Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to use pgcli service={service} #1474

Open
fmerinocasallo opened this issue Aug 6, 2024 · 0 comments
Open

Unable to use pgcli service={service} #1474

fmerinocasallo opened this issue Aug 6, 2024 · 0 comments

Comments

@fmerinocasallo
Copy link

Description

I am running a PostgreSQL server in a Docker container and using Secure TCP/IP Connections with SSL.

In my postgresql.conf file, I include the following lines:

ssl = on
ssl_ca_file = '/run/secrets/ca.crt'
ssl_cert_file = '/run/secrets/server.crt'
ssl_key_file = '/run/secrets/server.key'
# This setting is on by default but it’s always a good idea to
# be explicit when it comes to security.
ssl_prefer_server_ciphers = on
# TLS 1.3 will give the strongest security and is advised when
# controlling both server and clients.
ssl_min_protocol_version = 'TLSv1.3'

I have a .pg_service.conf file where I define a service named {service}:

[{service}]
host={host}
port={port}
user={user}
dbname={dbname}
sslmode=verify-full
sslrootcert=/path/to/ca.crt
sslcert=/path/to/user.crt
sslkey=/path/to/user.key

The command psql service={service} prompts for the password of the user included in the service definition and successfully connects to the specified database afterwards.

However, the command pgcli service={service} returns the following error message:

connection failed: FATAL:  connection requires a valid client certificate
connection to server at "{host}", port {port} failed: FATAL:  no pg_hba.conf entry for host "{host}", user "{user}", database "{dbname}", no encryption

In the PostgreSQL server logs I see the following entries:

postgres  | 2024-08-06 10:50:35.387 GMT [117]: [1-1] user={user},db={dbname} FATAL:  connection requires a valid client certificate
postgres  | 2024-08-06 10:50:35.390 GMT [118]: [1-1] user={user},db={dbname} FATAL:  no pg_hba.conf entry for host "{host}", user "{user}", database "{dbname}", no encryption

Note that the pg_hba.conf I am using contains the following line:

hostssl {dbname}     {user} {host}/32   scram-sha-256   clientcert=verify-full

Surprisingly, the command pgcli "postgresql://{user}@{host}/{dbname}?port={port}&sslmode=verify-full&sslkey=/path/to/user.key&sslcert=/path/to/user.crt&sslrootcert=/path/to/ca.crt" successfully connects to the specified database after prompting for the user password. Same thing happens if I replace pgcli with psql.

Note that in the .pg_service.conf file I am using the very same paths to the user.key, user.crt, and ca.crt files.

Your environment

  • Debian 12 (bookworm)
  • pgcli 4.1.0 - python 3.12.4 (installed with conda/mamba).
  • Packages included in my conda/mamba env include, among other packages:
    • ca-certificates 2024.7.4-hbcca054_0
    • certifi 2024.7.4-pyhd8ed1ab_0
    • openssl 3.3.1-h4bc722e_2
    • postgresql 16.3-h8e811e2_0
@fmerinocasallo fmerinocasallo changed the title Unable to use pgcli service={service}. Unable to use pgcli service={service} Aug 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fmerinocasallo