Thread: pg_basebackup with hostssl ?
I've had a quick glance through the man page for pg_basebackup but can't see any flags to set ssl.

Long story short, I've got the following in pg_hba.conf of the master:
hostssl replication all 10.0.0.0/8 md5

But the slave is complaining:
FATAL: no pg_hba.conf entry for replication connection from host "10.1.2.3", user "myrepl", no encryption

I suspect this is almost certainly because I'm using "hostssl" instead of "host".

But other than the obvious and undesirable quick-fix, how should I be calling pg_basebackup to make sure it uses encryption?
On 2/2/22 07:48, Laura Smith wrote:
> I've had a quick glance through the man page for pg_basebackup but can't see any flags to set ssl.
>
> Long story short, I've got the following in pg_hba.conf of the master:
> hostssl replication all 10.0.0.0/8 md5
>
> But the slave is complaining:
> FATAL: no pg_hba.conf entry for replication connection from host "10.1.2.3", user "myrepl", no encryption
>
> I suspect this is almost certainly because I'm using "hostssl" instead of "host".
>
> But other than the obvious and undesirable quick-fix, how should I be calling pg_basebackup to make sure it uses encryption?

I am not following. pg_basebackup is a stand alone client that is not involved in replication other than establishing a starting point from which to later establish a replication relationship.

The error is saying that whatever instance you are pointing pg_basebackup at does not have an entry in pg_hba.conf for the host/user/encryption combination pg_basebackup is trying to connect as.

--
Adrian Klaver
adrian.klaver@aklaver.com
Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Wednesday, February 2nd, 2022 at 16:30, Adrian Klaver <adrian.klaver@aklaver.com> wrote:

> I am not following. pg_basebackup is a stand alone client that is not involved in replication other than establishing a starting point from which to later establish a replication relationship.

Indeed. And that is exactly what I am trying to do (i.e. have master, want new slave).

> The error is saying that whatever instance you are pointing pg_basebackup at does not have an entry in pg_hba.conf for the host/user/encryption combination pg_basebackup is trying to connect as.

But it *DOES* have an entry, per my original message:
"hostssl replication all 10.0.0.0/8 md5"

And yes, that hba is loaded and live because other remote clients are happily connected to that server and thus reliant on a valid hba.conf.

The host is correct. The user is correct.

The point I am making is that pg_basebackup is connecting without encryption and I want to know how to tell it to use encryption. The docs are silent on the subject.
Forgot to add that I also have : "hostssl all all 10.0.0.0/8 md5"
On 2/2/22 08:37, Laura Smith wrote:
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Wednesday, February 2nd, 2022 at 16:30, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
>
>> I am not following. pg_basebackup is a stand alone client that is not involved in replication other than establishing a starting point from which to later establish a replication relationship.
>
> Indeed. And that is exactly what I am trying to do (i.e. have master, want new slave).
>
>> The error is saying that whatever instance you are pointing pg_basebackup at does not have an entry in pg_hba.conf for the host/user/encryption combination pg_basebackup is trying to connect as.
>
> But it *DOES* have an entry, per my original message:
> "hostssl replication all 10.0.0.0/8 md5"

From the OP:

"
Long story short, I've got the following in pg_hba.conf of the master:
hostssl replication all 10.0.0.0/8 md5

But the slave is complaining:
FATAL: no pg_hba.conf entry for replication connection from host "10.1.2.3", user "myrepl", no encryption
"

The error is coming from a connection to the slave which does not have data yet, correct?

Or a matching pg_hba.conf entry, it would seem.

> And yes, that hba is loaded and live because other remote clients are happily connected to that server and thus reliant on a valid hba.conf.
>
> The host is correct. The user is correct.
>
> The point I am making is that pg_basebackup is connecting without encryption and I want to know how to tell it to use encryption. The docs are silent on the subject.

Not completely:

https://www.postgresql.org/docs/current/app-pgbasebackup.html

-d connstr
--dbname=connstr

Specifies parameters used to connect to the server, as a <connection string>; these will override any conflicting command line options.

The option is called --dbname for consistency with other client applications, but because pg_basebackup doesn't connect to any particular database in the cluster, any database name in the connection string will be ignored.

Following the <connection string> link:

https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING

You can use that to set sslmode.

--
Adrian Klaver
adrian.klaver@aklaver.com
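An added illustration, not part of any message in this thread and not PostgreSQL's own code: a simplified model of pg_hba.conf rule matching, showing why the hostssl rules quoted above reject a replication connection made without SSL and accept the same connection once it is encrypted (for example with sslmode=require in the -d connection string). The names parse_hba, first_match and RULES are made up for this example, and the parser handles only the five-column CIDR form.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the two pg_hba.conf rules quoted in the thread.
PG_HBA = """\
hostssl replication all 10.0.0.0/8 md5
hostssl all         all 10.0.0.0/8 md5
"""

Rule = namedtuple("Rule", "conntype database user network method")

def parse_hba(text):
    """Parse 'TYPE DATABASE USER CIDR METHOD' lines. Simplified: no 'local',
    no quoting, no comma lists, no separate netmask column."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] in ("host", "hostssl", "hostnossl"):
            t, db, user, cidr, method = fields
            rules.append(Rule(t, db, user, ipaddress.ip_network(cidr), method))
    return rules

def first_match(rules, addr, user, ssl, replication, database=None):
    """Return the first rule that matches the connection, or None (rejected)."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        # 'host' matches TCP with or without SSL; the other two are exclusive.
        if (r.conntype == "hostssl" and not ssl) or (r.conntype == "hostnossl" and ssl):
            continue
        # A physical replication connection matches only the 'replication'
        # keyword, never 'all' or a database name.
        if replication:
            db_ok = r.database == "replication"
        else:
            db_ok = r.database != "replication" and r.database in ("all", database)
        if db_ok and r.user in ("all", user) and ip in r.network:
            return r
    return None

RULES = parse_hba(PG_HBA)

if __name__ == "__main__":
    for ssl in (False, True):
        hit = first_match(RULES, "10.1.2.3", "myrepl", ssl=ssl, replication=True)
        print("ssl=%s ->" % ssl, "rejected: no matching entry" if hit is None else hit)
```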
On Wed, Feb 2, 2022 at 9:37 AM Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> wrote:
> The point I am making is that pg_basebackup is connecting without encryption and I want to know how to tell it to use encryption. The docs are silent on the subject.
It is a client application that talks libpq. All of them understand a common set of environment variables:
Many of those can also be supplied as part of the connection string. These include SSL mode control.
The question I would ask is whether psql connects by default using ssl in the same basic configuration. If so, then the inconsistency amounts to pg_basebackup having an insecure default connection method while psql has a secure one.
David J.
Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Wednesday, February 2nd, 2022 at 16:50, Adrian Klaver <adrian.klaver@aklaver.com> wrote:

> Not completely:
>
> https://www.postgresql.org/docs/current/app-pgbasebackup.html
>
> -d connstr
> --dbname=connstr
>
> Specifies parameters used to connect to the server, as a <connection string>; these will override any conflicting command line options.
>
> The option is called --dbname for consistency with other client applications, but because pg_basebackup doesn't connect to any particular database in the cluster, any database name in the connection string will be ignored.

Seems like I was looking for the wrong words on the right page !

Thanks, will try that.
On 2/2/22 09:18, Laura Smith wrote:
> Seems like I was looking for the wrong words on the right page !
>
> Thanks, will try that.

Before you do that I would establish that you are connecting to the correct Postgres instance.

--
Adrian Klaver
adrian.klaver@aklaver.com
Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Wednesday, February 2nd, 2022 at 17:20, Adrian Klaver <adrian.klaver@aklaver.com> wrote:

> Before you do that I would establish that you are connecting to the correct Postgres instance.

Good news, all up and running !

The new "postgresql.auto.conf" automagic is pure awesome. ;-)