Open tino opened 6 years ago
Is this using TLS 1.2?
I really don't know. From what I read psql (client and server) find the highest supported version by both. But it's fabio that takes care of the TLS, I haven't set up anything in the postgres server config.
Any suggestion on things to check?
You can try the handshake with openssl s_client -connect geodb.myserver.nl:5432 and see whether that works. If you are on a Mac you might need to install a newer version with homebrew and use /usr/local/opt/openssl/bin/openssl since only there you have the -tls1_2 option.
Any update on this? Did you manage to get it working? We seem to have encountered similar issue.
Our Config file on Fabio, with a wildcard cert from Let's Encrypt:
proxy.cs=cs=certstore;type=file;cert=/.acme.sh/fullchain.cer;key=/.acme.sh/example.com.key
proxy.addr=:80;proto=http,:443;cs=certstore,:4222;proto=tcp;cs=certstore
With tags in Consul, we can see that routes are being created:
+ route add nats :4222 http://10.5.10.74:4222/
+ route add nats :4222 http://10.5.10.72:4222/
+ route add nats :4222 http://10.5.10.68:4222/
Our set up looks like this:
               TCP:4222              TCP:4222
+-----------+             +-------+             +------------+
|NATS Client| +---------> | Fabio | +---------> |NATS Cluster|
+-----------+             +-------+             +------------+
           SSL Let's Encrypt      SSL Self Signed
The problem we encounter is that as soon as we enable TLS with ;cs=certstore
the client can't connect and we get the following error:
read tcp 192.168.15.102:59762-> <Fabio public ip> :4222: i/o timeout (Public IP hidden)
exit status 1
If we don't terminate SSL at Fabio we can connect to the NATS cluster via fabio.
Are you running 1.5.11? TCP was broken since 1.5.8 (#524), and the symptoms you describe fit that bug.
We're running with version 1.5.7
Edit: I'm quite certain I've found the problem in our case. https://github.com/nats-io/node-nats/issues/232 Seems that the initial handshake of NATS is, and has to be, non-TLS.
For people stumbling across this thread via Google search, the issue is that Postgres clients negotiate TLS with the server directly. The client expects a non-TLS handshake prior to upgrading so terminating TLS at a proxy like fabio won't work.
Interested to hear if someone has worked out a way around this, but as far as I know it's not possible.
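To make the explanation above concrete, here is an added example (not fabio's code and not posted by anyone in this thread) that builds the plaintext SSLRequest a libpq client sends as its very first bytes and applies the same first-record test a TLS-terminating proxy uses; the sample TLS and NATS byte strings are constructed.

```python
import struct

# A libpq client opens the TCP connection and, before any TLS record, sends an
# 8-byte SSLRequest: int32 length (8) followed by the int32 code 80877103.
# The server answers a single plaintext byte ('S' or 'N') and only then does
# the client start the TLS handshake.
PG_SSLREQUEST_CODE = 80877103  # 0x04D2162F


def pg_sslrequest() -> bytes:
    """Build the plaintext SSLRequest packet a Postgres client sends first."""
    return struct.pack("!ii", 8, PG_SSLREQUEST_CODE)


def looks_like_tls_client_hello(data: bytes) -> bool:
    """The check a TLS-terminating proxy applies to the first record: content
    type 0x16 (handshake) and a record-layer version of 0x0300..0x0304."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def classify_first_record(data: bytes) -> str:
    """Say what the first bytes on a connection are, so the failure mode is
    visible: anything that is not a ClientHello cannot be TLS-terminated."""
    if looks_like_tls_client_hello(data):
        return "tls-client-hello"
    if len(data) >= 8 and struct.unpack("!ii", data[:8]) == (8, PG_SSLREQUEST_CODE):
        return "postgres-sslrequest"  # STARTTLS-style upgrade, not TLS-first
    # NATS: the server speaks first with a plaintext INFO line (which carries
    # tls_required) and the client replies CONNECT; a client that waits for
    # INFO while the proxy waits for a ClientHello produces the i/o timeout
    # seen above, because neither side ever sends anything.
    if data.startswith(b"INFO ") or data.startswith(b"CONNECT "):
        return "nats-plaintext"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 record header wrapping a ClientHello,
    # the Postgres SSLRequest, and a NATS INFO line.
    samples = {
        "browser/curl": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
        "psql":         pg_sslrequest(),
        "nats-server":  b'INFO {"server_id":"constructed","tls_required":true}\r\n',
    }
    for who, first in samples.items():
        print(f"{who:12s} -> {classify_first_record(first)}")
```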
I'm trying to proxy Postgres and have fabio terminate the TLS.
Config:
(works fine on https)
route add geodb :5432 http://10.0.0.19:5432/ opts "proto=tcp"
This doesn't work:
Fabio logs:
2018/04/16 17:15:46 [WARN]: tcp: tls: first record does not look like a TLS handshake
What to do? 😗