英文:
PostgreSQL in SSL mode returns 'server does not support SSL, but SSL was required'
问题
你好 
希望你一切都好!
我正在尝试在一个Postgres Docker容器和一个FastAPI容器之间启用SSL通信,但正如你从标题中可以看出,有些东西不起作用 :/
我阅读了文档,据说我已经按照要求设置了一切。例如:
-
我创建了根CA,然后使用根CA为Postgres服务器创建了密钥和签名证书。
-
我已经按照以下方式配置了postgresql.conf文件:
... 默认配置# - SSL -ssl = onssl_ca_file = '/var/lib/postgresql/data/root.crt'ssl_cert_file = '/var/lib/postgresql/data/server.crt'ssl_key_file = '/var/lib/postgresql/data/server.key'#ssl_crl_file = ''#ssl_crl_dir = ''#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers#ssl_prefer_server_ciphers = on#ssl_ecdh_curve = 'prime256v1'#ssl_min_protocol_version = 'TLSv1.2'#ssl_max_protocol_version = ''#ssl_dh_params_file = ''#ssl_passphrase_command = ''#ssl_passphrase_command_supports_reload = off... 默认配置
这是我的目录结构:
.├── docker-compose.yaml├── Dockerfile├── main.py├── postgresql.conf├── README.md├── ssl-client│ ├── root.crt│ ├── root.csr│ ├── root.key│ ├── server.crt│ ├── server.csr│ └── server.key└── ssl-server├── pgdata [error opening dir] -> 因为它使用了自己的用户(999)├── root.crt├── root.csr├── root.key├── server.crt├── server.csr└── server.key
这是我如何将所有内容传递给容器的方式:
version: '3.8'services:app:container_name: python-appbuild:context: .dockerfile: Dockerfileports:- '8000:80'depends_on:- postgresnetworks:- postgres-sslpostgres:container_name: postgresimage: postgres:latestenvironment:POSTGRES_USER: usernamePOSTGRES_PASSWORD: passwordPOSTGRES_DB: databasePGDATA: /var/lib/postgresql/data/pgdatavolumes:- ./postgresql.conf:/etc/postgresql/postgresql.conf- ./ssl-server:/var/lib/postgresql/data/ports:- '5432:5432'networks:- postgres-sslnetworks:postgres-ssl:name: postgres-ssl
最后,这是我的Python代码,尽管这里的一切都按预期工作,因为我得到了上面的错误:
from fastapi import FastAPI, HTTPExceptionfrom pydantic import BaseModelfrom sqlalchemy import create_enginefrom sqlalchemy.orm import sessionmakerfrom sqlalchemy.ext.declarative import declarative_basefrom sqlalchemy import Column, Integer, Stringfrom typing import Listapp = FastAPI()DATABASE_URL = "postgresql+psycopg2://username:password@postgres/database?sslmode=require"engine = create_engine(DATABASE_URL)SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)Base = declarative_base()def get_db():db = SessionLocal()try:yield dbfinally:db.close()class Student(Base):__tablename__ = 'students'id = Column(Integer, primary_key=True, nullable=False)name = Column(String, nullable=False)class StudentRequest(BaseModel):name: strclass Config:orm_mode = Trueclass StudentCreate(BaseModel):name :str@app.post("/items/", response_model=StudentRequest)def create_item(item: StudentCreate):db = SessionLocal()db_item = Student(**item.dict())db.add(db_item)db.commit()db.refresh(db_item)db.close()return db_item@app.get("/items/", response_model=List[StudentRequest])def get_items():db = SessionLocal()items = db.query(Student).all()db.close()return items@app.get("/")async def read_root():return {"message": "Hello, FastAPI with PostgreSQL using SSL!"}
如果我尝试通过将其挂载到相同的PGDATA路径来“覆盖”默认配置文件,我会得到一个错误:
这是这种情况下的docker-compose:
version: '3.8'services:app:container_name: python-appbuild:context: .dockerfile: Dockerfileports:- '8000:80'depends_on:- postgresnetworks:- postgres-sslpostgres:container_name: postgresimage: postgres:latestenvironment:POSTGRES_USER: usernamePOSTGRES_PASSWORD: passwordPOSTGRES_DB: databasePGDATA: /etc/postgresql/datavolumes:- ./postgresql.conf:/etc/postgresql/data/postgresql.conf- ./ssl-server:/etc/postgresql/data/ssl-serverports:- '5432:5432'networks:- postgres-sslnetworks:postgres-ssl:name: postgres-ssl
以及我在启动时收到的错误:
postgres | The files belonging to this database system will be owned by user "postgres".postgres | This user must also own the server process.postgres |postgres |postgres | The database cluster will be initialized with locale "en_US.utf8".postgres | The default database encoding has accordingly been set to "UTF8".postgres | The default text search configuration will be set to "english".postgres |postgres | Data page checksums are disabled.postgres |postgres |postgres | initdb: error: directory "/etc/postgresql/data" exists but is not emptypostgres | initdb: hint: If you want to create a new database system, either remove or empty the directory "/etc/postgresql/data" or run initdb with an argument other than "/etc/postgresql/data".postgres exited with code 1
我在这里漏掉了什么吗?为什么这不会设置SSL连接? :/
我非常困惑,如果你能在这里帮助我,我将非常非常感激!
提前谢谢你,祝你有美好的一天!
英文:
Hi Hope you're doing great!
I a trying to enable SSL communications between a Postgres docker container and a FastAPI container, however as you can tell from the title, something is not working :/
I read the documentation and supposedly I have set up everything accordingly. For instance:
-
I created the root CA, and then a key and signed cert for the postgres server with the root CA.
-
I have configured the postgresql.conf file in this manner:
... defaults# - SSL -ssl = onssl_ca_file = '/var/lib/postgresql/data/root.crt'ssl_cert_file = '/var/lib/postgresql/data/server.crt'ssl_key_file = '/var/lib/postgresql/data/server.key'#ssl_crl_file = ''#ssl_crl_dir = ''#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers#ssl_prefer_server_ciphers = on#ssl_ecdh_curve = 'prime256v1'#ssl_min_protocol_version = 'TLSv1.2'#ssl_max_protocol_version = ''#ssl_dh_params_file = ''#ssl_passphrase_command = ''#ssl_passphrase_command_supports_reload = off... defaults
This is what my tree looks like:
.├── docker-compose.yaml├── Dockerfile├── main.py├── postgresql.conf├── README.md├── ssl-client│   ├── root.crt│   ├── root.csr│   ├── root.key│   ├── server.crt│   ├── server.csr│   └── server.key└── ssl-server├── pgdata [error opening dir] -> because it is using its own user (999)├── root.crt├── root.csr├── root.key├── server.crt├── server.csr└── server.key
and this is how I am passing everything to the container:
version: '3.8'services:app:container_name: python-appbuild:context: .dockerfile: Dockerfileports:- '8000:80'depends_on:- postgresnetworks:- postgres-sslpostgres:container_name: postgresimage: postgres:latestenvironment:POSTGRES_USER: usernamePOSTGRES_PASSWORD: passwordPOSTGRES_DB: databasePGDATA: /var/lib/postgresql/data/pgdatavolumes:- ./postgresql.conf:/etc/postgresql/postgresql.conf- ./ssl-server:/var/lib/postgresql/data/ports:- '5432:5432'networks:- postgres-sslnetworks:postgres-ssl:name: postgres-ssl
Lastly, here is my python code, although everything is working as expected here, as I am getting the error above:
from fastapi import FastAPI, HTTPExceptionfrom pydantic import BaseModelfrom sqlalchemy import create_enginefrom sqlalchemy.orm import sessionmakerfrom sqlalchemy.ext.declarative import declarative_basefrom sqlalchemy import Column, Integer, Stringfrom typing import Listapp = FastAPI()DATABASE_URL = "postgresql+psycopg2://username:password@postgres/database?sslmode=require"engine = create_engine(DATABASE_URL)SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)Base = declarative_base()def get_db():db = SessionLocal()try:yield dbfinally:db.close()class Student(Base):__tablename__ = 'students'id = Column(Integer, primary_key=True, nullable=False)name = Column(String, nullable=False)class StudentRequest(BaseModel):name: strclass Config:orm_mode = Trueclass StudentCreate(BaseModel):name :str@app.post("/items/", response_model=StudentRequest)def create_item(item: StudentCreate):db = SessionLocal()db_item = Student(**item.dict())db.add(db_item)db.commit()db.refresh(db_item)db.close()return db_item@app.get("/items/", response_model=List[StudentRequest])def get_items():db = SessionLocal()items = db.query(Student).all()db.close()return items@app.get("/")async def read_root():return {"message": "Hello, FastAPI with PostgreSQL using SSL!"}
If I try to 'override' the default configuration file by mounting it in the same PGDATA path, I get an error:
Here is the docker-compose for this case:
version: '3.8'services:app:container_name: python-appbuild:context: .dockerfile: Dockerfileports:- '8000:80'depends_on:- postgresnetworks:- postgres-sslpostgres:container_name: postgresimage: postgres:latestenvironment:POSTGRES_USER: usernamePOSTGRES_PASSWORD: passwordPOSTGRES_DB: databasePGDATA: /etc/postgresql/datavolumes:- ./postgresql.conf:/etc/postgresql/data/postgresql.conf- ./ssl-server:/etc/postgresql/data/ssl-serverports:- '5432:5432'networks:- postgres-sslnetworks:postgres-ssl:name: postgres-ssl
And the error I get at startup:
postgres | The files belonging to this database system will be owned by user "postgres".postgres | This user must also own the server process.postgres |postgres |postgres | The database cluster will be initialized with locale "en_US.utf8".postgres | The default database encoding has accordingly been set to "UTF8".postgres | The default text search configuration will be set to "english".postgres |postgres | Data page checksums are disabled.postgres |postgres |postgres | initdb: error: directory "/etc/postgresql/data" exists but is not emptypostgres | initdb: hint: If you want to create a new database system, either remove or empty the directory "/etc/postgresql/data" or run initdb with an argument other than "/etc/postgresql/data".postgres exited with code 1
Am I missing something here? How come this is not setting up SSL connections? :/
I am very confused honestly, if you could help me out here, it would be very, very much appreciated!
Thank you in advance and have a wonderful day!
答案1
得分: 1
如果PGDATA设置为/var/lib/postgresql/data/pgdata,那么将自定义配置文件放在/etc/postgresql/中是没有任何作用的。它只会忽略该文件并使用默认配置。
此外,证书和其他内容需要放在PGDATA目录内,而不是与其同级。
英文:
If PGDATA is set to /var/lib/postgresql/data/pgdata, then putting your custom config file in /etc/postgresql/ isn't going to do anything. It will just ignore it and use the default.
Furthermore, the certs and stuff need to be inside PGDATA, not siblings to it.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论