Issue with SSL support in the official docker image #989

Closed
AndreasMainik opened this issue Aug 22, 2022 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@AndreasMainik

I have an issue with enabling SSL support on the postgres docker image. The host is a Windows 10 machine. The following configuration is used in docker-compose.yml.

version: '3.5'
services:
  postgresserver:
    image: postgres:14.5
    container_name: postgresserver 
    ports:
      - "5432:5432"
    environment:
      POSTGRES_PASSWORD: my_password
      PGPORT: 5432
      command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key -c ssl_ca_file=/var/lib/postgresql/CA.pem -c clientcert=verify-ca
    volumes:
      - "./certs/myCA.pem:/var/lib/postgresql/CA.pem"
      - "./certs/postgresserver.internal.crt:/var/lib/postgresql/server.crt"
      - "./certs/postgresserver.internal.key:/var/lib/postgresql/server.key"
    networks:
      default:
        aliases:
          - postgresserver.internal
  openssl:
    image: shamelesscookie/openssl:1.1.1
    container_name: openssl
    stdin_open: true
    tty: true
   
networks:
  default:
    name: dummy network
    driver: bridge
    ipam:
      config:
        - subnet: 172.177.0.0/16

The files server.crt and server.key contain the server certificate and the private key, signed by my own CA authority whose certificate is in CA.pem.

I have tried to connect using the pre-installed psql-client from Windows PowerShell on host as follows:

& 'C:\Program Files\PostgreSQL\14\bin\psql.exe' "sslmode=require host=localhost port=5432 dbname=test"

This call has produced the following output:

psql: error: connection to server at "localhost" (::1), port 5432 failed: server does not support SSL, but SSL was required

The call without "sslmode=require" switch works like a charm.

I have also tried to use openssl from openssl container as follows:

openssl s_client -starttls postgres -connect postgresserver:5432

This call has produced the following output:

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 1 bytes and written 8 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
@wglambert wglambert transferred this issue from docker-library/docs Aug 22, 2022
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Aug 22, 2022
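The "read 1 bytes and written 8 bytes" in the openssl output is the whole story: the client writes the 8-byte PostgreSQL SSLRequest packet and the server answers with a single byte, 'S' (TLS offered) or 'N' (plaintext only). This added Python example, not code from the issue or the postgres image, sends that packet and decodes the verdict; the server side is a constructed stand-in so it runs offline, and `probe_ssl_support` and `fake_postgres` are names chosen here.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest: int32 length 8, then int32 code 80877103 (1234 << 16 | 5679).
SSL_REQUEST = struct.pack("!ii", 8, 80877103)

def probe_ssl_support(host, port, timeout=5.0):
    """Send SSLRequest and read the one-byte verdict: 'S' means the server will
    start TLS, 'N' means plaintext only. This is the same exchange that
    openssl s_client -starttls postgres performs (8 bytes written, 1 byte read)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")

def fake_postgres(answer):
    """Constructed stand-in for the server's startup phase: accept one connection,
    check the SSLRequest bytes, reply with `answer`, close. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if conn.recv(8) == SSL_REQUEST:
                conn.sendall(answer)
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # 'N' reproduces the issue (ssl=on never reached postgres); 'S' is a server with TLS on.
    for answer in (b"N", b"S"):
        print(answer.decode(), "->", probe_ssl_support("127.0.0.1", fake_postgres(answer)))
```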
@wglambert

Your command: line is indented two spaces too far. I also ran into [42] FATAL: unrecognized configuration parameter "clientcert", so I removed that, and I think the server.pem isn't necessary. Also ensure you have proper permissions on the files: server.crt is chmod 777; server.key is chown 999 and chmod 600.

$ cat docker-compose.yml
version: '3.5'
services:
  postgresserver:
    image: postgres:14.5
    container_name: postgresserver
    ports:
      - "5432:5432"
    environment:
      POSTGRES_PASSWORD: my_password
      PGPORT: 5432
    command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key
    volumes:
      - ./server.crt:/var/lib/postgresql/server.crt
      - ./server.key:/var/lib/postgresql/server.key
$ ls -ln
total 12
-rw-r--r-- 1 1000 1000  444 Aug 22 16:57 docker-compose.yml
-rwxrwxrwx 1    0 1000 1939 Aug 22 16:01 server.crt
-rw------- 1  999  999 3272 Aug 22 16:00 server.key

$ docker-compose up -d
Creating network "postgres_default" with the default driver
Creating postgresserver ... done

$ docker-compose logs | tail -n 10
postgresserver    | server stopped
postgresserver    |
postgresserver    | PostgreSQL init process complete; ready for start up.
postgresserver    |
postgresserver    | 2022-08-22 16:59:21.528 UTC [1] LOG:  starting PostgreSQL 14.5 (Debian 14.5-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
postgresserver    | 2022-08-22 16:59:21.529 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
postgresserver    | 2022-08-22 16:59:21.529 UTC [1] LOG:  listening on IPv6 address "::", port 5432
postgresserver    | 2022-08-22 16:59:21.531 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgresserver    | 2022-08-22 16:59:21.535 UTC [59] LOG:  database system was shut down at 2022-08-22 16:59:21 UTC
postgresserver    | 2022-08-22 16:59:21.541 UTC [1] LOG:  database system is ready to accept connections

$ docker run -it --network=host --rm postgres bash
root@demo:/# psql "sslmode=require host=localhost user=postgres password=my_password"
psql (14.5 (Debian 14.5-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#
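As an added example (not wglambert's or the image's code), a preflight that catches both problems named in the reply before `docker-compose up`: a `command:` key that YAML nesting has turned into an environment variable, and a key file PostgreSQL will refuse to load. It assumes uid 999 for the postgres user in the official image, as the reply does; the compose text is a constructed sample and `demo_key_check` exercises the permission check on a temporary file.

```python
import os
import tempfile

# Constructed sample mirroring the issue: `command:` indented under `environment:`.
BROKEN_COMPOSE = """\
services:
  postgresserver:
    image: postgres:14.5
    environment:
      POSTGRES_PASSWORD: my_password
      command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt
    volumes:
      - ./server.key:/var/lib/postgresql/server.key
"""

def misplaced_command_lines(compose_text):
    """1-based lines where `command:` sits inside `environment:` (an env var to Compose)."""
    bad, env_indent = [], None
    for n, line in enumerate(compose_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip().split(":", 1)[0]
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # back out of the environment: mapping
        if key == "environment":
            env_indent = indent
        elif key == "command" and env_indent is not None:
            bad.append(n)
    return bad
def key_file_problems(path, expected_uid=999):
    """Reasons PostgreSQL rejects ssl_key_file: wrong owner (uid 999 in the image) or mode looser than 0600."""
    st = os.stat(path)
    mode = st.st_mode & 0o777
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} != {expected_uid}; chown {expected_uid} it")
    if mode & 0o077:
        problems.append(f"mode {mode:04o} is group/other accessible; chmod 600 it")
    return problems
def demo_key_check():
    """Constructed demo: problem counts for a temp key at 0644, then at 0600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    loose = len(key_file_problems(path, os.getuid()))
    os.chmod(path, 0o600)
    strict = len(key_file_problems(path, os.getuid()))
    os.remove(path)
    return loose, strict
```

Moving the `command:` line back two spaces (to the depth of `image:`) makes `misplaced_command_lines` return an empty list, which is the fix the reply describes.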

@wglambert

Closing assuming this is resolved
