[英]Postgres HA standby not using certificate
使用 Postgresql 11.2 進行熱備用設置。 問題是我們需要在身份驗證過程中使用證書。 如果我從備用 postgresql.conf 中注釋掉 ssl/certificate 行,我會得到同樣的錯誤。 所以我不相信備用服務器正在使用我指定的證書來創建與主服務器的連接。 如何告訴 Postgresql 哪些證書用於傳出復制連接?
主 pg_hba.conf:
# PostgreSQL Client Authentication Configuration File
local all all md5
host all all 127.0.0.1/32 md5
host all user fe80::/10 md5
host all all ::1/128 md5
hostssl all user ::/0 cert map=cert
hostssl all user 0.0.0.0/0 cert map=cert
hostssl replication user ::/0 cert map=cert
hostssl replication user 0.0.0.0/0 cert map=cert
主 pg_ident.conf:
cert /^(.*)$ user
主postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/Server-signed.crt'
ssl_key_file = '/opt/server/config/Server.key'
ssl_ca_file = '/opt/server/config/master.crt'
備用recovery.conf:
standby_mode = 'on'
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require'
restore_command = 'cp /opt/pgsql/data/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /opt/pgsql/data/archive %r'
備用 postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/7/client-7-signed.crt'
ssl_key_file = '/opt/server/config/7/client-7.key'
ssl_ca_file = '/opt/server/config/7/master.crt'
主output:
2019-11-15 12:23:15.784 CST [28044] LOG: database system is ready to accept connections
2019-11-15 12:23:21.650 CST [28068] FATAL: connection requires a valid client certificate
2019-11-15 12:23:21.670 CST [28069] FATAL: connection requires a valid client certificate
備用 Output:
2019-11-15 12:23:21.630 CST [7571] LOG: database system is ready to accept read only connections
2019-11-15 12:23:21.644 CST [7577] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
cp: cannot stat ‘/opt/pgsql/data/archive/000000010000000000000001’: No such file or directory
2019-11-15 12:23:21.664 CST [7579] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
注意:我編輯了日志/配置文件以刪除敏感路徑/urls/用戶名
您在備用服務器的 postgresql.conf 中指定的證書用於備用服務器接收的連接,而不是它建立的連接。
當備用服務器作為客戶端連接到主服務器時,它使用它在~/.postgresql/
或%APPDATA%\postgresql\
中找到的內容,除非您覆蓋連接字符串中的這些設置(如 Brinnis 建議的那樣)或通過環境變量。 當然這里的“~”是指運行PostgreSQL備用服務器的用戶的主目錄,通常是名為“postgres”的用戶。
您在 Standbys recovery.conf 的 primary_conninfo 中設置這些值。
我的現在看起來像這樣:
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require sslcert=/opt/server/config/7/client-7-signed.crt sslkey=/opt/server/config/7/client-7.key sslrootcert=/opt/server/config/7/master.crt'
所有可以在 primary_conninfo 中的 go 的值都記錄在這里: https://www.postgresql.org/docs/9.4/libpq-connect
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.