Closed johicks closed 7 years ago
Hi, while I haven't personally tested the SSL cert stuff with pgweb, you might try adding required ssl paths to the postgresql connection string. See docs for more details.
sslcert
This parameter specifies the file name of the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made.
sslkey
This parameter specifies the location for the secret key used for the client certificate. It can either specify a file name that will be used instead of the default ~/.postgresql/postgresql.key, or it can specify a key obtained from an external "engine" (engines are OpenSSL loadable modules). An external engine specification should consist of a colon-separated engine name and an engine-specific key identifier. This parameter is ignored if an SSL connection is not made.
sslrootcert
This parameter specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. The default is ~/.postgresql/root.crt.
Thanks, that makes sense. I'm testing it out, and it looks like it's at least loading the root now, as I am not getting the error: 'x509: failed to load system roots and no roots provided' error.
Here's my string (that I'm throwing into the browser...): postgres://ab-arm@[redacted]/ab-arm?sslmode=verify-full&sslcert=/a/secrets/app/ssl_cert/ssl_cert.certificate&sslkey=/a/secrets/app/ssl_cert/ssl_cert.private_key&sslrootcert=/a/secrets/app/ssl_cert/ssl_cert.chain_cert
It's throwing the following: pq: connection requires a valid client certificate
@johicks any luck with certs? I didn't have any time to look into your issue, sorry.
Would love to get more feedback. Closing due to no activity.
Sorry for reopening, when testing with cockroachdb 2 (which AFAIK should support pgweb) on secure mode, I can't get a self signed root cert to work:
pgweb --url postgres://root@localhost:26257/testdb?sslmode=verify-full&sslcert=client.root.crt&sslkey=client.root.key&sslrootcert=ca.crt
Pgweb v0.9.12 (git: 9af721176bf7b41366f0de8251fff0b47da8fce3)
Connecting to server...
Error: x509: certificate signed by unknown authority
Any ideas?
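A check worth running on a command typed like the one above (added example, not from the thread or the pgweb project): in a POSIX shell an unquoted `&` ends the command, so only the text before the first `&` reaches the program as its URL. The helper names `ssl_params` and `received_arg` and the URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which TLS parameters of a libpq-style URL actually
# arrive in the argument a program receives, unquoted versus quoted.

# Constructed URL in the same shape as the command in the comment above.
URL_TEXT='postgres://root@localhost:26257/testdb?sslmode=verify-full&sslcert=client.root.crt&sslkey=client.root.key&sslrootcert=ca.crt'

# ssl_params URL -> names of the TLS parameters present in the query string.
ssl_params() {
    query=${1#*\?}
    if [ "$query" = "$1" ]; then query=""; fi   # no '?' means no query string
    found=""
    old_ifs=$IFS; IFS='&'
    set -f                                       # no globbing while splitting
    for pair in $query; do
        case ${pair%%=*} in
            sslmode|sslcert|sslkey|sslrootcert) found="$found ${pair%%=*}" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    echo "${found# }"
}

# received_arg MODE -> the argument a program gets when the URL is typed
# unquoted or single-quoted. printf stands in for the real program.
received_arg() {
    case $1 in
        # Unquoted: the child shell treats each '&' as "run in background",
        # so printf only sees the text up to the first '&'.
        unquoted) sh -c "printf '%s\n' $URL_TEXT" 2>/dev/null | head -n 1 ;;
        # Quoted: the whole URL is one argument.
        quoted)   sh -c "printf '%s\n' '$URL_TEXT'" ;;
    esac
}

for mode in unquoted quoted; do
    echo "$mode: $(ssl_params "$(received_arg "$mode")")"
done
```

If the unquoted form is what was typed, the fix is to wrap the whole URL in single quotes so `sslcert`, `sslkey` and `sslrootcert` are passed along with `sslmode`.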
I need to connect to a postgresql server that requires client certs and uses a root cert signed by a custom CA.
As an example, in Python, psycopg2 connection string allows me to specify all my certs: sslcert='/a/secrets/app/ssl_cert/ssl_cert.certificate' sslkey='/a/secrets/app/ssl_cert/ssl_cert.private_key' sslrootcert='/a/secrets/app/ssl_cert/ssl_cert.chain_cert'
Is there a way to do this in pgweb?