[英]Unable to connect to PostgreSQL with SSL on Django
My Django application is hosted on one server, and my PostgreSQL database on another.我的 Django 应用程序托管在一台服务器上,而我的 PostgreSQL 数据库托管在另一台服务器上。 I want the communication between the two servers to be forced to go through SSL.
我希望两台服务器之间的通信通过 SSL 强制到 go。
My database configuration in Django's settings.py
:我在 Django 的
settings.py
中的数据库配置:
'default': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': os.environ.get("DB_NAME"),
'USER': os.environ.get("DB_USER"),
'PASSWORD': os.environ.get("DB_PASS"),
'HOST': os.environ.get("DB_HOST"),
'PORT': '5432',
'OPTIONS': {
'sslmode': 'verify-full',
'sslrootcert': '/home/{user}/.postgresql/default_root.crt',
'sslcert': '/home/{user}/.postgresql/default.crt',
'sslkey': '/home/{user}/.postgresql/default.key',
},
}
My configurations in the pg_hba.conf
file:我在
pg_hba.conf
文件中的配置:
hostssl {DB_NAME} {DB_USER} {DJANGO_SERVER_IP} md5 clientcert=1
Running python manage.py dbshell --database default
throws the following errors:运行
python manage.py dbshell --database default
会抛出以下错误:
psql: FATAL: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "{DB_HOST}", user "{DB_USER}", database "{DB_NAME}", SSL off
The full error traceback:完整的错误回溯:
Traceback (most recent call last):
File "manage.py", line 20, in <module>
main()
File "manage.py", line 16, in main
execute_from_command_line(sys.argv)
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
utility.execute()
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/__init__.py", line 375, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/base.py", line 323, in run_from_argv
self.execute(*args, **cmd_options)
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/base.py", line 364, in execute
output = self.handle(*args, **options)
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/core/management/commands/dbshell.py", line 22, in handle
connection.client.runshell()
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/db/backends/postgresql/client.py", line 71, in runshell
DatabaseClient.runshell_db(self.connection.get_connection_params())
File "/home/{user}/.virtualenvs/{project_name}/lib/python3.6/site-packages/django/db/backends/postgresql/client.py", line 61, in runshell_db
subprocess.check_call(args)
File "/usr/lib/python3.6/subprocess.py", line 311, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['psql', '-U', '{DB_USER}', '-h', '{DB_HOST}', '-p', '5432', '{DB_NAME}']' returned non-zero exit status 2.
However, when I run psycopg2.connect("host={DB_HOST} dbname={DB_NAME} user={DB_USER} password={DB_PASS} sslmode=verify-full sslcert=/home/{user}/.postgresql/default.crt sslkey=/home/{user}/.postgresql/default.key sslrootcert=/home/{user}/.postgresql/default_root.crt")
in the Django python shell, connection can be established.但是,当我运行
psycopg2.connect("host={DB_HOST} dbname={DB_NAME} user={DB_USER} password={DB_PASS} sslmode=verify-full sslcert=/home/{user}/.postgresql/default.crt sslkey=/home/{user}/.postgresql/default.key sslrootcert=/home/{user}/.postgresql/default_root.crt")
在 Django python Z2591C98B70119FE6E948 可以建立连接。
Also, openssl verify -CAfile default_root.crt default.crt
shows default.crt: OK
.此外,
openssl verify -CAfile default_root.crt default.crt
显示default.crt: OK
。
Any help will be greatly appreciated.任何帮助将不胜感激。 Thanks in advance!
提前致谢!
it seems this bug (for dbshell) solved 6 months ago, https://code.djangoproject.com/ticket/30370看来这个错误(对于 dbshell)在 6 个月前解决了, https://code.djangoproject.com/ticket/30370
can you check your django version, maybe it's older one你能检查一下你的 django 版本吗,可能是旧版本
also i noticed that, in code tests they used 'verify-ca' for sslmode我还注意到,在代码测试中,他们对 sslmode 使用了“verify-ca”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.