TLS server config seems to be ignored

[jalberto]

Using:

SERVER_TLS_SSLMODE=require

I can see in the logs the generated ini file:

[databases]
* = host=host port=5432 user=user password=pw

[pgbouncer]
# Generic settings
listen_addr = 0.0.0.0
auth_type = any
ignore_startup_parameters = extra_float_digits

# Log settings
admin_users = postgres

# Connection sanity checks, timeouts

# TLS settings
server_tls_sslmode = prefer

# Dangerous timeouts
################## end file ##################

But when trying to connect:

login attempt: db=db user=uder tls=no
new connection to server (from 172.17.0.3:45586)
WARNING TLS handshake error: handshake failed: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error
closing because: server conn crashed? (age=0)

Notice: tls=no

Is it possible the image is missing some ssl lib?

[brainsam]

Hi, Jose!
First of all, it looks like you typed SERVER_TLS_SSLMODE=prefer to get that pgbouncer.ini
Did you read this issue #105?

[brainsam]

to tell the truth, I haven't tested tls settings before, will try to reproduce and fix this near days

[jalberto]

Hi @brainsam

Yes you are right, I mean prefer, but I tried with require too.

That issue you mention seems to be related to client SSL not server SSL, also they are talking about connection using certificates (verify mode) with require/prefer/allow the cert is not checked against a local cert, just use a SSL connection.

Thank for your help!

[edevil]

I have the same problem. Has a solution been found?

[arsa666]

has this issue been solved? I have same problem.