MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Root CA for Hyperscale (Citus) #36072

Closed will closed 5 years ago

will commented 5 years ago

The CA(1) referenced in the documentation(2) does not work for Hyperscale Citus.

1: https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem
2: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#applications-that-require-certificate-verification-for-ssl-connectivity

Does

~> psql "postgres://citus@aaab-c.postgres.database.azure.com:5432/citus?user=citus&sslmode=verify-ca&sslrootcert=/tmp/BaltimoreCyberTrustRoot.crt.pem" -Xtc "select now()"
psql: SSL error: certificate verify failed

~> psql "postgres://citus@aaab-c.postgres.database.azure.com:5432/citus?user=citus&sslmode=verify-full&sslrootcert=/tmp/BaltimoreCyberTrustRoot.crt.pem" -Xtc "select now()"
psql: SSL error: certificate verify failed

After some digging, I found out that the real CA used for Hyperscale Citus is at https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

~> psql "postgres://citus@aaab-c.postgres.database.azure.com:5432/citus?user=citus&sslmode=verify-ca&sslrootcert=/tmp/DigiCertGlobalRootCA.crt.pem" -Xtc "select now()"
 2019-07-29 23:21:34.86432+00

~> psql "postgres://citus@aaab-c.postgres.database.azure.com:5432/citus?user=citus&sslmode=verify-full&sslrootcert=/tmp/DigiCertGlobalRootCA.crt.pem" -Xtc "select now()"
 2019-07-29 23:19:29.797887+00

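A way to check offline which candidate root actually anchors a server's certificate chain, the question behind the `certificate verify failed` errors in the report above. This is an added example, not part of the original issue; the CA names, host name and both helper functions are constructed, and it assumes the `openssl` CLI with its default configuration.

```shell
#!/bin/sh
# Added example with constructed data: CA names and host name are hypothetical.

# find_trust_anchor CHAIN ROOT...
# CHAIN is a PEM file with the server certificate first, then any intermediates
# (for a live PostgreSQL server it can be captured with
#  openssl s_client -starttls postgres -connect HOST:5432 -showcerts).
# Prints the first ROOT that validates the chain; returns 1 if none does.
find_trust_anchor() {
    chain=$1; shift
    for root in "$@"; do
        # SSL_CERT_DIR points at a nonexistent directory so the system trust
        # store cannot satisfy the check in place of the candidate root.
        if SSL_CERT_DIR=/nonexistent openssl verify -CAfile "$root" \
               -untrusted "$chain" "$chain" >/dev/null 2>&1; then
            printf '%s\n' "$root"
            return 0
        fi
    done
    return 1
}

# make_demo_pki DIR
# Builds two self-signed roots and a server certificate issued by the second,
# mirroring "documented root" versus "root actually in use".
make_demo_pki() {
    d=$1
    for ca in documented-root actual-root; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/actual-root.pem" \
        -CAkey "$d/actual-root.key" -CAcreateserial -days 1 \
        -out "$d/server.pem" 2>/dev/null
}

# Demo run: only actual-root.pem validates the constructed server certificate.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
echo "validates against: $(find_trust_anchor "$tmp/server.pem" \
    "$tmp/documented-root.pem" "$tmp/actual-root.pem")"
rm -rf "$tmp"
```

The root this prints is the file to pass as `sslrootcert`; a candidate that fails here will also fail under `sslmode=verify-ca` and `sslmode=verify-full`.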

will commented 5 years ago

It also looks like the integration from the docs to GitHub issues unnecessarily transforms > to HTML entities. My prompt looks like ~> not ~gt;.

will commented 5 years ago

The title of this page does include "single server" but it's the only thing that comes up when you search for ssl and postgres.

rachel-msft commented 5 years ago

@will, Hyperscale (Citus) doesn't yet have a documentation page for SSL. More documentation will be added over the next few months.

will commented 5 years ago

Ok, I'll close this issue here and mention you on the visualstudio.com issue just to keep it all together, but feel free to ignore the other one if you're not the right person.