Thread: BUG #5008: Server Startup Problem - When server is configured for SSL

BUG #5008: Server Startup Problem - When server is configured for SSL

From
"Jalaj Negi"
Date:
The following bug has been logged online:

Bug reference:      5008
Logged by:          Jalaj Negi
Email address:      jalajsinghnegi@gmail.com
PostgreSQL version: 8.4.0
Operating system:   Windows XP with SP3
Description:        Server Startup Problem - When server is configured for
SSL
Details:

I am running PostgreSQL version 8.4.0 on Windows XP machine with SP3. I
installed using Win32 Installer Package and the server runs as a service and
a service account was automatically created by the Win32 installer package
during server installation.

With default configuration the server was running fine and took minimal time
to start up (2-3 seconds). But when I configured server for SSL and
restarted server it took long time to start up (3-4 minutes) and displayed
the following startup message.


Startup Message
=====================================================
The PostgreSQL Server 8.4 service is
starting...................................
..
The PostgreSQL Server 8.4 service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

The start command returned an error (2)

Press <return> to continue...
=====================================================


Exact Steps
=====================================================
1) Stopped the server.

2) Made following changes in configuration files for enabling SSL support.

In pg_hba.conf I have only following one entry -
hostssl all  all  127.0.0.1/32  md5 clientcert=1

In postgresql.conf I made following changes -
ssl = on
ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'

Added server.crt, server.key, root.crt, root.crl in servers data directory.

3) Started the server.
=====================================================


Few Observations
=====================================================
1) When server starts with default configuration (without SSL configuration
changes) following process are created and running in system - pg_ctl.exe (1
instance), postgres.exe (6 instances).

2) When server starts with SSL configuration changes following process are
created and running in system - postgres.exe (6 instances). This time
pg_ctl.exe process is absent.

3) Server starts properly when "clientcert=1" is removed from pg_hba.conf
file. But if we want server to request client certificates we can't remove
clientcert parameter from pg_hba.conf file.
=====================================================

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
On Tue, Aug 25, 2009 at 08:11, Jalaj Negi<jalajsinghnegi@gmail.com> wrote:
>
> The following bug has been logged online:
>
> Bug reference:      5008
> Logged by:          Jalaj Negi
> Email address:      jalajsinghnegi@gmail.com
> PostgreSQL version: 8.4.0
> Operating system:   Windows XP with SP3
> Description:        Server Startup Problem - When server is configured for
> SSL
> Details:
>
> I am running PostgreSQL version 8.4.0 on Windows XP machine with SP3. I
> installed using Win32 Installer Package and the server runs as a service and
> a service account was automatically created by the Win32 installer package
> during server installation.
>
> With default configuration the server was running fine and took minimal time
> to start up (2-3 seconds). But when I configured server for SSL and
> restarted server it took long time to start up (3-4 minutes) and displayed
> the following startup message.
>
>
> Startup Message
> =====================================================
> The PostgreSQL Server 8.4 service is
> starting...................................
> ..
> The PostgreSQL Server 8.4 service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.
>
> The start command returned an error (2)
>
> Press <return> to continue...
> =====================================================
>
>
> Exact Steps
> =====================================================
> 1) Stopped the server.
>
> 2) Made following changes in configuration files for enabling SSL support.
>
> In pg_hba.conf I have only following one entry -
> hostssl all  all  127.0.0.1/32  md5 clientcert=1
>
> In postgresql.conf I made following changes -
> ssl = on
> ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
>
> Added server.crt, server.key, root.crt, root.crl in servers data directory.
>
> 3) Started the server.
> =====================================================
>
>
> Few Observations
> =====================================================
> 1) When server starts with default configuration (without SSL configuration
> changes) following process are created and running in system - pg_ctl.exe (1
> instance), postgres.exe (6 instances).
>
> 2) When server starts with SSL configuration changes following process are
> created and running in system - postgres.exe (6 instances). This time
> pg_ctl.exe process is absent.
>
> 3) Server starts properly when "clientcert=1" is removed from pg_hba.conf
> file. But if we want server to request client certificates we can't remove
> clientcert parameter from pg_hba.conf file.

What's in the log? Check both the PostgreSQL logfile and the Windows eventlog.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
On Wed, Aug 26, 2009 at 08:47, Jalaj Negi<jalajsinghnegi@gmail.com> wrote:
> Hello, following is PostgreSQL log file.
> I have no certificate to revoke so I haven't placed any "root.crl" file in
> servers data directory.
>
> Log File
> ============================================================================================
> 2009-08-26 11:58:32 ISTLOG:  SSL certificate revocation list file "root.crl"
> not found, skipping: No such file or directory
> 2009-08-26 11:58:32 ISTDETAIL:  Certificates will not be checked against
> revocation list.
> 2009-08-26 11:58:32 ISTLOG:  database system was shut down at 2009-08-26
> 11:56:56 IST
> 2009-08-26 11:58:32 ISTFATAL:  the database system is starting up
> 2009-08-26 11:58:34 ISTLOG:  database system is ready to accept connections
> 2009-08-26 11:58:34 ISTLOG:  SSL certificate revocation list file "root.crl"
> not found, skipping: No such file or directory
> 2009-08-26 11:58:34 ISTDETAIL:  Certificates will not be checked against
> revocation list.
> 2009-08-26 11:58:34 ISTFATAL:  the database system is starting up
> 2009-08-26 11:58:39 ISTLOG:  autovacuum launcher started
> 2009-08-26 11:58:39 ISTLOG:  SSL certificate revocation list file "root.crl"
> not found, skipping: No such file or directory
> 2009-08-26 11:58:39 ISTDETAIL:  Certificates will not be checked against
> revocation list.
> 2009-08-26 11:58:39 ISTFATAL:  connection requires a valid client
> certificate

<snip>

I think this indicates that pg_ctl is trying to connect to the
database just to see if it's running, but you have set it to require
SSL certificate on connections from localhost. Could that be so? If
so, try setting the requirement for certificates only on non-localhost
addresses and see if it starts up properly in that case.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
Magnus Hagander <magnus@hagander.net> writes:
> I think this indicates that pg_ctl is trying to connect to the
> database just to see if it's running, but you have set it to require
> SSL certificate on connections from localhost. Could that be so? If
> so, try setting the requirement for certificates only on non-localhost
> addresses and see if it starts up properly in that case.

Hmm, seems like we should modify pg_ctl's probe code to set
sslmode = disable.  Letting that default just provides an additional
way to fail ...

            regards, tom lane

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
On Wed, Aug 26, 2009 at 15:30, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> I think this indicates that pg_ctl is trying to connect to the
>> database just to see if it's running, but you have set it to require
>> SSL certificate on connections from localhost. Could that be so? If
>> so, try setting the requirement for certificates only on non-localhost
>> addresses and see if it starts up properly in that case.
>
> Hmm, seems like we should modify pg_ctl's probe code to set
> sslmode = disable.  Letting that default just provides an additional
> way to fail ...

Um. If we modify it, it should be to sslmode=allow. Not "disable".
(*ahem* to what would be a reasonable default for libpq in general :P)

But that will still fail if the user has set it up to require a client
certificate.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
Magnus Hagander <magnus@hagander.net> writes:
> But that will still fail if the user has set it up to require a client
> certificate.

But not till it gets to the pg_hba checks.  We might need to have some
variant on PQrequiresPassword to detect that failure type, but we'll
already know what we need to.

This still points up the value of adding an actual "ping" interface to
the protocol, though.

            regards, tom lane

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> But that will still fail if the user has set it up to require a client
>> certificate.
>
> But not till it gets to the pg_hba checks.  We might need to have some

How would that be different from what we have now? sslmode=prefer will
still allow both ssl and non-ssl connection. It won't kick you out
until you reach the hba processing, will it?

> variant on PQrequiresPassword to detect that failure type, but we'll
> already know what we need to.
>
> This still points up the value of adding an actual "ping" interface to
> the protocol, though.

Agreed.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
Magnus Hagander <magnus@hagander.net> writes:
> On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl@sss.pgh.pa.us> wrote:
>> Magnus Hagander <magnus@hagander.net> writes:
>>> But that will still fail if the user has set it up to require a client
>>> certificate.
>>
>> But not till it gets to the pg_hba checks.  We might need to have some

> How would that be different from what we have now? sslmode=prefer will
> still allow both ssl and non-ssl connection. It won't kick you out
> until you reach the hba processing, will it?

Hm, will it retry if the ssl setup step fails?  If so it'd be all right,
but it's still a waste of cycles ...

            regards, tom lane

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
On Wed, Aug 26, 2009 at 22:47, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl@sss.pgh.pa.us> wrote:
>>> Magnus Hagander <magnus@hagander.net> writes:
>>>> But that will still fail if the user has set it up to require a client
>>>> certificate.
>>>
>>> But not till it gets to the pg_hba checks.  We might need to have some
>
>> How would that be different from what we have now? sslmode=prefer will
>> still allow both ssl and non-ssl connection. It won't kick you out
>> until you reach the hba processing, will it?
>
> Hm, will it retry if the ssl setup step fails?  If so it'd be all right,
> but it's still a waste of cycles ...

Yes, that's the difference between prefer and require.

I think the main issue is that test_postmaster_connection() only
accepts two cases - successful login and password prompt. It would
have similar issues with say an ident mismatch, or loopback
connections configured for kerberos.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Jalaj Negi
Date:
Hi,
I tried by setting the requirement for certificates only on non-localhost
addresses. It works perfectly fine in that case.
What's the solution in case of requesting client certificates on localhost
connection?

One temporary solution I found for above question is to set PGSSLCERT,
PGSSLKEY, PGSSLROOTCERT, PGSSLCRL
as system environment variables and let them point to valid client
certificate, key, root certificate and crl. Then I rebooted
my windows machine and database server started perfectly fine.
Is this solution fine or some fix is needed in code?

regards,
jalaj negi



========================================================
Magnus Hagander to me, pgsql-bugs
show details Aug 26 (1 day ago)

I think this indicates that pg_ctl is trying to connect to the
database just to see if it's running, but you have set it to require
SSL certificate on connections from localhost. Could that be so? If
so, try setting the requirement for certificates only on non-localhost
addresses and see if it starts up properly in that case.
========================================================


On Thu, Aug 27, 2009 at 12:30 PM, Magnus Hagander <magnus@hagander.net>wrote:

> On Wed, Aug 26, 2009 at 22:47, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> > Magnus Hagander <magnus@hagander.net> writes:
> >> On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> >>> Magnus Hagander <magnus@hagander.net> writes:
> >>>> But that will still fail if the user has set it up to require a client
> >>>> certificate.
> >>>
> >>> But not till it gets to the pg_hba checks.  We might need to have some
> >
> >> How would that be different from what we have now? sslmode=prefer will
> >> still allow both ssl and non-ssl connection. It won't kick you out
> >> until you reach the hba processing, will it?
> >
> > Hm, will it retry if the ssl setup step fails?  If so it'd be all right,
> > but it's still a waste of cycles ...
>
> Yes, that's the difference between prefer and require.
>
> I think the main issue is that test_postmaster_connection() only
> accepts two cases - successful login and password prompt. It would
> have similar issues with say an ident mismatch, or loopback
> connections configured for kerberos.
>
>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/
>

Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From
Magnus Hagander
Date:
2009/8/27 Jalaj Negi <jalajsinghnegi@gmail.com>:
> Hi,
> I tried by setting the requirement for certificates only on non-localhost addresses. It works perfectly fine in that case.
> What's the solution in case of requesting client certificates on localhost connection?
>
> One temporary solution I found for above question is to set PGSSLCERT, PGSSLKEY, PGSSLROOTCERT, PGSSLCRL
> as system environment variables and let them point to valid client certificate, key, root certificate and crl. Then I rebooted
> my windows machine and database server started perfectly fine.
> Is this solution fine or some fix is needed in code?

I think that qualifies as a workaround, but we need to find a proper
solution. If that takes an API change (the discussions about a "ping"
function), that's not going to be until 8.5 though.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
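
Added example (not part of the thread and not PostgreSQL code): a simplified model of the failure discussed above, checking whether a certificate-less loopback probe such as pg_ctl's would be accepted by a given pg_hba.conf under first-match rules. The function names, the outcome strings and the two sample configurations are assumptions constructed for illustration; only `host`/`hostssl`/`hostnossl` lines with CIDR addresses and `all` database/user fields are modelled.

```python
import ipaddress

# Probe results pg_ctl accepts as "server is up", per the thread:
# a successful login or a password prompt.
ACCEPTED = {"trust": "login ok", "md5": "password prompt",
            "password": "password prompt"}

def parse_hba(text):
    """Parse host/hostssl/hostnossl lines with CIDR addresses (simplified)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "net": ipaddress.ip_network(f[3], strict=False),
                          "method": f[4], "clientcert": "clientcert=1" in f[5:]})
    return rules

def probe_outcome(rules, ssl, client_ip="127.0.0.1"):
    """Result of a certificate-less probe; the first matching line decides."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        # Simplification: only 'all' database/user entries are considered.
        if r["db"] != "all" or r["user"] != "all" or ip not in r["net"]:
            continue
        if r["clientcert"]:
            return "rejected: client certificate required"
        # Other methods (ident, krb5, ...) are assumed to fail for the probe.
        return ACCEPTED.get(r["method"], "rejected: " + r["method"])
    return "rejected: no pg_hba.conf entry"

def startup_probe_succeeds(hba_text):
    """Model sslmode=prefer: try SSL first, then retry without SSL."""
    rules = parse_hba(hba_text)
    return any(not probe_outcome(rules, ssl).startswith("rejected")
               for ssl in (True, False))

# Constructed samples: the reporter's single entry, and the suggested change
# (client certificates required only from non-localhost addresses).
REPORTED = "hostssl all  all  127.0.0.1/32  md5 clientcert=1\n"
WORKAROUND = ("host    all all 127.0.0.1/32 md5\n"
              "hostssl all all 0.0.0.0/0    md5 clientcert=1\n")

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(name, "->", "starts" if startup_probe_succeeds(conf) else "pg_ctl times out")
```

In the workaround sample, loopback connections are authenticated by md5 password alone, while connections from other addresses still need a client certificate.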