Open MacSlow opened 1 year ago
ellie
commented
1 year ago Hey!
Are you connecting to your postgres over the public internet? Do you have SSL certificates configured on your database server?
If not, try adding ?sslmode=disable to the end of your postgres connection string.
ellie
commented
1 year ago also - nice supermoto!
MacSlow
commented
1 year ago First of all... yeah, the Husky is the best... with my Hypermotard being a close second! :)
I added that suggested snipped to the db_uri-entry. That at least changed to error reported from atuin to:
thread 'main' panicked at 'error binding to 127.0.0.1:5432: error creating server listener: Address already in use (os error 98)', /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.20/src/server/server.rs:77:13
Then I changed the port to use 8888 and I got rid of the above error, but there is no response from atuin server start. Should it return to the shell prompt or do I have to detach it manually from the current shell-process?
Trying to connect from the client-side with atuin I get this:
1> atuin login
Please enter username: macslow (this is the database-user I created in PostgreSQL)
Please enter encryption key: <put the stuff here I get from 'atuin key'>
Please enter password: <put the corresponding password for the database-user here>
Error: error decoding response body: expected value at line 1 column 1
Caused by:
expected value at line 1 column 1
Location:
/home/runner/work/atuin/atuin/atuin-client/src/api_client.rs:82:21Sorry, if I might be missing something obvious... can you tell I hate database-stuff? :)
MacSlow
commented
1 year ago Should I figure it out, I'll promise to write a summary on my blog for future reference. All this started with writing an output-rotation patch, mouse-selection cut&paste and some bug-fixes for kmscon. The rabbit-hole always goes deeper than you initially anticipate :)
MacSlow
commented
1 year ago In the meantime I have figured out how to setup PostgreSQL to use my "Let's Encrypt"-certificate, which I use for my web-server.
To verify the basic operation of the working certificat I used the command:
openssl s_client -starttls postgres -connect macslow.org:5432 </dev/null
which generates the ouput:
CONNECTED(00000003)
---
Certificate chain
0 s:CN = macslow.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISA7fdx63SblaICJ+NLGKTSlx4MA0GCSqGSIb3DQEBCwUA
... bla bla bla and so on ...
58G4smTZiKYMamPkLVujqaYpMaHshix4SskffQ60DCbb
-----END CERTIFICATE-----
subject=CN = macslow.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4708 bytes and written 727 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---Local and remote connections to PostgreSQL are now using the proper SSL-certificate, if I can believe this select-statement I issued on my server hosting the PostgreSQL-database (using the psql frontend):
postgres=# select ssl.pid, usename, datname, ssl, ssl.version, ssl.cipher, ssl.bits, ssl.compression, client_addr from pg_catalog.pg_stat_ssl ssl, pg_catalog.pg_stat_activity activity where ssl.pid = activity.pid and client_addr is not null;
pid | usename | datname | ssl | version | cipher | bits | compression | client_addr
-------+----------+----------+-----+---------+------------------------+------+-------------+---------------
36892 | postgres | postgres | t | TLSv1.3 | TLS_AES_256_GCM_SHA384 | 256 | f | 127.0.0.1
36909 | macslow | atuin | t | TLSv1.3 | TLS_AES_256_GCM_SHA384 | 256 | f | 91.57.254.111Again, with all that in place executing atuin server start on the PostgreSQL-server machine still does not seem to work. It does not return to the shell-promt, I don't see anything in the PostgreSQL-log and also nothing shows up in the select-statement about an additional connection.
I guess the ball in back in atuin-land to figure out what's still wrong or missing.
Greetings folks!
Have to embarrass myself here admitting, that I cannot successfully setup an atuin sync server on my own.
When starting
atuin server starton my sever machine, I see this in/var/log/postgresql/postgresql-12-main.log(with verbose error-logging enabled):And atuin spits out this on stdout:
The version of atuin used is
atuin_12.0.0_amd64.debprovided by the install.sh script listed in the installation documentation. According to the conversation and remarks from ellie and conradludgate in issue https://github.com/ellie/atuin/issues/570, release 12 of atuin has this fix regardingrustls-tls-native-roots. So my guess is, that the error I see is something new.What irritates me is this
[unknown]@[unknown]in the PostgreSQL-log. I would assume to see the credentials there I stated in~/.config/atuin/server.toml. That file on the server currently looks like this (and no, that not my real password... don't worry :):I can successfully connect remotely to PostgreSQL using the
psqlfrontend using a dedicated database-user, thus configuration-wise I guess everything is fine on the PostgreSQL-side of things. This is what I see when I usepsqlfrom a remote client machine:The same success I have, when I do locally on the server:
It all boils down to what is happening in lines 22-24 in
<atuin_root>/atuin-server/src/lib.rs, but I really cannot dig into a new language right now to sort it out. Not that rust isn't compelling.Thanks in advance for your help and advice!
Best regards...
MacSlow