
Tell postgres client to use OS cert bundle for ssl root keys #341

Merged
merged 1 commit into from
Jan 26, 2022

Conversation

kbrock
Member

@kbrock kbrock commented Nov 19, 2021

Goal

Part of larger PR ManageIQ/manageiq#20394

Enables:

Transitioning from root to other users means we don't store key configuration files in /root
Luckily, the operating system has a mechanism for storing ca certs in a centralized location.

This PR is focused on connecting to the database and encrypting traffic using ssl.

Before

After

  • appliances (and pods) put the self signed cert and/or company CA cert into /etc/pki/tls/certs/ca-bundle.crt
  • works for root and manageiq users
  • removes extra configuration step in orchestrator since postgres (libpq) will pick it up from /etc.

Appliance Reproduction steps

echo PGSSLROOTCERT=/etc/pki/tls/certs/ca-bundle.crt > /etc/default/miq.properties
source /etc/default/evm
rm -rf ~/.postgresql # nothing up my sleeves.

# #include(setup db with self signed ca cert) note: cert hostname must be $DATABASE
DATABASE=db-appliance

#echo "$DATABASE 127.0.0.1" > /etc/hosts
#cp /var/www/miq/vmdb/certs/root.crt /etc/pki/ca-trust/source/$DATABASE
scp root@$DATABASE:/var/www/miq/vmdb/certs/root.crt /etc/pki/ca-trust/source/$DATABASE

update-ca-trust extract

PGSSLMODE=verify-full psql -h $DATABASE -d vmdb_production

Bibliography

Whether a company wants to connect to the database using ssl for self signed certs
or for a company CA, we want to have the library just use the standard operating
system mechanism (OS cert bundle).

If this were not set, then we would need to install the database certificate
and put it into the ~/.postgresql/root.crt for root and manageiq (and any other users
that come down the line).
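The reproduction steps above hinge on two separate checks that libpq performs once PGSSLROOTCERT points at the OS bundle: with verify-ca the server certificate only has to chain to a CA in the bundle, with verify-full the certificate name must additionally match the host name given to psql (hence the note that the cert hostname must be $DATABASE). The following is an added example, not code from this PR or from ManageIQ; it uses only Ruby's OpenSSL stdlib, builds a throwaway CA and server certificate in memory as constructed test data, and models those two checks with a `check_server_cert` function so the verify-ca / verify-full difference can be seen without a running database.

```ruby
require "openssl"

# Constructed test data: a throwaway CA (standing in for the appliance's self signed
# CA that ends up in /etc/pki/tls/certs/ca-bundle.crt) and a server cert signed by it.
# These are not the appliance's real certificates.
def make_cert(subject, serial, issuer: nil, ca: false, dns_name: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    # libpq matches the host name against the SAN, falling back to the CN
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns_name}")) if dns_name
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Parse a PEM bundle (several concatenated certificates) into an Array of certs,
# i.e. the contents of ca-bundle.crt after `update-ca-trust extract`.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Model the checks libpq applies to the server certificate:
#   verify-ca   -> the chain must validate against the root cert file (PGSSLROOTCERT)
#   verify-full -> verify-ca plus the certificate name must match the host we dialled
# Returns :ok, :untrusted_ca or :hostname_mismatch.
def check_server_cert(bundle, server_cert, host, sslmode)
  unless %w[verify-ca verify-full].include?(sslmode)
    raise ArgumentError, "only verify-ca and verify-full are modelled here"
  end
  store = OpenSSL::X509::Store.new
  bundle.each { |ca| store.add_cert(ca) }
  return :untrusted_ca unless store.verify(server_cert)
  return :ok if sslmode == "verify-ca"
  OpenSSL::SSL.verify_certificate_identity(server_cert, host) ? :ok : :hostname_mismatch
end

APPLIANCE_CA = make_cert("/CN=Appliance Root CA", 1, ca: true)
OTHER_CA     = make_cert("/CN=Some Other CA", 2, ca: true)
DB_CERT      = make_cert("/CN=db-appliance", 3, issuer: APPLIANCE_CA, dns_name: "db-appliance")[0]

# The OS bundle as libpq would read it: unrelated CAs plus the appliance CA.
OS_BUNDLE = parse_bundle(OTHER_CA[0].to_pem + APPLIANCE_CA[0].to_pem)

def demo
  {
    # psql -h db-appliance with PGSSLMODE=verify-full: chain and name both match
    full_ok:       check_server_cert(OS_BUNDLE, DB_CERT, "db-appliance", "verify-full"),
    # same cert, but dialled by IP: chain is fine, name check fails
    full_by_ip:    check_server_cert(OS_BUNDLE, DB_CERT, "127.0.0.1", "verify-full"),
    # verify-ca never looks at the name, so dialling by IP passes
    ca_only_by_ip: check_server_cert(OS_BUNDLE, DB_CERT, "127.0.0.1", "verify-ca"),
    # appliance CA not yet extracted into the bundle: nothing chains
    ca_missing:    check_server_cert([OTHER_CA[0]], DB_CERT, "db-appliance", "verify-full"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `full_by_ip` case is why the reproduction steps either resolve $DATABASE through /etc/hosts or scp from the real name: once PGSSLMODE is verify-full, pointing libpq at the database by a name that is not in the certificate fails even though the CA is trusted. The `ca_missing` case is what a user sees if root.crt was copied to /etc/pki/ca-trust/source but `update-ca-trust extract` was not run.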
@miq-bot
Member

miq-bot commented Nov 19, 2021

Checked commit kbrock@59c68f2 with ruby 2.6.3, rubocop 1.13.0, haml-lint 0.35.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 👍

@kbrock kbrock changed the title tell postgres to use os cert bundle [WIP] Tell postgres to use OS cert bundle for ssl root keys Nov 24, 2021
@kbrock
Member Author

kbrock commented Nov 24, 2021

WIP: need to walk through this with someone to understand my rationale behind a few decisions.
Need to verify it works with pods (if anything, we should delete stuff from there)

this is working for me on a single appliance

@kbrock
Member Author

kbrock commented Dec 6, 2021

UNWIP: this will not affect pods.

It does affect existing appliance installations that have the ssl database set up. I think all appliance upgrades (not rpm upgrades) will need to set up the database again anyway.

But I put that assumption in ink so others can point to my errors now and in the future.

@kbrock kbrock removed the wip label Dec 6, 2021
@kbrock kbrock changed the title [WIP] Tell postgres to use OS cert bundle for ssl root keys Tell postgres to use OS cert bundle for ssl root keys Dec 7, 2021
@kbrock kbrock changed the title Tell postgres to use OS cert bundle for ssl root keys Tell postgres client to use OS cert bundle for ssl root keys Dec 7, 2021
@jrafanie
Member

LGTM, @bdunne can you review/merge? It makes sense to me to not store the keys in the /root and instead somewhere else. As long as a non-root user has proper access to /etc/pki/tls/certs/ca-bundle.crt, I think this makes sense.

@bdunne bdunne merged commit 97a0af1 into ManageIQ:master Jan 26, 2022
@kbrock kbrock deleted the os_cert_bundle branch February 8, 2022 02:06
@kbrock
Member Author

kbrock commented Feb 8, 2022

Sorry all. Thank you for merging @bdunne, but it looks like this is only good after someone configures the appliance to use certificates.

agrare added a commit to agrare/manageiq-appliance that referenced this pull request Feb 8, 2022
This reverts commit 97a0af1, reversing
changes made to 6155afe.