Unable to connect to SSL Postgres External Database with Debian (Certificate Permission Errors)

Asked
Active3 hr before
Viewed126 times

6 Answers

postgresdatabaseconnectunable
90%

Meta Stack Overflow , Stack Overflow Public questions & answers , Stack Overflow help chat ,I am able to connect to an external SSL Postgres Database using xampp and PHP, but when I try it on my debian linux server, I am unable to establish a connection.

Script Example

< ? php
// define constants
define('DB_HOST', '1.1.1.1');
define('DB_USER', 'usr');
define('DB_PASS', 'pw');
define('DB_NAME', 'db');
define('DB_PORT', '5432');

// connection string with SSL certificate files 
$conn_str = 'host='.DB_HOST.
' ';
$conn_str. = 'port='.DB_PORT.
' ';
$conn_str. = 'dbname='.DB_NAME.
' ';
$conn_str. = 'user='.DB_USER.
' ';
$conn_str. = 'password='.DB_PASS.
' ';
$conn_str. = 'sslmode=verify-full ';
$conn_str. = 'sslcert=etc/apache/ssl/postgresql.crt ';
$conn_str. = 'sslkey=etc/apache/ssl/postgresql.key ';
$conn_str. = 'sslrootcert=etc/apache/ssl/root.key ';

// attempt connection
$conn = pg_connect($conn_str) or die('Cannot connect to database.');

// set sql string
$sql = 'SELECT * FROM locations;';

// query and iterate results
if ($result = pg_query($conn, $sql))
   while ($row = pg_fetch_row($result)) {
      var_dump($row);
   }

// close it up
pg_close(); ?
>
load more v
88%

I have a PostgreSQL 9.6.11 database on Amazon Linux that has been configured with a 2048-bit SSL wildcard server certificate and password-based (no client certificates) remote connections since January 2012. After a recent certificate upgrade (Comodo, now Sectigo), I can no longer establish remote psql or JDBC connections to this database over SSL.,And also examined the text versions of the certificates to confirm that the intermediate and root certificates have the v3_ca extension (the wildcard server certificate does not have this extension):,Create the bundled intermediate and root certificates (those with the v3_ca extension) for Path #2 (although this would only be needed when requiring client certificates):,Create the bundled intermediate and root certificates (those with the v3_ca extension) for Path #1 (although this would only be needed when requiring client certificates):

I just created a script to generate all you need to setup SSL with full verification. Can you please run it and confirm if it works ?

#!/bin/bash

rm -rf /tmp/pg-ssl
mkdir -p /tmp/pg-ssl

openssl req -new -nodes -text -out root.csr -keyout root.key -subj "/CN=root.yourdomain.com"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt


openssl req -new -nodes -text -out intermediate.csr -keyout intermediate.key -subj "/CN=intermediate.yourdomain.com"
chmod og-rwx intermediate.key
openssl x509 -req -in intermediate.csr -text -days 1825 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt


openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=dbhost.yourdomain.com"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 365 -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out server.crt

cat server.crt intermediate.crt > bundle.crt


echo "ssl = true"
echo "ssl_cert_file = '/tmp/pg-ssl/bundle.crt'"
echo "ssl_key_file = '/tmp/pg-ssl/server.key'"

echo "add server ip in hosts file <IP> dbhost.yourdomain.com"
   echo "copy root.crt to client"
   echo 'connect with psql "postgresql://dev@dbhost.yourdomain.com:5432/dev?ssl=true&sslmode=verify-full&sslrootcert=/tmp/pg-ssl/root.crt"'
load more v
72%

OpenSSL supports a wide range of ciphers and authentication algorithms, of varying strength. While a list of ciphers can be specified in the OpenSSL configuration file, you can specify ciphers specifically for use by the database server by modifying ssl_ciphers in postgresql.conf.,because the server will reject the file if its permissions are more liberal than this. For more details on how to create your server private key and certificate, refer to the OpenSSL documentation.,The clientcert option in pg_hba.conf is available for all authentication methods, but only for rows specified as hostssl. When clientcert is not specified or is set to 0, the server will still verify presented client certificates against root.crt if that file exists — but it will not insist that a client certificate be presented.,to turn the certificate into a self-signed certificate and to copy the key and certificate to where the server will look for them. Finally do:

To create a quick self-signed certificate for the server, use the following OpenSSL command:

openssl req - new - text - out server.req
load more v
65%

Then restart the database instance to make sure SSL is enabled.,The connection has been successfully encrypted. If “ssl = true”, then we have succeeded.,PostgreSQL InfrastructureSetup & InstallationKubernetesDatabase architecture,Business CasesFraud DetectionPostgreSQL for biotech and scientific applications

The first thing we have to do to set up OpenSSL is to change postgresql.conf. There are a couple of parameters which are related to encryption:

 ssl = on
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
 # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1.2'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
load more v
75%

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure,"ERROR 2026 (HY000): SSL connection error",ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL,ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

[ec2 - user @ip - 192 - 0 - 2 - 0~] $ mysql - h abcdefg - clust.cluster - xxxx.us - east - 1. rds.amazonaws.com--ssl - ca rds - combined - ca - bundle.pem--ssl - mode = VERIFY_IDENTITY - u test - p test
Enter password:
   ERROR 2026(HY000): SSL connection error: SSL certificate validation failure
load more v
40%

With the telnet command, you can test connectivity to remote computers and issue commands. If you specify a port as a parameter for the telnet command, you can test connectivity to a remote host on the given port. If the connection is successful, you see the message: Connected to <host_IP>.,In the command line window, specify the username that you use for the SSH tunnel and press Enter. Do not close the command line window.,For security reasons, DBMS usually drops all telnet connections. The telnet command allows you to check if the port is opened for communication.,In the Class field, specify the value that you want to use for the driver .

Databases can work locally, on a server, or in the cloud. For server and cloud databases, you need a network connection. To verify that connection is available, use ping and telnet commands.

With the ping command, you can ensure that the destination computer is reachable from the source computer. Open a command line and type the following command: ping -a <host_IP>, where -a is a command option that resolves addresses to hostnames (if it is possible). If you use hostnames with the ping command, a hostname is resolved to the IP address. For example, ping -a example.com resolves to PING example.com (93.184.216.34).

ping -a <host_IP>

Databases can work locally, on a server, or in the cloud. For server and cloud databases, you need a network connection. To verify that connection is available, use ping and telnet commands.

With the ping command, you can ensure that the destination computer is reachable from the source computer. Open a command line and type the following command: ping -a <host_IP>, where -a is a command option that resolves addresses to hostnames (if it is possible). If you use hostnames with the ping command, a hostname is resolved to the IP address. For example, ping -a example.com resolves to PING example.com (93.184.216.34).

-a

Databases can work locally, on a server, or in the cloud. For server and cloud databases, you need a network connection. To verify that connection is available, use ping and telnet commands.

With the ping command, you can ensure that the destination computer is reachable from the source computer. Open a command line and type the following command: ping -a <host_IP>, where -a is a command option that resolves addresses to hostnames (if it is possible). If you use hostnames with the ping command, a hostname is resolved to the IP address. For example, ping -a example.com resolves to PING example.com (93.184.216.34).

ping - a example.com

Databases can work locally, on a server, or in the cloud. For server and cloud databases, you need a network connection. To verify that connection is available, use ping and telnet commands.

With the ping command, you can ensure that the destination computer is reachable from the source computer. Open a command line and type the following command: ping -a <host_IP>, where -a is a command option that resolves addresses to hostnames (if it is possible). If you use hostnames with the ping command, a hostname is resolved to the IP address. For example, ping -a example.com resolves to PING example.com (93.184.216.34).

PING example.com(93.184 .216 .34)
load more v

Other "postgres-database" queries related to "Unable to connect to SSL Postgres External Database with Debian (Certificate Permission Errors)"