The ticket: https://tickets.puppetlabs.com/browse/PDB-765

I leave the documentation pull for people more fluent than me in English.

On 17 Jul 2014 at 16:01, Ken Barber <[email protected]> wrote:

> Aah well done :-).
>
> Perhaps you can create a ticket with these details in it, that way it
> will be preserved for other users and we can later find some time to
> extend the current docs:
>
> https://tickets.puppetlabs.com/browse/PDB
>
> Of course you can always raise a pull request with the doc changes
> yourself, if that's possible it would be greatly appreciated :-).
>
> https://github.com/puppetlabs/puppetdb/blob/master/documentation/postgres_ssl.markdown
>
> ken.
>
> On Thu, Jul 17, 2014 at 12:03 PM, Fabrice Bacchella
> <[email protected]> wrote:
>> I got it!
>>
>> I did it using the Java way (with a standard JKS).
>>
>> First create a JKS with the private key for your account and put in it all
>> the needed certificates in the chain (both server and user). The CN for the user
>> certificate should match the username used later.
>>
>> Add to your JVM args:
>> -Djavax.net.ssl.trustStore=.../puppetdb.jks
>> -Djavax.net.ssl.trustStorePassword=<JKS password>
>> -Djavax.net.ssl.keyStore=.../puppetdb.jks
>> -Djavax.net.ssl.keyStorePassword=<JKS password>
>>
>> In case of problems, "-Djavax.net.debug=ssl,defaultctx" might help.
>>
>> My database.ini is:
>> [database]
>> classname = org.postgresql.Driver
>> subprotocol = postgresql
>> subname = //localhost:5432/puppetdb?ssl=true
>> log-slow-statements = 10
>> username = puppetdb
>>
>> In pg_hba.conf, I added:
>> hostssl all all 0.0.0.0/0 cert clientcert=1
>>
>> And in postgresql.conf:
>> ssl = on
>> ssl_cert_file = 'server.crt'
>> ssl_key_file = 'server.key'
>> ssl_ca_file = 'root.crt'
>>
>> The file root.crt contains all the needed certificates (both client and
>> server).
>> The file server.crt contains only the server certificate.
>> The file server.key contains the private key.
>>
>> Those 3 files are stored as PEM files.
>>
>> org.postgresql.ssl.LibPQFactory is used if you want to mimic the psql client
>> configuration and use PEM files instead of JKS, and it takes the same
>> arguments; some documentation can be found at:
>> http://www.postgresql.org/docs/8.4/static/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
>>
>>
>> On 16 Jul 2014 at 17:05, Ken Barber <[email protected]> wrote:
>>
>>> I wrote that document, at the time client based certificates weren't
>>> really supported or something like that.
>>>
>>> Specifically not supporting client auth is hinted in the JDBC driver
>>> details here: http://jdbc.postgresql.org/documentation/head/ssl-factory.html
>>>
>>> I seem to recall there being a problem with the current default
>>> SslFactory not allowing this kind of thing easily, but there is an
>>> alternate factory one can possibly use:
>>>
>>> https://github.com/pgjdbc/pgjdbc/blob/master/org/postgresql/ssl/jdbc4/LibPQFactory.java
>>>
>>> Sorry, the main documentation page doesn't contain details of this
>>> class, it's fairly unknown to most people - I had to go digging for it
>>> in source to find it.
>>>
>>> This should in theory allow one to provide parameters in the JDBC url
>>> to provide a client certificate, but I've never seen it working yet
>>> (and we may not even ship a version of the jdbc driver that has this
>>> class :-).
>>>
>>> The parameters gleaned from the source are:
>>>
>>> sslmode,sslcert,sslkey,sslrootcert,sslhostnameverifier,sslpasswordcallback,sslpassword
>>>
>>> So you could construct something like:
>>>
>>> [database]
>>> classname = org.postgresql.Driver
>>> subprotocol = postgresql
>>> subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=<whatever>&sslcert=<whatever>
>>> ... etc ...
>>> username = <USERNAME>
>>> password = <PASSWORD>
>>>
>>> But the details are something I'm not across sorry, you'll have to
>>> experiment on your own :-). Respond if you need more help, or if you
>>> make more progress.
>>>
>>> ken.
>>>
>>> On Wed, Jul 16, 2014 at 3:40 PM, Fabrice Bacchella
>>> <[email protected]> wrote:
>>>> I'm trying to authenticate a puppetdb on a postgresql server using a
>>>> client certificate.
>>>>
>>>> I managed to set up SSL on server side without any problem but
>>>> http://docs.puppetlabs.com/puppetdb/2.1/postgres_ssl.html says:
>>>> Note: At this point the documentation below only covers server-based SSL,
>>>> client certificate support is not documented.
>>>>
>>>> So did someone with a better knowledge of the postgresql jdbc connector
>>>> try this and succeed?
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Puppet Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/puppet-users/1082A318-AA8C-4C47-BAE9-4A980DD1D4D6%40spamcop.net.
>>>> For more options, visit https://groups.google.com/d/optout.
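The pg_hba.conf line in the thread (hostssl all all 0.0.0.0/0 cert clientcert=1) does require a client certificate, but it also matches every database, every role and every source address, although PuppetDB only ever connects to localhost as the puppetdb user. The checker below is an added example, not code from the thread or from PuppetDB; it parses pg_hba.conf rules (assuming CIDR-style addresses with no separate netmask column) and reports which ones are looser than that setup needs.

```python
# Added example (not from the thread or PuppetDB): parse pg_hba.conf rules and
# flag ones that do not enforce client certificates or are broader than needed.
from dataclasses import dataclass, field

@dataclass
class HbaRule:
    conn_type: str  # local | host | hostssl | hostnossl
    database: str
    user: str
    address: str    # CIDR, or '' for local (Unix-socket) rules
    method: str     # trust, md5, cert, ...
    options: dict = field(default_factory=dict)

def parse_pg_hba(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        n = 4 if f[0] == "local" else 5     # local rules have no ADDRESS column
        address = "" if f[0] == "local" else f[3]
        options = dict(o.split("=", 1) for o in f[n:])
        rules.append(HbaRule(f[0], f[1], f[2], address, f[n - 1], options))
    return rules

def audit(rules: list) -> list:
    findings = []  # one string per weakness; empty means every rule is tight
    for r in rules:
        where = " ".join(x for x in (r.conn_type, r.database, r.user, r.address) if x)
        if r.conn_type == "local":
            continue
        if r.conn_type in ("host", "hostnossl"):
            findings.append(f"{where}: '{r.conn_type}' also matches non-TLS clients; use hostssl")
        # 'cert' auth always demands a client certificate; other methods need clientcert=1
        if r.method != "cert" and r.options.get("clientcert") != "1":
            findings.append(f"{where}: method '{r.method}' does not require a client certificate")
        if r.address in ("0.0.0.0/0", "::/0", "all"):
            findings.append(f"{where}: open to any source address")
        if "all" in (r.database, r.user):
            findings.append(f"{where}: matches all databases or all roles")
    return findings

# Constructed sample: the thread's line, a tightened PuppetDB-only line, and a weak one
SAMPLE_PG_HBA = """\
hostssl all       all       0.0.0.0/0      cert clientcert=1
hostssl puppetdb  puppetdb  127.0.0.1/32   cert
host    all       all       10.0.0.0/8     md5
"""

if __name__ == "__main__":
    for finding in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(finding)
```

The second sample line is the tightened form matching the thread's database.ini (localhost, database and user puppetdb) and produces no findings.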
