Thread: SSL - automatic entry of certificate passphrase in PostgreSQL 10?

SSL - automatic entry of certificate passphrase in PostgreSQL 10?

From
Martin Goodson
Date:
Hello.

Apologies if this is an easy one, I've been looking around but clearly 
my google-fu may be weak :)

I've recently been asked to enable ssl support on one of our PostgreSQL 
10 databases, which I've done. However, the certificate I was given 
appears to have been generated using a passphrase, and now during server 
start I'm being prompted (as expected) for that passphrase.

I'm concerned that this is going to impact the automatic (re)start of 
the database after server shutdowns, crashes etc. I understand that 
there is functionality to support this in PostgreSQL 11 with the 
ssl_passphrase_command parameter, but I was wondering if there's a way 
to emulate this in PostgreSQL 10 or any kind of workaround?

Or am I stuck with either requesting a new certificate without the 
passphrase or going to PostgreSQL 11?

For information, it's a PostgreSQL 10.5 cluster hosted on a VM running 
RHEL 7.6.

Many thanks!

-- 
Martin Goodson

In bed above we're deep asleep,
While greater love lies further deep.
This dream must end, the world must know,
We all depend on the beast below.




Re: SSL - automatic entry of certificate passphrase in PostgreSQL 10?

From
Tom Lane
Date:
Martin Goodson <kaemaril@googlemail.com> writes:
> Or am I stuck with either requesting a new certificate without the 
> passphrase or going to PostgreSQL 11?

AFAIK, those are your options.  Pre-v11 there was no reasonable way
to work with a server cert that requires a passphrase.

            regards, tom lane



Re: SSL - automatic entry of certificate passphrase in PostgreSQL 10?

From
Magnus Hagander
Date:
On Fri, Dec 6, 2019 at 4:22 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Martin Goodson <kaemaril@googlemail.com> writes:
> > Or am I stuck with either requesting a new certificate without the
> > passphrase or going to PostgreSQL 11?
>
> AFAIK, those are your options.  Pre-v11 there was no reasonable way
> to work with a server cert that requires a passphrase.

It should certainly be possible to remove the passphrase permanently from the received certificate again, no need for a new one. Well, technically the passphrase is on the key, and you remove it with something like:
openssl rsa -in current.key -out new.key

That'll ask for a passphrase for the old key, and write the new one out without.
 
--
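
Added example, not part of the thread or written by any of its participants: a pre-flight check to run on the key produced by the `openssl rsa` step above, confirming that it no longer needs a passphrase and is not group- or world-accessible before the server is restarted unattended. The function names and the `loose.key` file are hypothetical, and the sample files are constructed PEM headers with no real key material.

```shell
#!/bin/sh
# The command from the thread, wrapped so the new key is never created
# group/world-readable. Prompts for the old passphrase; not run by the demo.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" )
}

# Succeeds if the PEM key still needs a passphrase (PKCS#8 or traditional form).
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if group and other have no access at all (e.g. mode 0600 or 0400).
key_perms_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints one verdict line; returns 0 only if the key is usable without a prompt.
preflight_key() {
    if [ ! -r "$1" ]; then echo "FAIL $1: not readable"; return 1; fi
    if key_is_encrypted "$1"; then
        echo "FAIL $1: still passphrase-protected"; return 1
    fi
    if ! key_perms_private "$1"; then
        echo "FAIL $1: group/other access"; return 1
    fi
    echo "OK $1"
}

# Constructed sample files: PEM headers only, no real key material.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,CONSTRUCTED' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/current.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/new.key"
    cp "$1/new.key" "$1/loose.key"
    chmod 600 "$1/current.key" "$1/new.key"
    chmod 644 "$1/loose.key"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for k in current new loose; do preflight_key "$demo_dir/$k.key" || true; done
rm -rf "$demo_dir"
```

The permission check is the strict case (no group or other bits); a key file owned by root with mode 0640 would need a separate branch.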

Re: SSL - automatic entry of certificate passphrase in PostgreSQL 10?

From
"Vasanth Kumar Pediseti"
Date:
PLEASE STOP SENDING  - NOT INTERESTED

From: Martin Goodson <kaemaril@googlemail.com>
Sent: Fri, 06 Dec 2019 18:55:43
To: pgsql-admin <pgsql-admin@postgresql.org>
Subject: SSL - automatic entry of certificate passphrase in PostgreSQL 10?
