Thread: Postgres won't start after setting ssl=on

From: Mike Christensen

Hi, I'm trying to require SSL for Postgres connections from certain
IPs..  This is on Postgres 9.0.

First, I've followed the directions at:

http://www.postgresql.org/docs/9.0/static/ssl-tcp.html

I've created the files server.crt and server.key.  I've also removed
the passphrase from the key so Postgres can start automatically.
Finally, I ran:

chmod 0600 server.key

The permissions on server.key are now:

-rw------- 1 root root 887 Oct 10 03:42 server.key

However, when I set ssl = on in postgresql.conf and start the server,
I get the logged error:

2010-10-10 03:47:07 UTC FATAL:  could not load private key file
"server.key": Permission denied

I'm logged on as root.  Any ideas?  Thanks!

Mike

Re: Postgres won't start after setting ssl=on

From: Ben Carbery

The private key needs to be readable by the same user the server runs under. This is distribution-dependent and may not be 'root'.
In my case I run Red Hat which uses the 'postgres' user, so:

chown postgres.postgres /var/lib/pgsql/data/server.*



Re: Postgres won't start after setting ssl=on

From: Mike Christensen

Sweet!  That fixed it..  Rock on..

Of course now let's see if I can connect from my Mac client :)

On Sat, Oct 9, 2010 at 9:00 PM, Ben Carbery <ben.carbery@gmail.com> wrote:
> The private key needs to be readable by the same user the server runs
> under. This is distribution-dependent and may not be 'root'.
> In my case I run Red Hat which uses the 'postgres' user, so:
>
> chown postgres.postgres /var/lib/pgsql/data/server.*
>
>
> On Sun, Oct 10, 2010 at 2:52 PM, Mike Christensen <mike@kitchenpc.com>
> wrote:
>>
>> Hi, I'm trying to require SSL for Postgres connections from certain
>> IPs..  This is on Postgres 9.0.
>>
>> First, I've followed the directions at:
>>
>> http://www.postgresql.org/docs/9.0/static/ssl-tcp.html
>>
>> I've created the files server.crt and server.key.  I've also removed
>> the passphrase from the key so Postgres can start automatically.
>> Finally, I ran:
>>
>> chmod 0600 server.key
>>
>> The permissions on server.key are now:
>>
>> -rw------- 1 root root 887 Oct 10 03:42 server.key
>>
>> However, when I set ssl = on in postgresql.conf and start the server,
>> I get the logged error:
>>
>> 2010-10-10 03:47:07 UTC FATAL:  could not load private key file
>> "server.key": Permission denied
>>
>> I'm logged on as root.  Any ideas?  Thanks!
>>
>> Mike

Re: Postgres won't start after setting ssl=on

From: Darren Duncan

The owner of these new files needs to be the same as that of your Pg data dir in
general or postgresql.conf specifically, and that owner be the same as the
process that runs the Pg server.  Are you running Pg as root?  (In any event,
you should have another user; running programs or servers as root when they
don't need root powers is generally a bad idea.) -- Darren Duncan

Mike Christensen wrote:
> Hi, I'm trying to require SSL for Postgres connections from certain
> IPs..  This is on Postgres 9.0.
>
> First, I've followed the directions at:
>
> http://www.postgresql.org/docs/9.0/static/ssl-tcp.html
>
> I've created the files server.crt and server.key.  I've also removed
> the passphrase from the key so Postgres can start automatically.
> Finally, I ran:
>
> chmod 0600 server.key
>
> The permissions on server.key are now:
>
> -rw------- 1 root root 887 Oct 10 03:42 server.key
>
> However, when I set ssl = on in postgresql.conf and start the server,
> I get the logged error:
>
> 2010-10-10 03:47:07 UTC FATAL:  could not load private key file
> "server.key": Permission denied
>
> I'm logged on as root.  Any ideas?  Thanks!
>
> Mike
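
Added example, not part of any poster's message: a check for the condition discussed above, that the key file is owned by the same account as the data directory and carries no group or world permission bits (the `chmod 0600` step). `check_server_key` is a hypothetical helper name, GNU `stat -c` is assumed, and the demo files at the end are constructed.

```shell
#!/bin/sh
# Added example: verify a server private key against its data directory.
# check_server_key is a hypothetical helper; GNU coreutils stat is assumed.

# check_server_key KEYFILE DATADIR
# Prints one diagnostic line. Returns 0 if usable, 1 on owner mismatch,
# 2 if group/world bits are set, 3 if either path is missing.
check_server_key() {
    key=$1
    datadir=$2
    if [ ! -f "$key" ] || [ ! -d "$datadir" ]; then
        echo "missing: $key or $datadir"
        return 3
    fi
    # Compare numeric uids so accounts without a passwd entry still compare.
    key_uid=$(stat -c '%u' "$key")
    dir_uid=$(stat -c '%u' "$datadir")
    mode=$(stat -c '%a' "$key")

    if [ "$key_uid" != "$dir_uid" ]; then
        echo "owner mismatch: $key has uid $key_uid, data dir has uid $dir_uid"
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal; 077 masks the
    # group and other permission bits, all of which must be clear.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode on $key allows group/world access; expected 0600"
        return 2
    fi
    echo "ok: $key uid $key_uid, mode $mode"
    return 0
}

# Constructed demo: a scratch directory standing in for the data directory.
demo=$(mktemp -d)
: > "$demo/server.key"
chmod 0644 "$demo/server.key"
check_server_key "$demo/server.key" "$demo" || true   # reports the loose mode
chmod 0600 "$demo/server.key"
check_server_key "$demo/server.key" "$demo"           # reports ok
rm -rf "$demo"
```

Run it as root against the real paths, so that `stat` can read both the key and the data directory regardless of who owns them.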


Re: Postgres won't start after setting ssl=on

From: Mike Christensen

Yup, my bad..  I should have noticed all the other files were owned by
postgres (and I assume that's what the process is running under)..
I'm still a Unix newbie, but learning quickly..

Everything's working, and to my surprise pgAdmin connected using SSL
on the first try..  No need to mess with anything on the client side
of things..

So now I have my database, which only accepts TCP/IP "host"
connections from the IP addresses of my web servers, and then requires
"hostssl" from my home cable modem IP.  Everything else is blocked.
Should be decently secure :)

Mike

On Sat, Oct 9, 2010 at 9:04 PM, Darren Duncan <darren@darrenduncan.net> wrote:
> The owner of these new files needs to be the same as that of your Pg data
> dir in general or postgresql.conf specifically, and that owner be the same
> as the process that runs the Pg server.  Are you running Pg as root?  (In
> any event, you should have another user; running programs or servers as root
> when they don't need root powers is generally a bad idea.) -- Darren Duncan
>
> Mike Christensen wrote:
>>
>> Hi, I'm trying to require SSL for Postgres connections from certain
>> IPs..  This is on Postgres 9.0.
>>
>> First, I've followed the directions at:
>>
>> http://www.postgresql.org/docs/9.0/static/ssl-tcp.html
>>
>> I've created the files server.crt and server.key.  I've also removed
>> the passphrase from the key so Postgres can start automatically.
>> Finally, I ran:
>>
>> chmod 0600 server.key
>>
>> The permissions on server.key are now:
>>
>> -rw------- 1 root root 887 Oct 10 03:42 server.key
>>
>> However, when I set ssl = on in postgresql.conf and start the server,
>> I get the logged error:
>>
>> 2010-10-10 03:47:07 UTC FATAL:  could not load private key file
>> "server.key": Permission denied
>>
>> I'm logged on as root.  Any ideas?  Thanks!
>>
>> Mike
>
>

Re: Postgres won't start after setting ssl=on

From: Scott Marlowe

On Sat, Oct 9, 2010 at 10:04 PM, Darren Duncan <darren@darrenduncan.net> wrote:
> The owner of these new files needs to be the same as that of your Pg data
> dir in general or postgresql.conf specifically, and that owner be the same
> as the process that runs the Pg server.  Are you running Pg as root?  (In
> any event, you should have another user; running programs or servers as root
> when they don't need root powers is generally a bad idea.) -- Darren Duncan

Actually, unless you've hacked the pg code, it won't start as root.

Re: Postgres won't start after setting ssl=on

From: Mike Christensen

While I do appreciate the vote of confidence, rest assured you will
never see a post from me that starts with "So I've been hacking the pg
code and..."

On Sat, Oct 9, 2010 at 11:54 PM, Scott Marlowe <scott.marlowe@gmail.com> wrote:
> On Sat, Oct 9, 2010 at 10:04 PM, Darren Duncan <darren@darrenduncan.net> wrote:
>> The owner of these new files needs to be the same as that of your Pg data
>> dir in general or postgresql.conf specifically, and that owner be the same
>> as the process that runs the Pg server.  Are you running Pg as root?  (In
>> any event, you should have another user; running programs or servers as root
>> when they don't need root powers is generally a bad idea.) -- Darren Duncan
>
> Actually, unless you've hacked the pg code, it won't start as root.
>

Re: Postgres won't start after setting ssl=on

From: Rob Sargent

Does postgres run as root or as the postgres user? I suspect you want
postgres to own that file.

Mike Christensen wrote:
> Hi, I'm trying to require SSL for Postgres connections from certain
> IPs..  This is on Postgres 9.0.
>
> First, I've followed the directions at:
>
> http://www.postgresql.org/docs/9.0/static/ssl-tcp.html
>
> I've created the files server.crt and server.key.  I've also removed
> the passphrase from the key so Postgres can start automatically.
> Finally, I ran:
>
> chmod 0600 server.key
>
> The permissions on server.key are now:
>
> -rw------- 1 root root 887 Oct 10 03:42 server.key
>
> However, when I set ssl = on in postgresql.conf and start the server,
> I get the logged error:
>
> 2010-10-10 03:47:07 UTC FATAL:  could not load private key file
> "server.key": Permission denied
>
> I'm logged on as root.  Any ideas?  Thanks!
>
> Mike
>
>

Re: Postgres won't start after setting ssl=on

From: Scott Marlowe

Postgres cannot run as root.

On Sun, Oct 10, 2010 at 9:40 AM, Rob Sargent <robjsargent@gmail.com> wrote:
> Does postgres run as root or as the postgres user? I suspect you want
> postgres to own that file.
>
> Mike Christensen wrote:
>>
>> Hi, I'm trying to require SSL for Postgres connections from certain
>> IPs..  This is on Postgres 9.0.
>>
>> First, I've followed the directions at:
>>
>> http://www.postgresql.org/docs/9.0/static/ssl-tcp.html
>>
>> I've created the files server.crt and server.key.  I've also removed
>> the passphrase from the key so Postgres can start automatically.
>> Finally, I ran:
>>
>> chmod 0600 server.key
>>
>> The permissions on server.key are now:
>>
>> -rw------- 1 root root 887 Oct 10 03:42 server.key
>>
>> However, when I set ssl = on in postgresql.conf and start the server,
>> I get the logged error:
>>
>> 2010-10-10 03:47:07 UTC FATAL:  could not load private key file
>> "server.key": Permission denied
>>
>> I'm logged on as root.  Any ideas?  Thanks!
>>
>> Mike



--
To understand recursion, one must first understand recursion.

Re: Postgres won't start after setting ssl=on

From: David Fetter

On Sun, Oct 10, 2010 at 12:08:13AM -0700, Mike Christensen wrote:
> While I do appreciate the vote of confidence, rest assured you will
> never see a post from me that starts with "So I've been hacking the pg
> code and..."

Actually, we get *plenty* of those.

Cheers,
David.