I'm receiving the following error when connecting to an AWS Postgres database that requires SSL. I recently upgraded from npgsql 2.3.2 (which was buggy) to 3.0.3 which won't connect. Any suggestions would be appreciated.
DataSource.Error: TlsClientStream.ClientAlertException:
CertificateUnknown: Server certificate was not accepted. Chain status:
A certificate chain could not be built to a trusted root authority. .
at TlsClientStream.TlsClientStream.ParseCertificateMessage(Byte[] buf,
Int32& pos) at
TlsClientStream.TlsClientStream.TraverseHandshakeMessages() at
TlsClientStream.TlsClientStream.GetInitialHandshakeMessages(Boolean
allowApplicationData) at
TlsClientStream.TlsClientStream.PerformInitialHandshake(String
hostName, X509CertificateCollection clientCertificates,
RemoteCertificateValidationCallback
remoteCertificateValidationCallback, Boolean
checkCertificateRevocation) Details:
DataSourceKind=PostgreSQL
I was able to fix the issue by installing the Amazon RDS public certificate on my machine. Once I did this, I was able to connect.
Steps I followed:
Download the AWS RDS public certificate 1
Create a .crt file from the .pem file downloaded. Sample instructions
here 2
Install the certificate (.crt file) on the machine. 3
Connect!
The docs from npgsql give the solution as changing the default trust server certificate of 'false' to 'true' in the connection string.
Unfortunately, neither Excel (AFAIK) nor Power BI will allow you to edit the connection string. So if you are unable to get the SSL certificate from the DB admin (as suggested in another answer), or the SSL cert has a different server name to the name you connect to (in my case an IP address), there is not much that can be done.
I can see two ways of fixing this. Either Shay & co from npgsql (who are doing an excellent job btw) provide some way for users to change the default settings for the connection string parameters. Or Microsoft allows users to send keywords in the connection dialog of Power BI (and Excel).
Npgsql 2.x didn’t perform validation on the server’s certificate by default, so self-signed certificate were accepted. The new default is to perform validation, which is probably why your connection is failing. Specify the Trust Server Certificate connection string parameter to get back previous behavior.
You can read more on the Npgsql security doc page, note also that this change is mentioned in our migration notes.
I had the same issue connecting PowerBI to a locally hosted PostgreSQL server and it turned out to be easy to solve if you can get the right information. Recent Npgsql versions will only connect over SSL if it trusts the certificate of the server. As a Windows application PowerBI uses the windows certificate store to decide what to trust. If you can get the SSL cert for the PostgreSQL server (or the CA cert used to sign that one) then tell Windows to trust that certificate, PowerBI will trust it too.
In the configuration folder for the PostgreSQL server there is a postgresql.conf file, search it for ssl settings, there is one with the location of the ssl cert. Note NOT the key file which contains the private key, only the cert file which contains the public key. copy it or its content to the machine running PowerBI and import using Run | mmc | Add Plugin... Certificates (Google it)
Look at the server name once you imported the cert and connect from PowerBI using the same server name (so the cert matches the connection). That solved the problem for me. If PostgreSQL is configured to insist on a SSL connection you might have to do the same for a ODBC connection too.
Its not best way but worked for me since if u dont need encryption for security reason.
Go to Postgres config file on your DB server and go from
ssl = true
to
ssl = false
Then open your power bi desktop File-> Options and settings -> Data source settings -> then in global you will have saved your connection press Edit Permissions and uncheck "ENCRYPT CONNECTIONS"
Then it will work
WARNING: THIS IS NOT RECOMMENDED IF YOUR DB IS OPEN TO PUBLIC.
Regards,
Davlik
Related
I am creating a Linked Service to connect to BigQuery with Service Account authentication and p12 file has already been placed in IR VM directory.
Receiving following error:
ERROR [HY000] [Microsoft][DriverSupport] (1160) Cannot enable SSL for the connection when connecting to a server that has not enabled SSL. If the server has SSL enabled, please check if it has been configured to use a SSL protocol version that is lower than what is allowed for the connection. The minimum SSL protocol version allowed for the connection is: TLS 1.2.
But when i place p12 file in another IR VM, linked service is working correctly.
Tried to check TLS version in both VM's and everything looks same.
Please suggest ways to check SSL and TLS version in VM's and how to resolve this issue.
Based on the error message it seems the issue might be w.r.t SSL certificate so 1st step would be to compare the SSL/TLS across both the servers
In case if they are same, would suggest to monitor the traffic across both the server when trying to access GCP Big Query.
You might get the exact cause of failure which can be like :
Firewall blockage
some missing set up like Big query need Google_base set up as a signature
etc.
You could create a PowerShell script that checks the TLS & SSL registry entries mentioned in the following documentation:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Even if after enabling TLS/SSL settings the same issue arises then please try re-installing IR in the VM
we are running a Windows Server 2019 with PostgreSQL. I want to use SSL so the connection between our database and another server within the domain is secure.
I configured the postgresql.conf and pg_hba.conf and provided a .cert and .key file (postgresql.conf) and the ip adress for the hostssl in the pg_hba.conf.
The other server finds the configuration and also the certificate - if the SSL seetibgs are set to "require".
When I change it to "ca" or "full" I get an error message that the certificate cant be found or is not valid.
My question(s):
Do I need to provide a CA File aswell? I have a RootCA2015 file - is it that one? Do I maybe need to name it "root.crt" specifically? Can it be at any place as long I configure the path or does it need to be in a specific path?
What else could be a reason a certificate is not valid in that case? Initially I got a .cer file which I converted to a .crt file with openssl.
Is it possible to use the Trust Store of the OS directly? The certificates are installed but the other server cant find them...
I have 2 aws accounts having their own RDS instances(not publicly accessible) with db engine as postgresql 12.5. I downloaded RDS certificate from "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem".
I am using JDBC(postgresql driver) with properties ssl=true and sslrootcert="path to above certificate" to establish secure connections.
My questions:
This certificate is same for both aws accounts which have different names, so how does it work , Does ssl hand shake verifies that client(jdbc connection) is talking to rds.amazonaws.com or the actual RDS instance which has separate name ?
RDS certificates are replaced every 5 years, i.e. applications also have to update the certificate every 5 years or sooner than that once new certificate is available from RDS, is this correct ?
Q1.
Yes, its same for all accounts. You can download it from docs here. Its about the instances as explained in the docs:
Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance.
Q2.
You can update before actual expiration few months before. Last year it happened as explained here:
The server's certificates are each different. Each server sends its own cert when you ask to establish a SSL connection to it. The thing you download is the cert for the authority which signs each of the server certs. You (Or your JDBC) use it to verify that the per-server certs are genuine.
I want to use my postgresql db from digital ocean in my webpage. Before i create this db, i have a free one for test and is working fine, but this new its not working.
I can connect from pgadmin to the db without problem.
My web project is a net core 2.1.
My connection strings
(1) From my test db (working):
optionsBuilder.UseNpgsql( "Server=my-server;Port=5432;Database=mydb; User Id=myuser;Password=mypsw;");
(2) From digital ocean db (not working):
optionsBuilder.UseNpgsql("Server=myserver;Port=25060;Database=defaultdb; User Id=doadmin;Password=mypsw;SslMode=Require");
If i use the (1) connection it works perfect, but when i change to (2) connection throw me the error message.
This is the error message:
“The remote certificate is invalid according to the validation procedure.”
My web its certificated with Let’s Encrypt, certbot.
Tell me if you need more info.
I found the solution, my problem was the ssl certificate, letsencrypt its a self-signed certificate and with sslmode=require, the connection fail.
So you have to add this parameter Trust Server Certificate=true.
optionsBuilder.UseNpgsql("Server=myserver;Port=25060;Database=defaultdb; User Id=doadmin;Password=mypsw;SslMode=Require;Trust Server Certificate=true");
Source: https://www.npgsql.org/doc/security.html#encryption-ssltls
I am trying to configure SSL communication for PostgreSQL.
I have a self-signed cerificate and I am following these instructions as specified in URL "http://www.postgresql.org/docs/9.2/static/ssl-tcp.html".
When I configure SSL with a self signed certificate, as per the documentation the server will prompt for a (private key's password) password when it start-up.
My PostgreSQL is installed as a windows service.So, I want my service to start without any user intervention. Is there a way to configure private key password so that my database service starts up normally.
This would be a bad idea even if it were possible. You get very little additional security by putting both the key and the passphrase where the server process can see it. This adds a false sense of security and a greater chance of bad things happening.
If your tool won't give you a passphraseless key, use a different tool.