
Unable to connect to PostgreSQL with SSL on Django

My Django application is hosted on one server, and my PostgreSQL database on another. I want the communication between the two servers to be forced to go through SSL.

My database configuration in Django's settings.py:

import os

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': os.environ.get("DB_NAME"),
        'USER': os.environ.get("DB_USER"),
        'PASSWORD': os.environ.get("DB_PASS"),
        'HOST': os.environ.get("DB_HOST"),
        'PORT': '5432',
        # libpq TLS settings, passed through to psycopg2.connect()
        'OPTIONS': {
            'sslmode': 'verify-full',
            'sslrootcert': '/home/{user}/.postgresql/default_root.crt',
            'sslcert': '/home/{user}/.postgresql/default.crt',
            'sslkey': '/home/{user}/.postgresql/default.key',
        },
    }
}

My configurations in the pg_hba.conf file:

hostssl {DB_NAME}   {DB_USER}   {DJANGO_SERVER_IP}        md5 clientcert=1

Running python manage.py dbshell --database default throws the following errors:

psql: FATAL:  connection requires a valid client certificate
FATAL:  no pg_hba.conf entry for host "{DB_HOST}", user "{DB_USER}", database "{DB_NAME}", SSL off

The full error traceback:

Traceback (most recent call last):
  File "manage.py", line 20, in <module>
    main()
  File "manage.py", line 16, in main
    execute_from_command_line(sys.argv)
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/__init__.py", line 375, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/base.py", line 323, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/base.py", line 364, in execute
    output = self.handle(*args, **options)
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/commands/dbshell.py", line 22, in handle
    connection.client.runshell()
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/db/backends/postgresql/client.py", line 71, in runshell
    DatabaseClient.runshell_db(self.connection.get_connection_params())
  File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/db/backends/postgresql/client.py", line 61, in runshell_db
    subprocess.check_call(args)
  File "/usr/lib/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['psql', '-U', '{DB_USER}', '-h', '{DB_HOST}', '-p', '5432', '{DB_NAME}']' returned non-zero exit status 2.

However, when I run psycopg2.connect("host={DB_HOST} dbname={DB_NAME} user={DB_USER} password={DB_PASS} sslmode=verify-full sslcert=/home/{user}/.postgresql/default.crt sslkey=/home/{user}/.postgresql/default.key sslrootcert=/home/{user}/.postgresql/default_root.crt") in the Django Python shell, the connection can be established.

Also, openssl verify -CAfile default_root.crt default.crt shows default.crt: OK.

Any help will be greatly appreciated. Thanks in advance!

It seems this bug (for dbshell) was solved 6 months ago: https://code.djangoproject.com/ticket/30370

Can you check your Django version? Maybe it's an older one.

Also, I noticed that in the code tests they used 'verify-ca' for sslmode.
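
The psql command in the traceback above carries no SSL settings, so psql never presents the client certificate. The following is an added example, not code from the original post or from Django: a hypothetical helper, build_psql_invocation, that maps the OPTIONS of a DATABASES entry to the libpq environment variables psql reads (PGSSLMODE, PGSSLROOTCERT, PGSSLCERT, PGSSLKEY) and rejects sslmode values that can fall back to an unencrypted connection. The sample entry, host name and paths are constructed placeholders.

```python
import os

# libpq environment variables that psql reads for its TLS settings.
SSL_OPTION_TO_ENV = {
    "sslmode": "PGSSLMODE",
    "sslrootcert": "PGSSLROOTCERT",
    "sslcert": "PGSSLCERT",
    "sslkey": "PGSSLKEY",
}
# sslmode values that never fall back to an unencrypted connection.
ENFORCING_MODES = {"require", "verify-ca", "verify-full"}


def build_psql_invocation(db, base_env=None):
    """Hypothetical helper: (argv, env) for psql from one DATABASES entry."""
    options = db.get("OPTIONS", {})
    mode = options.get("sslmode")
    if mode not in ENFORCING_MODES:
        raise ValueError(f"sslmode={mode!r} does not force TLS")
    argv = ["psql"]
    for flag, key in (("-U", "USER"), ("-h", "HOST"), ("-p", "PORT")):
        if db.get(key):
            argv += [flag, str(db[key])]
    argv.append(db["NAME"])
    env = dict(os.environ if base_env is None else base_env)
    for option, variable in SSL_OPTION_TO_ENV.items():
        if option in options:
            env[variable] = str(options[option])
    if db.get("PASSWORD"):
        env["PGPASSWORD"] = db["PASSWORD"]  # keeps the password out of argv
    return argv, env


# Constructed sample entry; host, names and paths are placeholders.
SAMPLE_DB = {
    "NAME": "app_db",
    "USER": "app_user",
    "HOST": "db.example.internal",
    "PORT": "5432",
    "OPTIONS": {
        "sslmode": "verify-full",
        "sslrootcert": "/path/to/root.crt",
        "sslcert": "/path/to/client.crt",
        "sslkey": "/path/to/client.key",
    },
}

if __name__ == "__main__":
    argv, env = build_psql_invocation(SAMPLE_DB, base_env={})
    print(argv, {k: v for k, v in env.items() if k.startswith("PGSSL")})
```

On a Django version whose dbshell does not forward these options, the returned pair can be passed to subprocess.call(argv, env=env) to open psql with the same TLS settings the application uses.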
