
List:       postgresql-general
Subject:    Re: "Failed to connect to Postgres database" : No usage specified for certificate (update)
From:       Marco Ippolito <ippolito.marco () gmail ! com>
Date:       2019-09-30 16:21:56
Message-ID: CAFegzBSO1mRbm7OACt=5GX_BtAaGMnQRgMpdduik0HJuErq6Rw () mail ! gmail ! com

Hi Adrian,
important update.

After adding this to fabric-ca-server-config.yaml:

ca:
  # Name of this CA
  name: fabric_ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile: /etc/ssl/private/fabric_ca.key
  # Certificate file (default: ca-cert.pem)
  certfile: /etc/ssl/certs/fabric_ca.pem
  # Chain file
  chainfile:

Now I get this message:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 18:10:41 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 18:10:41 [INFO] Server Version: 1.4.4
2019/09/30 18:10:41 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 18:10:41 [INFO] The CA key and certificate files already exist
2019/09/30 18:10:41 [INFO] Key file location: /etc/ssl/private/fabric_ca.key
2019/09/30 18:10:41 [INFO] Certificate file location: /etc/ssl/certs/fabric_ca.pem
2019/09/30 18:10:41 [FATAL] Initialization failure: Validation of certificate and key failed: Invalid certificate in file '/etc/ssl/certs/fabric_ca.pem': No usage specified for certificate

This is the start of /etc/ssl/certs/fabric_ca.pem:

-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIUCm243lybs0PNfAEdgbuw0chmjWkwDQYJKoZIhvcNAQEL

and this is its end:
xNItFJulgsA1
-----END CERTIFICATE-----

What does "No usage specified for certificate" mean?


On Mon, 30 Sep 2019 at 18:01 Marco Ippolito <ippolito.marco@gmail.com> wrote:

> Following the indications found here:
> https://joelonsql.com/2013/04/27/securing-postgresql-using-hostssl-cert-clientcert1/
> I created and modified these files:
> CA:
>
> root@pc:/home/marco# ls -lah /etc/ssl/private/fabric_ca.key
> -rw-r----- 1 root ssl-cert 1.8K Sep 30 14:50 /etc/ssl/private/fabric_ca.key
>
> (base) marco@pc:~$ ls -lah /usr/local/share/ca-certificates/fabric_ca.crt
> -rw-r--r-- 1 root root 1.3K Sep 30 15:43
> /usr/local/share/ca-certificates/fabric_ca.crt
>
> (base) marco@pc:~$ ls -lah /etc/ssl/certs/fabric_ca.pem
> lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem ->
> /usr/local/share/ca-certificates/fabric_ca.crt
> (base) marco@pc:~$
>
> PostgreSQL-Server:
>
> (base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.key
> -r-------- 1 postgres postgres 1.7K Sep 30 16:05
> /var/lib/postgresql/11/fabmnet/server.key
>
> (base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.crt
> -rw-r--r-- 1 postgres postgres 1.2K Sep 30 16:34
> /var/lib/postgresql/11/fabmnet/server.crt
>
> (base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/root.crt
> -rw------- 1 postgres postgres 1.4K Sep 30 13:39
> /var/lib/postgresql/11/fabmnet/root.crt
>
> (base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca.crt
> -rw-r--r-- 1 root root 1302 Sep 30 15:43
> /usr/local/share/ca-certificates/fabric_ca.crt
>
> (base) marco@pc:~$ ls -ltr
> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
> -rw------- 1 root root 1354 Sep 30 17:12
> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
>
> (base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca.pem
> lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem ->
> /usr/local/share/ca-certificates/fabric_ca.crt
>
> (base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca_postgresql.pem
> lrwxrwxrwx 1 root root 57 Sep 30 17:12
> /etc/ssl/certs/fabric_ca_postgresql.pem ->
> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
>
>
> I set /etc/postgresql/11/fabmnet/pg_hba.conf  in this way:
>
>
> # Database administrative login by Unix domain socket
> local   all             postgres                                peer
>
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>
> # "local" is for Unix domain socket connections only
> local   all             all                                     peer
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            md5
>
> # Allow connections from localhost only to fabmnet_ca for postgres user clientcert
> hostssl fabmnet_ca      +ssl_fabric_ca_certusers        192.168.1.0/24          cert    clientcert=1
>
> # IPv6 local connections:
> host    all             all             ::1/128                 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local   replication     all                                     peer
> host    replication     all             127.0.0.1/32            md5
> host    replication     all             ::1/128                 md5
>
> PostgreSQL-client  :
>
> (base) marco@pc:~$ ls -ltr ~/.postgresql/root.crt
> -rw------- 1 postgres postgres 1354 Sep 30 17:22
> /home/marco/.postgresql/root.crt
>
> (base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.key
> -r-------- 1 postgres postgres 887 Sep 30 17:23
> /home/marco/.postgresql/postgresql.key
>
> (base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.crt
> -rw-r--r-- 1 postgres postgres 1001 Sep 30 17:25
> /home/marco/.postgresql/postgresql.crt
>
> If I put in fabric-ca-server-config.yaml:
>
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
>   tls:
>       enabled: true
>       certfiles:
>       client:
>         certfile: /var/lib/postgresql/11/fabmnet/server.crt
>         keyfile: /var/lib/postgresql/11/fabmnet/server.key
>
>
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/30 17:54:02 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/30 17:54:02 [INFO] Server Version: 1.4.4
> 2019/09/30 17:54:02 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/30 17:54:02 [INFO] The CA key and certificate already exist
> 2019/09/30 17:54:02 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/30 17:54:02 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/30 17:54:02 [ERROR] Error occurred initializing database: No
> trusted root certificates for TLS were provided
> 2019/09/30 17:54:02 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/30 17:54:02 [INFO] Initialization was successful
>
> If I put in fabric-ca-server-config.yaml:
>
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
>   tls:
>       enabled: false
>       certfiles:
>       client:
>         certfile:
>         keyfile:
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/30 17:56:22 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/30 17:56:22 [INFO] Server Version: 1.4.4
> 2019/09/30 17:56:22 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/30 17:56:22 [INFO] The CA key and certificate already exist
> 2019/09/30 17:56:22 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/30 17:56:22 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/30 17:56:22 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/30 17:56:22 [WARNING] Failed to connect to database 'postgres'
> 2019/09/30 17:56:22 [WARNING] Failed to connect to database 'template1'
> 2019/09/30 17:56:22 [ERROR] Error occurred initializing database: Failed
> to connect to Postgres database. Postgres requires connecting to a specific
> database, the following databases were tried: [fabmnet_ca postgres
> template1]. Please create one of these database before continuing
> 2019/09/30 17:56:22 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/30 17:56:22 [INFO] Initialization was successful
>
> /var/log/postgresql/postgresql-11-fabmnet.log  :
>
> 2019-09-30 17:56:22.760 CEST [10651] [unknown]@[unknown] LOG:  incomplete
> startup packet
> 2019-09-30 17:56:22.760 CEST [10650] [unknown]@[unknown] LOG:  incomplete
> startup packet
> 2019-09-30 17:56:22.760 CEST [10649] [unknown]@[unknown] LOG:  incomplete
> startup packet
>
> What could it mean?
>
> Marco
>
> On Sat, 28 Sep 2019 at 23:49 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
>
>> On 9/28/19 12:07 AM, Marco Ippolito wrote:
>> > Hi Adrian,
>> >
>> > On Fri, 27 Sep 2019 at 21:39 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
>> >
>> >     On 9/27/19 11:02 AM, Marco Ippolito wrote:
>> >      > Thank you very much Adrian.
>> >      > Two things:
>> >      >
>> >      > 1)
>> >      > Why, if I just specify the cluster through the port and the host
>> >      > connection, do I connect correctly with SSL, but if I also specify
>> >      > the database and the user, it doesn't use an SSL connection, or at
>> >      > least it doesn't say it uses SSL? :
>> >
>> >
>> >     Can you show the contents of  pg_hba.conf file for the 11/fabmnet
>> >     cluster. The file will be in:
>> >
>> >     /etc/postgresql/11/fabmnet/
>> >
>> >
>> >
>> >
>> > /etc/postgresql/11/fabmnet/pg_hba.conf  :
>> >
>> > # Database administrative login by Unix domain socket
>> > local   all             postgres                                peer
>> >
>> > # TYPE  DATABASE        USER            ADDRESS                 METHOD
>> >
>> > # "local" is for Unix domain socket connections only
>> > local   all             all                                     peer
>> > # IPv4 local connections:
>> > host    all             all             127.0.0.1/32            md5
>> >
>> > # Allow connections from localhost only to fabmnet_ca for postgres user
>> > hostssl fabmnet_ca      postgres        localhost               cert
>> >
>> > # IPv6 local connections:
>> > host    all             all             ::1/128                 md5
>> > # Allow replication connections from localhost, by a user with the
>> > # replication privilege.
>> > local   replication     all                                     peer
>> > host    replication     all             127.0.0.1/32            md5
>> > host    replication     all             ::1/128                 md5
>> >
>>
>> > fabric-ca-server-config.yaml : sslmode=require
>> > db:
>> >    type: postgres
>> >    datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
>> >    tls:
>> >        enabled: false
>> >        certfiles:
>> >        client:
>> >          certfile:
>> >          keyfile:
>>
>> You are not including the certs or setting tls.enabled: true. Not sure
>> that is the root cause at the moment.
>>
>> I would try just going through psql for the time being to take the
>> fabric server out of the loop. Something like:
>>
>> psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres
>> sslmode=require"
>>
>> From below I am guessing you do not have the SSL certs set up properly
>> for the fabmnet Postgres instance (the one on port 5433) and/or on the
>> client. Take a look at:
>>
>> https://www.postgresql.org/docs/11/libpq-ssl.html
>>
>> >
>> >
>> > (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b
>> admin:adminpw
>> > 2019/09/28 09:00:08 [INFO] Configuration file location:
>> > /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
>> > 2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
>> > 2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1
>> > Certificate:1 Credential:1 RAInfo:1 Nonce:1}
>> > 2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
>> > 2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
>> > 2019/09/28 09:00:08 [INFO] The certificate is at:
>> > /home/marco/fabric/fabric-ca/ca-cert.pem
>> > 2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
>> > 2019/09/28 09:00:08 [ERROR] Error occurred initializing database:
>> Failed
>> > to create Postgres tables: Error creating users table: pq: client
>> > certificates can only be checked if a root certificate store is
>> available
>> > 2019/09/28 09:00:08 [INFO] Home directory for default CA:
>> > /home/marco/fabric/fabric-ca
>> > 2019/09/28 09:00:08 [INFO] Initialization was successful
>> >
>> >
>> > /var/log/postgresql/postgresql-11-fabmnet.log  :
>> >
>> > 2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client
>> > certificates can only be checked if a root certificate store is
>> available
>> > 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database
>> > "fabmnet_ca" already exists
>> > 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:
>>  CREATE
>> > DATABASE fabmnet_ca
>> > 2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client
>> > certificates can only be checked if a root certificate store is
>> available
>> > 2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not
>> > receive data from client: Connection reset by peer
>> >
>>
>>
>> --
>> Adrian Klaver
>> adrian.klaver@aklaver.com
>>
>
