We have a Windows EC2 instance on which we are running a custom command line application (C# console app using NpgSQL) to connect to a PostgreSQL RDS instance. Based on the instructions here:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL
we created a new DB parameter group with rds.force_ssl set to 1 and rebooted our RDS instance. We also downloaded and imported to Windows the pem file referenced on the page.
I was able to connect to the RDS instance from my Windows EC2 instance via pgAdmin by specifying SSL mode as Verify-Full. Our command-line application reads connection strings from a file and they look like this now that I've added the sslmode parameter:
Server=OurInstanceAddress;Port=5432;SearchPath='$user,public,topology';Database=OurDatabase;User Id=username;Password=mypassword;sslmode=verify-full;
Using this connection string failed with the error referenced at the bottom of the page:
FATAL: no pg_hba.conf entry for host "host.ip", user "someuser", database "postgres", SSL off
I tried adding the sslrootcert parameter, but I'm not sure if I'm dealing with it properly. I tried using the example (sslrootcert=rds-ssl-ca-cert.pem) and I tried using the name of the pem that I downloaded. I feel like there is something about the path information that I'm giving to the sslrootcert parameter that isn't right, especially in a Windows environment. I've tried using the name, I've tried using the following paths:
- sslrootcert=C:\keys\rds-combined-ca-bundle.pem - single backslash
- sslrootcert=C:\\\keys\\\rds-combined-ca-bundle.pem - double backslash
- sslrootcert=C:/keys/rds-combined-ca-bundle.pem - Linux style backslash
All of these produced the same error mentioned above.
Any insight would be appreciated.
I solved it using the environment variables instead for specifiying cert paths in connection url
-DPGSSLROOTCERT=/certs/root.crt
-DPGSSLKEY=/certs/amazon-postgresql.key
-PGSSLCERT=/certs/amazon-postgresql.crt
Although I'm in cygwin. There are some hints in the documentation when using windows here https://www.postgresql.org/docs/9.0/static/libpq-ssl.html
Related
We have a Golang app built with Gorm that connects with PostgreSQL 14 (hosted in the same machine) with an SSL mode of verify-full. The certificates were issued by ZeroSSL, and generated with the help of Acme.sh. In the PostgreSQL configuration, we have set the following certificate-related variables:
ssl = on
ssl_cert_file = '/etc/ssl/certs/our-certificate.pem'
ssl_key_file = '/etc/ssl/private/our-certificate.key'
The Golang app and the PostgreSQL server are hosted in an Ubuntu 20.04 machine.
Our Golang app depends on a bunch of environment variables for, among others, database passwords and usernames. When we pass those variables to our app directly, i.e.:
DB_HOST=dbhost DB_NAME=dbname DB_USERNAME=username DB_PASSWORD=123456789 [...] ./go-app
Everything works well.
On the other hand, we also tried exporting those variables first. Exporting the variables is done by putting the variables inside an env file first, then doing the following:
set -a
source env-file.env
set +a
The environment variables are exported now at this point, and we can echo the variables from the terminal.
Unfortunately, when our Golang app reaches the point where it would attempt to connect with the PostgreSQL server, we would get the following error message:
error="failed to connect to `host=dbhost user=username database=dbname`: failed SASL auth (FATAL: password authentication failed for user \"username\" (SQLSTATE 28P01))"
I have already logged the contents of the exported database-related environment variables to the console, and they were of the same values as the variables directly passed to the process.
Why does this happen? It's a weird behaviour for me, but I believe I am simply lacking some necessary information.
I connect to my PostgreSQL databases (which run on AWS EC2 instances) using certificate authentication (and not passwords). An example of a psql command I would use to connect to one of my databases is:
psql "host=<AWS EC2 instance> user=<db user> sslcert=<path to .crt> sslkey=<path to .key> sslrootcert=<path to .crt> sslmode=require dbname=<db name>"
I would like to be able to connect Tableau Desktop to one of my databases. The standard PostgreSQL connector does not allow me to specify which SSL certs to use (but it does have a Require SSL checkbox - which I think is for encryption not authentication).
So I have tried to use the ODBC connector. I make the following entries:
Connect Using
Driver: PostgreSQL Unicode
Connection Attributes
Server: <AWS EC2 instance>
Port: 5432
Database: <db name>
Username: <db user>
String Extras: sslcert=<path to .crt>; sslkey=<path to .key>; sslrootcert=<path to .crt>; sslmode=require
By much trial and error I think the String Extras require a semicolon as a delimiter, but I still cannot connect. I get the error message:
An error occurred while communicating with Other Databases (ODBC).
Unable to connect to the server. Check that the server is running and that you have access privileges to the requested database.
FATAL: connection requires a valid client certificate
Generic ODBC requires additional configuration. The driver and DSN (data source name) must be installed and configured to match the connection.
Unable to connect to the server "<AWS EC2 instance>" using the driver "PostgreSQL Unicode". Check that the server is running and that you have access privileges to the requested database.
I would be really grateful to hear from anyone who has connected Tableau Desktop to PostgreSQL using certificate authentication and could tell me what I’m doing wrong. Cheers!
I managed to fix this myself, and just in case there's someone out there who might be vaguely interested I'll go through the salient features:
1. Created a DSN (Data Store Name)
This made testing much easier rather than constantly retyping details into dialog boxes.
Rather than create manually I used this: http://www.odbcmanager.net/
On Mac OS I had to run it as sudo from the terminal or it wouldn't create anything.
I created a User DSN, which on my Mac have details stored in /Users/<user name>/.odbc.ini
It picked up the PostgreSQL Unicode driver that I'd previously installed. On Mac OS you might need to do brew install brew install psqlodbc and/or brew install unixodbc
Most of the configuration was specified by adding key/value pairs e.g. DBNAME <db name>
Set SSLMODE verify-ca (changed from require to make behaviour specific - psql assumes verify-ca/verify-full if SSL certs are supplied)
The cert paths are set with key Pqopt, value sslcert=<path to .crt> sslkey=<path to .key> sslrootcert=<path to .crt>. Must be lower case and only spaces between entries!
Here's what it added to my user's odbc.ini file:
[<DSN name>]
Driver = <path to driver, this was mine /usr/local/lib/psqlodbcw.so>
Description = <description>
SSLMODE = verify-ca
HOST = <host>
DBNAME = <database>
PORT = 5432
UID = <db user>
Pqopt = sslcert=<path to .crt> sslkey=<path to .key> sslrootcert=<path to .crt>
2. Tableau Desktop Connection
Select Other Database (ODBC) connector.
Select the DSN you created previously (it should be automatically picked up), it will automatically populate host, port, db and user fields, then click Sign In.
Once signed in behaviour was slightly different to the dedicated PostgreSQL connector. Tables did not appear on left-hand side initially. But they are accessible - they can all be displayed by clicking on the 'contains' radio button and searching with a blank name.
Hope this helps. Let me know if you've got any questions.
I'm attempting to connect to a Postgres database that requires the client pass the paths to client and server SSL certificates using the ODBC driver for postgres. I'm using psqlodbc v11 x86 on Windows 10. I need to have three options passed to the ODBC driver sslrootcert, sslcert, and sslkey. I know that the paths are not being passed by the odbc driver since when I connect using the following connection string where I specify the pqopts it is able to connect.
Driver={PostgreSQL UNICODE};Server=XXXX;Port=5432;Database=XXXX;Uid=XXXX;Pwd=XXX;sslmode=verify-ca;pqopt={sslrootcert=C:\\ssl\\pgSQL.ca.cert sslcert=C:\\ssl\\pgSQL.cert sslkey=C:\\ssl\\pgSQL.key}
According to the document section
Advanced Options 3/3 Dialog Box->Libpq parameters, I should be able to pass the parameters by typing the values within the braces directly into the text box. It displays the error message saying that it cannot find the certificate because it is looking in the default location and is not using the value that was provided in the Libpq text box. Am I doing something wrong? Any advise on how to connect passing client certificates would be greatly appreciated.
Answering this in case anyone else finds this useful. The problem seems to be that the Test button on the ODBC Driver doesn't take the options set in the libpq parameters into account and just uses the default settings. When I saved the ODBC connection closed the ODBC Data Source Administrator window and used the connection from a different program it was able to connect successfully.
For a system that I am using, I run into the problem pasted on the title when I try to drop a database and recreate it. More specifically, this is the exact problem that I am facing:
Couldn't drop staging_databse : #<PG::ConnectionBad: FATAL: no pg_hba.conf entry for host xxx.xx.xxxx.xxx, user "ruby", database "postgres", SSL off
I've done some research regarding this problem and it seems that the solution is simply to turn on SSL. I've consulted Postgresql Documentation on pg_hba.conf but I'm unable to find this configuration file.
I typed in locate postgresql and I noticed that there is a postgresql-client-9.2 installed on the system. From what I have determined, I won't find this pg_hba.conf file because the client doesn't have it. I've also looked for the postgresql.conf file on SSL according to the official documentation but this file is not included either.
Finally, the documentation shows me this configuration option of the pgsql 9.2 client shown below:
libpq reads the system-wide OpenSSL configuration file. By default,
this file is named openssl.cnf and is located in the directory reported by
openssl version -d. This default can be overridden by setting environment
variable OPENSSL_CONF to the name of the desired configuration file.
However, this too isn't in my system. I've run the linux find command and this file doesn't seem to be there. I've run out of leagues and I have a sneaking suspicion that I am overlooking something very simple. Is there any other leads I can go on? Thanks.
Based on this message and the rest of the context:
FATAL: no pg_hba.conf entry for host xxx.xx.xxxx.xxx, user "ruby", database "postgres", SSL off
It looks plausible that:
you're connecting to a remote PostgreSQL instance which you don't administrate because you're acting as developer, not admin.
the db management layer tries to connect to the database named postgres in order to drop another database (staging_database) . It's necessary indeed because we can't drop a database when we're connected to it (in fact, a database can't be dropped when anyone is connected to it).
the admin policy established by the remote pg_hba.conf is such that your login and IP address together are not allowed to connect to the database named postgres
These facts combined together imply that you're missing the necessary rights to drop your database, even if indirectly.
At this point you want to submit the problem to the admin responsible for that PostgreSQL server.
We have set up postgres 9.0 on our new debian 6.0 server
We want to remotely connect to this database server.
We followed the steps in the below url
http://www.ubuntugeek.com/howto-setup-database-server-with-postgresql-and-pgadmin3.html
But when restart our database it thows the foloowing error
authentication option not in name=value format: sameuser
Any advice on how to access database server remotely using pgadmin 3 would be much appreciated
According to this link, there was changed format of configuration file pg_hba.conf. Remove, please, keyword sameuser from it.