Postgres HA standby 不使用证书
Postgres HA standby not using certificate
使用 Postgresql 11.2 进行热备份设置。问题是我们需要使用证书作为身份验证过程的一部分。如果我从备用 postgresql.conf 注释掉 ssl/certificate 行,我会得到同样的错误。所以我不相信备用服务器正在使用我指定的证书来创建与主服务器的连接。我如何告诉 Postgresql 哪些证书用于传出复制连接?
硕士pg_hba.conf:
# PostgreSQL Client Authentication Configuration File
local all all md5
host all all 127.0.0.1/32 md5
host all user fe80::/10 md5
host all all ::1/128 md5
hostssl all user ::/0 cert map=cert
hostssl all user 0.0.0.0/0 cert map=cert
hostssl replication user ::/0 cert map=cert
hostssl replication user 0.0.0.0/0 cert map=cert
硕士pg_ident.conf:
cert /^(.*)$ user
硕士postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/Server-signed.crt'
ssl_key_file = '/opt/server/config/Server.key'
ssl_ca_file = '/opt/server/config/master.crt'
待机recovery.conf:
standby_mode = 'on'
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require'
restore_command = 'cp /opt/pgsql/data/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /opt/pgsql/data/archive %r'
待机postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/7/client-7-signed.crt'
ssl_key_file = '/opt/server/config/7/client-7.key'
ssl_ca_file = '/opt/server/config/7/master.crt'
主输出:
2019-11-15 12:23:15.784 CST [28044] LOG: database system is ready to accept connections
2019-11-15 12:23:21.650 CST [28068] FATAL: connection requires a valid client certificate
2019-11-15 12:23:21.670 CST [28069] FATAL: connection requires a valid client certificate
待机输出:
2019-11-15 12:23:21.630 CST [7571] LOG: database system is ready to accept read only connections
2019-11-15 12:23:21.644 CST [7577] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
cp: cannot stat ‘/opt/pgsql/data/archive/000000010000000000000001’: No such file or directory
2019-11-15 12:23:21.664 CST [7579] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
注意:我编辑了 logs/config 个文件以删除敏感 paths/urls/usernames
您在备用 recovery.conf 中的 primary_conninfo 中设置了这些值。
我的现在看起来像这样:
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require sslcert=/opt/server/config/7/client-7-signed.crt sslkey=/opt/server/config/7/client-7.key sslrootcert=/opt/server/config/7/master.crt'
所有可以进入 primary_conninfo 的值都记录在此处:
https://www.postgresql.org/docs/9.4/libpq-connect.html#LIBPQ-CONNSTRING
您在备用数据库 postgresql.conf 中指定的证书用于备用数据库 接收 的连接,而不用于它 建立的连接 .
当备用服务器作为 client 连接到主服务器时,它将使用它在 ~/.postgresql/ 或 %APPDATA%\postgresql\ 中找到的内容,除非您在连接字符串中覆盖这些设置(如 Brinnis 建议的那样)或通过环境变量。当然这里的'~'指的是运行PostgreSQL备用服务器用户的家目录,通常是'postgres'.
的用户
使用 Postgresql 11.2 进行热备份设置。问题是我们需要使用证书作为身份验证过程的一部分。如果我从备用 postgresql.conf 注释掉 ssl/certificate 行,我会得到同样的错误。所以我不相信备用服务器正在使用我指定的证书来创建与主服务器的连接。我如何告诉 Postgresql 哪些证书用于传出复制连接?
硕士pg_hba.conf:
# PostgreSQL Client Authentication Configuration File
local all all md5
host all all 127.0.0.1/32 md5
host all user fe80::/10 md5
host all all ::1/128 md5
hostssl all user ::/0 cert map=cert
hostssl all user 0.0.0.0/0 cert map=cert
hostssl replication user ::/0 cert map=cert
hostssl replication user 0.0.0.0/0 cert map=cert
硕士pg_ident.conf:
cert /^(.*)$ user
硕士postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/Server-signed.crt'
ssl_key_file = '/opt/server/config/Server.key'
ssl_ca_file = '/opt/server/config/master.crt'
待机recovery.conf:
standby_mode = 'on'
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require'
restore_command = 'cp /opt/pgsql/data/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /opt/pgsql/data/archive %r'
待机postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/7/client-7-signed.crt'
ssl_key_file = '/opt/server/config/7/client-7.key'
ssl_ca_file = '/opt/server/config/7/master.crt'
主输出:
2019-11-15 12:23:15.784 CST [28044] LOG: database system is ready to accept connections
2019-11-15 12:23:21.650 CST [28068] FATAL: connection requires a valid client certificate
2019-11-15 12:23:21.670 CST [28069] FATAL: connection requires a valid client certificate
待机输出:
2019-11-15 12:23:21.630 CST [7571] LOG: database system is ready to accept read only connections
2019-11-15 12:23:21.644 CST [7577] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
cp: cannot stat ‘/opt/pgsql/data/archive/000000010000000000000001’: No such file or directory
2019-11-15 12:23:21.664 CST [7579] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
注意:我编辑了 logs/config 个文件以删除敏感 paths/urls/usernames
您在备用 recovery.conf 中的 primary_conninfo 中设置了这些值。
我的现在看起来像这样:
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require sslcert=/opt/server/config/7/client-7-signed.crt sslkey=/opt/server/config/7/client-7.key sslrootcert=/opt/server/config/7/master.crt'
所有可以进入 primary_conninfo 的值都记录在此处: https://www.postgresql.org/docs/9.4/libpq-connect.html#LIBPQ-CONNSTRING
您在备用数据库 postgresql.conf 中指定的证书用于备用数据库 接收 的连接,而不用于它 建立的连接 .
当备用服务器作为 client 连接到主服务器时,它将使用它在 ~/.postgresql/ 或 %APPDATA%\postgresql\ 中找到的内容,除非您在连接字符串中覆盖这些设置(如 Brinnis 建议的那样)或通过环境变量。当然这里的'~'指的是运行PostgreSQL备用服务器用户的家目录,通常是'postgres'.