sosedoff / pgweb

Cross-platform client for PostgreSQL databases
https://sosedoff.github.io/pgweb
MIT License
8.63k stars 732 forks

Specify CA/Client certs for verify-full mode #228

Closed johicks closed 7 years ago

johicks commented 7 years ago

I need to connect to a postgresql server that requires client certs and uses a root cert signed by a custom CA.

As an example, in Python, psycopg2 connection string allows me to specify all my certs: sslcert='/a/secrets/app/ssl_cert/ssl_cert.certificate' sslkey='/a/secrets/app/ssl_cert/ssl_cert.private_key' sslrootcert='/a/secrets/app/ssl_cert/ssl_cert.chain_cert'

Is there a way to do this in pgweb?

sosedoff commented 7 years ago

Hi, while I haven't personally tested the SSL cert stuff with pgweb, you might try adding the required SSL paths to the PostgreSQL connection string. See docs for more details.

sslcert
This parameter specifies the file name of the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made.

sslkey
This parameter specifies the location for the secret key used for the client certificate. It can either specify a file name that will be used instead of the default ~/.postgresql/postgresql.key, or it can specify a key obtained from an external "engine" (engines are OpenSSL loadable modules). An external engine specification should consist of a colon-separated engine name and an engine-specific key identifier. This parameter is ignored if an SSL connection is not made.

sslrootcert
This parameter specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. The default is ~/.postgresql/root.crt.

johicks commented 7 years ago

Thanks, that makes sense. I'm testing it out, and it looks like it's at least loading the root now, as I am not getting the 'x509: failed to load system roots and no roots provided' error.

Here's my string (that I'm throwing into the browser...): postgres://ab-arm@[redacted]/ab-arm?sslmode=verify-full&sslcert=/a/secrets/app/ssl_cert/ssl_cert.certificate&sslkey=/a/secrets/app/ssl_cert/ssl_cert.private_key&sslrootcert=/a/secrets/app/ssl_cert/ssl_cert.chain_cert

It's throwing the following: pq: connection requires a valid client certificate

sosedoff commented 7 years ago

@johicks any luck with certs? I didn't have any time to look into your issue, sorry.

sosedoff commented 7 years ago

Would love to get more feedback. Closing due to no activity.

antoniomo commented 6 years ago

Sorry for reopening. When testing with CockroachDB 2 (which AFAIK should support pgweb) in secure mode, I can't get a self-signed root cert to work:

pgweb --url postgres://root@localhost:26257/testdb?sslmode=verify-full&sslcert=client.root.crt&sslkey=client.root.key&sslrootcert=ca.crt

Pgweb v0.9.12 (git: 9af721176bf7b41366f0de8251fff0b47da8fce3)
Connecting to server...
Error: x509: certificate signed by unknown authority

Any ideas?
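
A preflight helper for the `verify-full` connection strings discussed in this thread, as an added example that is not part of the original thread or of pgweb. It checks that the certificate, key and CA files are readable, that the key is not group/world accessible (the `chmod 0600` case from the libpq documentation), percent-encodes the paths, and prints the URL. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not pgweb code; function names are hypothetical.

# Percent-encode characters that would change the meaning of a URL query value.
# '%' is handled first so escapes produced by later rules are not re-encoded.
urlencode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/&/%26/g' -e 's/=/%3D/g' \
        -e 's/?/%3F/g' -e 's/#/%23/g' -e 's/+/%2B/g' -e 's/ /%20/g'
}

# pg_tls_url USER HOST PORT DB CERT KEY ROOTCERT
# Prints a verify-full connection URL, or fails with the reason on stderr.
pg_tls_url() {
    [ "$#" -eq 7 ] || { echo "usage: pg_tls_url user host port db cert key rootcert" >&2; return 2; }
    user=$1 host=$2 port=$3 db=$4 cert=$5 key=$6 root=$7
    for f in "$cert" "$key" "$root"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Characters 5-10 of the mode string are the group and other bits.
    # This enforces the 0600 case only, which is stricter than libpq itself.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key is group/world accessible: $key" >&2; return 1; }
    printf 'postgres://%s@%s:%s/%s?sslmode=verify-full&sslcert=%s&sslkey=%s&sslrootcert=%s\n' \
        "$user" "$host" "$port" "$db" \
        "$(urlencode "$cert")" "$(urlencode "$key")" "$(urlencode "$root")"
}

# Usage (constructed paths). The URL is quoted: an unquoted '&' ends the command
# in a POSIX shell, so the parameters after it would never reach pgweb.
#   url=$(pg_tls_url root localhost 26257 testdb \
#         "$PWD/client.root.crt" "$PWD/client.root.key" "$PWD/ca.crt") &&
#     pgweb --url "$url"
```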