Postgres HA 備用不使用證書

Question

使用 Postgresql 11.2 進行熱備用設置。 問題是我們需要在身份驗證過程中使用證書。 如果我從備用 postgresql.conf 中注釋掉 ssl/certificate 行，我會得到同樣的錯誤。 所以我不相信備用服務器正在使用我指定的證書來創建與主服務器的連接。 如何告訴 Postgresql 哪些證書用於傳出復制連接？

主 pg_hba.conf：

# PostgreSQL Client Authentication Configuration File
local     all             all                                    md5
host      all             all                   127.0.0.1/32     md5
host      all             user                  fe80::/10        md5
host      all             all                   ::1/128          md5
hostssl   all             user                  ::/0             cert map=cert
hostssl   all             user                  0.0.0.0/0        cert map=cert
hostssl   replication     user                  ::/0             cert map=cert
hostssl   replication     user                  0.0.0.0/0        cert map=cert

主 pg_ident.conf：

cert /^(.*)$ user

主postgresql.conf：

bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode  = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/Server-signed.crt'
ssl_key_file = '/opt/server/config/Server.key'
ssl_ca_file = '/opt/server/config/master.crt'

備用recovery.conf：

standby_mode = 'on'
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require'
restore_command = 'cp /opt/pgsql/data/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /opt/pgsql/data/archive %r'

備用 postgresql.conf：

bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode  = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/7/client-7-signed.crt'
ssl_key_file = '/opt/server/config/7/client-7.key'
ssl_ca_file = '/opt/server/config/7/master.crt'

主output：

2019-11-15 12:23:15.784 CST [28044] LOG:  database system is ready to accept connections
2019-11-15 12:23:21.650 CST [28068] FATAL:  connection requires a valid client certificate
2019-11-15 12:23:21.670 CST [28069] FATAL:  connection requires a valid client certificate

備用 Output：

2019-11-15 12:23:21.630 CST [7571] LOG:  database system is ready to accept read only connections
2019-11-15 12:23:21.644 CST [7577] FATAL:  could not connect to the primary server: FATAL:  connection requires a valid client certificate
cp: cannot stat ‘/opt/pgsql/data/archive/000000010000000000000001’: No such file or directory
2019-11-15 12:23:21.664 CST [7579] FATAL:  could not connect to the primary server: FATAL:  connection requires a valid client certificate

注意：我編輯了日志/配置文件以刪除敏感路徑/urls/用戶名

Answer 1

您在備用服務器的 postgresql.conf 中指定的證書用於備用服務器接收的連接，而不是它建立的連接。

當備用服務器作為客戶端連接到主服務器時，它使用它在~/.postgresql/或%APPDATA%\postgresql\中找到的內容，除非您覆蓋連接字符串中的這些設置（如 Brinnis 建議的那樣）或通過環境變量。 當然這里的“~”是指運行PostgreSQL備用服務器的用戶的主目錄，通常是名為“postgres”的用戶。

Answer 2

您在 Standbys recovery.conf 的 primary_conninfo 中設置這些值。

我的現在看起來像這樣：

primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require sslcert=/opt/server/config/7/client-7-signed.crt sslkey=/opt/server/config/7/client-7.key sslrootcert=/opt/server/config/7/master.crt'

所有可以在 primary_conninfo 中的 go 的值都記錄在這里： https://www.postgresql.org/docs/9.4/libpq-connect