple application that connects to PostgreSQL using SSL.
I created certificates using scripts:
# Create CA private key
openssl genrsa -des3 -out root.key 4096
#Remove a passphrase
openssl rsa -in root.key -out root.key
# Create a root Certificate Authority (CA)
openssl \
req -new -x509 \
-days 365 \
-subj "/CN=localhost" \
-key root.key \
-out root.crt
# Create server key
openssl genrsa -des3 -out server.key 4096
#Remove a passphrase
openssl rsa -in server.key -out server.key
# Create a root certificate signing request
openssl \
req -new \
-key server.key \
-subj "/CN=localhost" \
-text \
-out server.csr
# Create server certificate
openssl \
x509 -req \
-in server.csr \
-text \
-days 365 \
-CA root.crt \
-CAkey root.key \
-CAcreateserial \
-out server.crt
I created a database using:
init.sql
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE TABLE TESTING_DATA (
ID SERIAL PRIMARY KEY,
UUID UUID UNIQUE NOT NULL DEFAULT uuid_generate_v4(),
NAME TEXT NOT NULL,
INFO NUMERIC(3, 2)
);
INSERT INTO TESTING_DATA (NAME, INFO)
VALUES
('Notebook', 1),
('Office supplies', 2),
('Pencil', 2),
('Office supplies', 1),
('Eraser', 1),
('Coffee', 1),
('Cookies', 2),
('Puzzles', 5)
;
postgresql.conf
ssl = on
ssl_ca_file = '/etc/postgres/security/root.crt'
ssl_cert_file = '/etc/postgres/security/server.crt'
ssl_key_file = '/etc/postgres/security/server.key'
password_encryption = scram-sha-256
pg_hba.conf
local all all md5
host all all 127.0.0.1/32 md5
hostssl all all 0.0.0.0/0 cert clientcert=1
Dockerfile
FROM postgres:12-alpine
ENV POSTGRES_USER=pguser
ENV POSTGRES_PASSWORD=pgpassword
ENV POSTGRES_DB=securitylearning
COPY pg_hba.conf postgresql.conf /etc/postgresql/config/
COPY --chown=postgres:postgres root.crt server.crt server.key /etc/postgres/security/
COPY init.sql /docker-entrypoint-initdb.d/
EXPOSE 5432
CMD ["postgres", "-c", "config_file=/etc/postgresql/config/postgresql.conf", "-c", "hba_file=/etc/postgresql/config/pg_hba.conf"]
I launched a container, I ensured that from the container itself I can connect to database and select something from the table.
I created a simple program:
server.go
package main
import (
"database/sql"
"fmt"
_ "github.com/lib/pq"
)
func main() {
connection := fmt.Sprint(
" host=localhost",
" port=5432",
" user=pguser",
" dbname=securitylearning",
" sslmode=verify-full",
" sslrootcert=root.crt",
" sslkey=client.key",
" sslcert=client.crt",
)
db, err := sql.Open("postgres", connection)
defer db.Close()
if err != nil {
panic(err)
}
err = db.Ping()
if err != nil {
panic(err)
}
row := db.QueryRow("SELECT * FROM TESTING_DATA")
fmt.Println(row)
}
I tried to:
place files root.crt, server.crt, server.key next to the compiled binary and add to the connection string in go file sslrootcert, sslcert, sslkey respectively
place same files, but with names root.crt, postgresql.crt, postgresql.key in ~/.postgresql/ directory, because pq uses them by default.
For now, it's not working. I randomly get one of those two errors:
read: connection reset by peer
or
EOF
Could you please help? What am I missing here? Or could you point me to some resources? Thanks in advance.
Update 1
Thanks to suggestion in comments, I created client key and certificate, using
# Create client key
openssl genrsa -out client.key 4096
#Remove a passphrase
openssl rsa -in client.key -out client.key
# Create client certificate signing request
openssl \
req -new \
-key client.key \
-subj "/CN=172.17.0.2" \
-out client.csr
# Create client certificate
openssl \
x509 -req \
-in client.csr \
-CA root.crt \
-CAkey root.key \
-CAcreateserial \
-days 365 \
-text \
-out client.crt
I'm using 172.17.0.2 in CN, because it's host IP from docker container's perspective.
I've tried both:
using following keys in connection string from program
" sslrootcert=root.crt",
" sslkey=client.key",
" sslcert=client.crt",
copying root.crt, client.key, client.srt to ~/.postgresql/, trying psql with
psql "host=localhost port=5432 user=pguser dbname=securitylearning sslmode=verify-full sslrootcert=root.crt sslkey=client.key sslcert=client.crt"
or without password.
Both ways still fail to connect. In psql case I get error
psql: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request.
Thanks to suggestions in comments I managed to solve it.
First of all, as suggested, I stepped back and tried to proceed with smaller steps. Such as, securely connect with psql from host.
Mistake 1
I forgot to add the following property to postgresql.conf
listen_addresses = '*'
The documentation says:
If the list is empty, the server does not listen on any IP interface at all, in which case only Unix-domain sockets can be used to connect to it.
Mistake 2
I fell into a little misconception with certificates and their common names (CN). The following points should be applied to scripts that create certificates. In short:
CN for CA can be anything as long as it is different from the server's
CN. See this question and answer for details
CN for server must be IP/hostname by which we will call server from client (here it's localhost. But if the database would be located at
cooldatabase.com <- this would be server's CN)
CN for client must be username by which we will connect (here, it's
pguser)
When I fixed these two issues - I managed to connect via both psql and go program! Also, the default postgresql.conf is very informative!
I am using Kong 10.x with datastore postgresql 9.6.
I want to establish ssl connection between kong and it's datastore postgresql.
But I get the following errors:
Postgresql Error:
LOG: could not accept SSL connection: tlsv1 alert unknown ca
Error from kong:
/usr/local/share/lua/5.1/kong/cmd/migrations.lua:34: [postgres error] could not retrieve current migrations: [postgres error] connection refused
Below are my Kong and Postgresql Configurations:
Kong:
# Kong configuration file
# DATASTORE
database = postgres
pg_host = 10.0.1.191
pg_port = 5432
pg_user = kong
pg_password = kong
pg_database = kong
pg_ssl = on
pg_ssl_verify = on
# DEVELOPMENT & MISCELLANEOUS
lua_ssl_trusted_certificate = /opt/postgres_ssl/postgresql.crt # Absolute path to the certificate
Postgresql:
pg_hba.conf:
hostssl all all 10.0.1.191/32 md5 clientcert=1
postgresql.conf:
listen_addresses = '10.0.1.191'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Certificate Generation Procedure:
openssl genrsa -passout pass:mypass -des3 -out server.key 1024
openssl rsa -passin pass:mypass -in server.key -out server.key
chmod 400 server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=IN/ST=Maharastra/L=Mumbai/O=Development/CN=10.0.1.191'
cp server.crt root.crt
openssl genrsa -passout pass:iotadmin -des3 -out postgresql.key 1024
openssl rsa -in postgresql.key -out postgresql.key -passin pass:mypass
openssl req -new -key postgresql.key -days 3650 -out postgresql.csr -subj '/C=IN/ST=Maharastra/L=Mumbai/O=Development/CN=kong'
openssl x509 -req -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
The error message says that Kong doesn't trust the CA which signed the certificate of the database. This doesn't surprise much, because it only knows the latter, but not the certificate of the CA.
Try using the root certificate for your lua_ssl_trusted_certificate config entry and it should work:
lua_ssl_trusted_certificate = /path/to/your/root.crt
I have hosted git repository on Apache Http server and I have used Basic Authentication and git (git-http-backend.exe).
I can clone, pull, push using command promt by providing username and password but
When,
I tried to clone through eclipse (mars.1) is showing
401 Unauthorized
Below is my httpd.conf
SetEnv GIT_PROJECT_ROOT C:/Repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
"C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend.exe/$1"
# Authentication
<LocationMatch "^/.*/git-receive-pack$">
Options +ExecCGI
#Options +Indexes +FollowSymLinks +ExecCGI
AuthType Basic
AuthName "Git Login"
AuthUserFile "C:/Apache24/bin/gituserpass.git"
Require user ensys
Require valid-user
</LocationMatch>
<LocationMatch "^/.*/git-upload-pack$">
Options +ExecCGI
#Options +Indexes +FollowSymLinks +ExecCGI
AuthType Basic
AuthName "Git Login"
AuthUserFile "C:/Apache24/bin/gituserpass.git"
Require user ensys
</LocationMatch>
<Directory />
Require all granted
</Directory>
It is a bug that has beend adressed here. Basically, the private git servers got broken following an update on Git that made it do a pre-verification of credentials (using stored or en-cache passwords). The password then gets modified/removed, and the final server (your git server in your case) throws a 401.
I would like to use svn server to share source code in a repository among computers on a home network. I have svnserver and openssl installed on the computer with the repository. Can someone give me step by step instructions on generating a certificate, incorporating into svnserver, putting the certificate on the other computers, and accessing the repository from eclipse.
The computers are running versions of windows.
I'm following the steps at
http://community.spiceworks.com/how_to/show/1469-how-to-become-your-own-certificate-authority-and-secure-spiceworks
and have put the following commands into a script file for cygwin
# Generate CA root certificate
openssl req -new -x509 -extensions v3_ca \
-keyout cakey.pem -out cacert.pem -days 3650
# Move to /etc/ssl
mv cakey.pem /etc/ssl/private
mv cacert.pem /etc/ssl/certs.
# Generate Secure and Insecure Keys
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
At this point, I think I copy the contents of server.key and server.key.insecure into the file
C:\Program Files (x86)\VisualSVN Server\certs\server.pem
but, I'm not sure about that. Also, what file do I copy to the other computers and how to connect eclipse to the repository.
Also, is there an easier way to do this besides using svnserver, since all the machines are on the same home network, and they are running versions of windows?
I know there are a few questions related to this topic on the Internet but I just still cannot solve the problem after digging them out.
On the server side, I have a repository located at: /opt/gitrepo/kindtest.git, and in /etc/apache2/conf.d/git, I wrote:
Alias /gitrepo /opt/gitrepo
SetEnv GIT_PROJECT_ROOT /opt/gitrepo/
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAliasMatch \
"(?x)^/gitrepo/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
"/usr/lib/git-core/git-http-backend/$1"
<Location /gitrepo>
Options +Indexes +FollowSymLinks +ExecCGI
#AuthType Basic
#AuthName "git repository"
#AuthUserFile /var/git/.htpasswd
</Location>
After restarted apache, I could view my git repositories in a browser by http:///gitrepo/.
However when I tried to use eclipse to do a http push to http:///gitrepo/kindtest.git, I always got an error saying remote does not support smart http push.
Extra info: I have also had gitweb enabled by /etc/apache2/conf.d/gitweb:
Alias /gitweb /usr/share/gitweb
<Directory /usr/share/gitweb>
Options FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
AuthType Basic
AuthName "Gitweb"
AuthUserFile /home/.htpasswd
Require valid-user
</Directory>
Server side: git version 1.7.9.5, and in kindtest.git/config:
[core]
repositoryformatversion = 0
filemode = true
bare = true
[http]
getanyfile = true
uploadpack = true
receivepack = true
Client side: eclipse with egit
Is there anything I have missed?
I finally figured this out, it was git-http-backend that wasn't functioning so smart http was alwasy disabled. I removed the line "Alias /gitrepo /opt/gitrepo" which overlaps the second ScriptAlias. Now I can use egit to push source to remote server.