Misunderstanding about automatic certficate setup?

[sacrophyte]

The documentation for SSL certificates says:
"It is still possible to give the certificates to pg_auto_failover and have it handle the setup for you, including the creation of and signing of client certificates for the autoctl_node and pgautofailover_replication users:"
https://pg-auto-failover.readthedocs.io/en/master/security.html#using-your-own-ssl-certificates

I created a monitor:

pg_autoctl create monitor \
 --ssl-ca-file /etc/pki/tls/certs/urblimsdbdev2a/server-chain.crt \
 --server-cert /etc/pki/tls/certs/urblimsdbdev2a/server.crt \
 --server-key /etc/pki/tls/private/urblimsdbdev2a/server.key \
 --ssl-mode verify-full \
 --skip-pg-hba \
 --hostname localhost \
 --pgdata $DB_HOME/monitor \
 --pgport 5433```

I started the monitor. Then I attempted to create a node, but had connection errors:
```pg_autoctl create postgres \
 --ssl-ca-file /etc/pki/tls/certs/urblimsdbdev2a/server-chain.crt \
 --server-cert /etc/pki/tls/certs/urblimsdbdev2a/server.crt \
 --server-key /etc/pki/tls/private/urblimsdbdev2a/server.key \
 --skip-pg-hba \
 --pgdata $DB_HOME/data \
 --pgport 5432 \
 --hostname urblimsdbdev2a \
 --dbname postgres \
 --name dev2a \
 --monitor 'postgres://autoctl_node@urblimsdbdev2a:5433/pg_auto_failover?sslmode=require'```


```09:08:46 1927678 INFO  Using default --ssl-mode "verify-full"
09:08:46 1927678 INFO  Started pg_autoctl postgres service with pid 1927683
09:08:46 1927683 INFO   /usr/pgsql-12/bin/pg_autoctl do service postgres --pgdata /var/lib/pgsql/12/data -v
09:08:46 1927678 INFO  Started pg_autoctl node-init service with pid 1927684
09:08:46 1927684 INFO  Registering Postgres system 6937837120648867222 found at "/var/lib/pgsql/12/data"
09:08:46 1927684 WARN  Failed to connect to "postgres://autoctl_node@urblimsdbdev2a:5433/pg_auto_failover?sslmode=require", retrying until the server is ready
09:08:46 1927684 WARN  Connection to database failed: FATAL:  no pg_hba.conf entry for host "64.22.189.192", user "autoctl_node", database "pg_auto_failover", SSL on
09:08:46 1927684 WARN  Failed to connect after successful ping, please verify authentication and logs on the server at "postgres://autoctl_node@urblimsdbdev2a:5433/pg_auto_failover?sslmode=require"
09:08:46 1927684 WARN  Authentication might have failed on the Postgres server due to missing HBA rules.
^C09:10:05 1927683 INFO  Postgres controller service received signal SIGINT, terminating
09:10:05 1927678 INFO  pg_autoctl received signal SIGINT, terminating
09:10:05 1927684 ERROR Failed to connect to "postgres://autoctl_node@urblimsdbdev2a:5433/pg_auto_failover?sslmode=require" after 84 attempts in 79 seconds, pg_autoctl stops retrying now
09:10:05 1927684 ERROR Failed to open a SQL transaction to register this node
09:10:05 1927684 ERROR Failed to register the existing local Postgres node "urblimsdbdev2a:5432" running at "/var/lib/pgsql/12/data"to the pg_auto_failover monitor at postgres://autoctl_node@urblimsdbdev2a:5433/pg_auto_failover?sslmode=require, see above for details
09:10:05 1927678 INFO  Stop pg_autoctl```

What did I misunderstand about this process?

[sacrophyte]

I also tried removing --skip-pg-hba \, but got the same error

[sacrophyte]

Where are the client certificates that pg_autoctl created?

[DimCitus]

When using the --ssl-ca-file and other options, the file that is given is expected to exist already. That's because you need to arrange for the signature to happen on a setup where the private key is available, and the private root certificate is certainly not something pg_autoctl should ever deal with.

The option that leads to pg_autoctl creating self-signed SSL certificates for you is --ssl-self-signed. That's it.

[DimCitus]

For a full run-down example of how to setup certificate based authentication with pg_auto_failover, you might be interested in using the following unit test as inspiration: https://github.com/citusdata/pg_auto_failover/blob/master/tests/test_ssl_cert.py.

[JelteF]

I think the core takeaway of this issue is that this sentence should be changed in the docs, because it is not true:

It is still possible to give the certificates to pg_auto_failover and have it handle the setup for you, including the creation of and signing of client certificates for the autoctl_node and pgautofailover_replication users.

All certificates should already be created and signed.