Can't turn on SSL for PGSQL from config during setup #557

Closed
rnalrd opened this issue May 2, 2024 · 9 comments
rnalrd commented May 2, 2024

Trying to use SSL when connecting to PGSQL. Using command line option -database-ssl-mode=require works no problem, but using config option sslmode="require" it doesn't.

~ # cat /etc/homer/webapp_config.json | jq '.database_data, .database_config'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "sslmode": "require"
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "passwod",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "sslmode": "require"
}
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer
 
CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=lesson_learned]
 
panic: pq: no pg_hba.conf entry for host "bad:beef:caffe:1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
	/app/main.go:1840 +0xfe5
main.main()
	/app/main.go:225 +0xaf

~ #### turning on SSL via CLI option works
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer  -database-ssl-mode=require
 
CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=require port=5432 password=lesson_learned]
 
 
HOMER - creating user [user=homer_user password=homer_password] 

(/app/migration/migration.go:62) 
[2024-05-02 12:44:13]  [60.70ms]  CREATE USER "homer_user" WITH PASSWORD 'homer_password'  
[0 rows affected or returned ] 
 
DONE 
 
HOMER - show users 
	Role name	|	Attributes
------------------------------------------------
	homer_user	|		
	postgres	|	superuser, create database	
 
DONE 
~ # homer-app -version
VERSION: 1.4.59

@hamidrhashmi

Hi @rnalrd

Please try using usessl

{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}

check this.

rnalrd commented May 3, 2024

Same problem with "usessl"

~ # cat /etc/homer/webapp_config.json | jq '.database_data, .database_config'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "password",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "usessl": true
}
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer
 
CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=password]
 
panic: pq: no pg_hba.conf entry for host "bad:beef:cafe:1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
	/app/main.go:1840 +0xfe5
main.main()
	/app/main.go:225 +0xaf

@hamidrhashmi

I have tested with version 1.4.59, and with param "usessl=true" it prints the log line

{"level":"info","msg":"Connecting to [127.0.0.1, homer_user, homer_data, LocalNode, 0, ssl: require]\n","time":"2024-05-06T04:37:10-05:00"}

while with "usessl=false" it prints

{"level":"info","msg":"Connecting to [127.0.0.1, homer_user, homer_data, LocalNode, 0, ssl: disable]\n","time":"2024-05-06T04:35:33-05:00"}

and it is working in both scenarios. Try enabling debug log in webapp config and share homer-app logs.

rnalrd commented May 8, 2024

homer:~# cat /etc/homer/webapp_config.json | jq '.database_data, .database_config, .system_settings'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "password",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "usessl": true
}
{
  "help": "Settings for HOMER logs",
  "logpath": "/var/log/homer",
  "logname": "homer-app.log",
  "_loglevels": "can be: fatal, error, warn, info, debug, trace",
  "loglevel": "debug",
  "logstdout": true
}
homer:~# homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer
{"level":"info","msg":"init logging system","time":"2024-05-08T06:35:22Z"}
 
CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=password]
 
{"level":"error","msg":"pq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Couldn't establish connection. Please be sure you can have correct passwordpq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Try run: sudo -u postgres psql -c \"ALTER USER postgres PASSWORD 'postgres';\"","time":"2024-05-08T06:35:22Z"}
panic: pq: no pg_hba.conf entry for host "dead:beef::1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
	/app/main.go:1840 +0xfe5
main.main()
	/app/main.go:225 +0xaf

Adding -database-ssl-mode=require everything works as it should:

homer:~# homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -database-ssl-mode=require -webapp-config-path=/etc/homer
{"level":"info","msg":"init logging system","time":"2024-05-08T06:36:04Z"}
 
CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=require port=5432 password=password]
 
{"level":"debug","msg":"----------------------------------- ","time":"2024-05-08T06:36:04Z"}
{"level":"debug","msg":"*** Database Data Root Session created *** ","time":"2024-05-08T06:36:04Z"}
{"level":"debug","msg":"----------------------------------- ","time":"2024-05-08T06:36:04Z"}
 
HOMER - creating user [user=homer_user password=homer_password] 

(/app/migration/migration.go:62) 
[2024-05-08 06:36:04]  pq: role "homer_user" already exists 

(/app/migration/migration.go:62) 
[2024-05-08 06:36:04]  [0.72ms]  CREATE USER "homer_user" WITH PASSWORD 'homer_password'  
[0 rows affected or returned ] 
 
DONE 
 
HOMER - show users 
	Role name	|	Attributes
------------------------------------------------
	health_check	|		
	homer_user	|		
	postgres	|	superuser, create database	
	replication	|		
	sr_check_user	|		
 
DONE 

@hamidrhashmi

I followed this blog to configure SSL on Postgres. You may have to follow Step 6 to resolve "no pg_hba.conf entry for host".

rnalrd commented May 8, 2024

My pg_hba.conf does not allow non-SSL connections; that is why there's the error with "no encryption":

{"level":"error","msg":"pq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Couldn't establish connection. Please be sure you can have correct passwordpq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}

When I add the CLI option -database-ssl-mode=require the connection is accepted. The problem is that "usessl: true" in config does not do its job, I need to specify via CLI that I want an SSL connection.

@adubovikov
Member

We can add the custom fields.

@adubovikov
Member

9e5c7b8

Please test it; you can specify any params inside.

@adubovikov
Member

Closed as resolved.
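
The precedence question behind this thread (CLI flag versus "sslmode"/"usessl" in the config, with "disable" used when neither was picked up), as an added example that is not homer-app's code and not the change in 9e5c7b8. effectiveSSLMode is a hypothetical helper; the fail-closed default of "require" and the rejection of unknown values are assumptions of this sketch, and the inputs are constructed from the config excerpts above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// dbSection holds only the TLS-related keys shown in the thread's config.
type dbSection struct {
	SSLMode string `json:"sslmode"`
	UseSSL  *bool  `json:"usessl"` // pointer: distinguishes "absent" from false
}

// Values the lib/pq driver accepts for sslmode.
var pqModes = map[string]bool{"disable": true, "require": true, "verify-ca": true, "verify-full": true}

// effectiveSSLMode (hypothetical) resolves: CLI flag, then "sslmode",
// then "usessl", then a fail-closed default of "require" (an assumption).
func effectiveSSLMode(cliFlag string, rawSection []byte) (string, error) {
	var s dbSection
	if err := json.Unmarshal(rawSection, &s); err != nil {
		return "", fmt.Errorf("parse config: %w", err)
	}
	mode := "require"
	switch {
	case cliFlag != "":
		mode = cliFlag
	case s.SSLMode != "":
		mode = s.SSLMode
	case s.UseSSL != nil && !*s.UseSSL:
		mode = "disable" // plaintext only when explicitly requested
	}
	if !pqModes[mode] {
		// A typo must not silently fall back to an unencrypted connection.
		return "", fmt.Errorf("unsupported sslmode %q", mode)
	}
	return mode, nil
}

func main() {
	// Constructed inputs modelled on the config excerpts in the thread.
	cases := []struct{ flag, cfg string }{
		{"", `{"host":"homer-db","sslmode":"require"}`},
		{"", `{"host":"homer-db","usessl":true}`},
		{"", `{"host":"homer-db","usessl":false}`},
		{"verify-full", `{"host":"homer-db","usessl":false}`},
		{"", `{"host":"homer-db","sslmode":"requre"}`},
	}
	for _, c := range cases {
		mode, err := effectiveSSLMode(c.flag, []byte(c.cfg))
		fmt.Printf("flag=%q cfg=%s -> mode=%q err=%v\n", c.flag, c.cfg, mode, err)
	}
}
```

Logging the resolved mode at startup, as the "ssl: require" log line quoted above does, makes a mismatch between config and effective setting visible before pg_hba.conf rejects the connection.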
