I would like to connect to my Postgres 8.3 database using SSL from my XP client using OpenSSL. This works fine without SSL. When I try it with SSL (no client certificate), I get the error:
error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
I suspect that I need to change something with the Postgres configuration but I don't know what. I have followed the instructions in the Postgres manual for SSL including creating a self-signed certificate. In my pg_hba.conf there is a line:
host dbname loginname 123.45.67.89/32 md5
Is there something else I should be looking at?
This is an error inside OpenSSL. It doesn't sound like a PostgreSQL configuration problem. However, it could be an OpenSSL config problem - check if you have any non-detailt openssl.conf on the machine(s).
Also, what version of OpenSSL do you have on the server, and what OS is that? If you have a really old one, that could be the reason.
Related
Connection String:
Data Source=<server>,<port>;Initial Catalog=<database>;User Id=<username>;
Password=<password>?;MultipleActiveResultSets=true;Encrypt=True;
TrustServerCertificate=false;Integrated Security=false;Trusted_Connection=true;
Connection Timeout=30;
My connection string contains:
TrustServerCertificate=false
and I get this error:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
When I have a connection string with this:
TrustServerCertificate=true
I get:
Login failed for user '<username>'. // <-- real username removed
The EF Core 7.0 breaking changes addresses this. https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes
There are three ways to proceed:
Install a valid certificate on the server. Note that this is an
involved process and requires a obtaining a certificate and ensuring
it is signed by an authority trusted by the client.
If the server has a certificate, but it is not trusted by the
client, thenTrustServerCertificate=True to allow bypassing the normal
trust mechanims.
Explicitly add Encrypt=False to the connection string.
I received same error when try a "Scaffold" command into a Nuget Console. The version Of Microsoft.EntityFrameworkCore.Tools and Microsoft.EntityFrameworkCore.SQLServer was 7.0.0.
Then I downgrade this two package to the 6.0.9 version and all works fine.
I have a MariaDB server set up with self-signed certificates to connect using TLS. This works when I connect with the corresponding client
$ mysql -u xxxx -h xx.xx.xx.xx -p
\s shows:
mysql Ver 15.1 Distrib 10.1.37-MariaDB, for debian-linux-gnu (x86_64)
SSL: Cipher in use is DHE-RSA-AES256-SHA
The .my.cnf contains:
$ cat ~/.my.cnf
[client]
ssl-cert=/---path-deleted---/client-cert.pem
ssl-key=/---path-deleted---/client-key.pem
Problem: I don't manage to connect from a Perl script with these settings. Without SSL, the script works. As soon as I enable SSL in the script (and enforce it on the server), I get:
failed: SSL connection error: ASN: bad other signature confirmation
When I check the certificates with openssl, I get
$ openssl verify ca-cert.pem client-cert.pem server-cert.pem
error 18 at 0 depth lookup: self signed certificate
The certificates are indeed self-signed, and I want to keep it that way.
If I use "mariadb_ssl_verify_server_cert=0", I get
failed: SSL connection error: Enforcing SSL encryption is not supported without mariadb_ssl_verify_server_cert=1
What do I need to change to have a TLS-connection working from Perl?
I copy the lines of code I have in my connect sub for reference. A very similar code used to work on an older system with mysql (not mariadb), using just mysql_ssl=1 IIRC:
$self->{dsn} = "DBI:MariaDB:database=$database;host=$db_host;mariadb_ssl=1;".
"mariadb_ssl_verify_server_cert=1;".
"mariadb_ssl_ca_file=/---path---/ca-key.pem;".
"mariadb_ssl_client_key=/---path---/client-key.pem;".
"mariadb_ssl_client_cert=/---path---/client-cert.pem";
$self->{dbh} = DBI->connect($self->{dsn}, $db_user, $db_passwd,
{'RaiseError' => 1, 'PrintError' => 1, AutoCommit => 1});
I had a similar problem, albeit using DBI:mysql.
Issue was that I specified the IP address in the connection string rather than the servername, as specified in the SSL certificate CN. The mysql command line client didn't mind, but DBI:mysql does.
To get the CN of the certificate, I used openssl as per https://serverfault.com/a/931652/243186
I then needed to add an entry in my /etc/hosts file such that the CN matched the IP of the interface I was connecting to.
An alternate solution would have been for the MySQL server owner to have generated an SSL SAN cert specifying all possible servernames and IPs it could be connected to as.
I am trying to connect to a Postgres instance running on Google Cloud Platform using psql.
I got the certificate using:
gcloud beta sql ssl server-ca-certs list --instance=[instance-name] --format='value(cert)' > server-ca.pem
and then tried connecting using psql to the instance using:
psql "host=[ip] port=[port] user=[user] dbname=[db] sslmode=verify-ca sslrootcert=server-ca.pem"
This returns the error: SSL error: invalid padding
I have checked the certificate for valid unix endlines, changed the wrapping (making sure the whole certificate fits on one line, etc.)
Any pointers into what might be going wrong here or how to debug this are very welcome!
Creating a new server-ca certificate and rotating it solved the SSL connection issue.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 4 years ago.
Improve this question
UPDATE
I believe I resolved this issue with this connection...
db, err := gorm.Open("postgres", "host='postgres'&user:docker&port=5432&dbname='docker'&password='password'&sslmode=disable")
I am getting a connection refused between a Docker PG container and a GoLang Scratch container. The error is:
============ exiting ==========
todo_1 | pq: SSL is not enabled on the server
todo_1 | panic: failed to connect database e
The docker-compose.yml file
The main.go file which is panicking
Complete code base with Docker files
OTHER NOTE:
I am using GORM library to connect with PG.
REQUEST:
Please look over code and give some hints on where and how to resolve this SSL issue.
You can follow the code to find the documentation on how to use the Postgres calls.
github.com/jinzhu/gorm calls
database/sql which calls
lib/pq
And lib/pq documents it's usage including:
dbname - The name of the database to connect to
user - The user to sign in as
password - The user's password
host - The host to connect to. Values that start with / are for unix domain sockets. (default is localhost)
port - The port to bind to. (default is 5432)
sslmode - Whether or not to use SSL (default is require, this is not the default for libpq)
fallback_application_name - An application_name to fall back to if one isn't provided.
connect_timeout - Maximum wait for connection, in seconds. Zero or not specified means wait indefinitely.
sslcert - Cert file location. The file must contain PEM encoded data.
sslkey - Key file location. The file must contain PEM encoded data.
sslrootcert - The location of the root certificate file. The file must contain PEM encoded data.
And:
disable - No SSL
require - Always SSL (skip verification)
verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name
matches the one in the certificate)
So your connect string for a database without SSL is simply:
db, err := gorm.Open("postgres", "host='postgres' port=5432 user=docker dbname='docker' password='password' sslmode=disable")
Or you could configure Postgres with an SSL key. That's less trivial, but to implement you'd need to modify the postgresql.conf file to enable the ssl settings and mount the TLS key pair as a volume, or preferably a secret with swarm mode. One of the many examples of how to do this can be found at: https://gist.github.com/likwid/86193ef581c530ea55d3
I have issue regarding SSH connection with my server. When i try to connect it results into error:"Bad authentication type(allowed_types=['publickey'])"
Thanks
You need to ensure that your private key is in openssh format. With puttygen you can export as Openssh. This worked for me.
Check your username and public key this can cause problem.
Attach the private key file with extension .ppk
Also verify your connection with putty.
Also check for the restriction on server.
FYI, my company uses a Yubikey and so the SSH part can be a bit mysterious. However, walking through a shell login with the yubikey yinit command, to ssh to IP (no password needed here), and finally to connecting mysql (still shell), I attempted to MySQL Workbench a few times with my different passwords to no avail.
Finally, I noticed the "SSH Key File" field and looked up where my .ssh file was -- /Users/myProfile/.ssh/
Set the "id_rsa.pub" file as it and voila!
Everything worked.