Replication using mTLS issue

From: Drew Zoellner
Hi Postgres team, I’m receiving an issue matching pg_hba rules that I can’t seem to sort out. I am trying to use mtls certificate authentication for physical replication connections but keep receiving the following error…

pg_receivewal: error: FATAL:  no pg_hba.conf entry for replication connection from host "100.84.12.223", user "pgrepmgr_nonprod", SSL on


My pg_hba.conf file contains

	hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

I’ve made sure the rule comes first in my pg_hba.conf file or last. I’ve read the pg_hba documentation fully and tried with all values for hostssl field, user field and ip field. Still no luck.
Is cert authentication supported for replication connections?

Re: Replication using mTLS issue

From: Tom Lane
Drew Zoellner <drewtzoellner@gmail.com> writes:
> Hi Postgres team, I’m receiving an issue matching pg_hba rules that I can’t
> seem to sort out. I am trying to use mtls certificate authentication for
> physical replication connections but keep receiving the following error…

> pg_receivewal: error: FATAL:  no pg_hba.conf entry for replication
> connection from host "100.84.12.223", user "pgrepmgr_nonprod", SSL on

> My pg_hba.conf file contains
>     hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

Hm, the match failure must be on user name.  What certificate are you
using on the client side, and what user name does pgrepmgr_nonprod_map
map it to?  Does it succeed if you weaken the hba entry to

    hostssl replication all 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

> Is cert authentication supported for replication connections?

Should be.  But you might find it easier to debug the auth failure
in a non-replication context, ie add

    hostssl all pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

and then see if you can connect with the same credentials from psql
or your favorite other client.

BTW, don't forget you have to signal the postmaster to reload
configuration after any change in these files.

            regards, tom lane
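As an added example (not code from the thread), a small Python model of how the server scans pg_hba.conf top-down for the two entries discussed. It shows that the database keyword `all` never matches a replication connection while `replication` does, and that the quoted entry matches the host, user and SSL state printed in the FATAL message. The HBA text is constructed; the model skips `local` lines, quoting, `+group` and `same*` keywords.

```python
import ipaddress

# Constructed pg_hba.conf contents mirroring the two entries in the thread
# (assumed for this example; not the poster's actual file).
HBA = """
hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map
hostssl all         pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map
"""

def parse_hba(text):
    """Parse host-type entries into (type, databases, users, network, method, options).
    Simplified: skips 'local' lines and ignores quoting, '+group' and 'same*' keywords."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] == "local":
            continue
        ctype, dbs, users, addr, method, *opts = fields
        rules.append((ctype, dbs.split(","), users.split(","),
                      ipaddress.ip_network(addr, strict=False), method, opts))
    return rules

def db_matches(field, database):
    """Replication connections match only the keyword 'replication';
    'all' covers every real database but never a replication connection."""
    if database == "replication":
        return field == "replication"
    return field in ("all", database)

def first_match(rules, database, user, host, ssl):
    """Return the first entry that matches, as the server scans pg_hba.conf top-down,
    or None, which is what produces the 'no pg_hba.conf entry' FATAL."""
    ip = ipaddress.ip_address(host)
    for rule in rules:
        ctype, dbs, users, net, _method, _opts = rule
        if (ctype == "hostssl" and not ssl) or (ctype == "hostnossl" and ssl):
            continue
        if not any(db_matches(d, database) for d in dbs):
            continue
        if not any(u in ("all", user) for u in users):
            continue
        if ip not in net:
            continue
        return rule
    return None

if __name__ == "__main__":
    rules = parse_hba(HBA)
    # The connection from the error message: replication, pgrepmgr_nonprod, SSL on.
    print(first_match(rules, "replication", "pgrepmgr_nonprod", "100.84.12.223", True))
    # Without the 'replication' entry, 'all' alone does not admit the connection.
    print(first_match(rules[1:], "replication", "pgrepmgr_nonprod", "100.84.12.223", True))
```

If the model matches but the real server says no entry matches, the live file differs from what you think it is, which is why pg_hba_file_rules and a reload are worth re-checking.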



Re: Replication using mTLS issue

From: Drew Zoellner
Hi Tom, thanks for the response!

So the same user is able to connect using a non replication connection using the same mtls certificate and pg_ident.conf map. So it seems like the cert & map are working for this user.

hostssl all pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

This above seems to be the rule that matched the non replication connection which was successful. 

I have tried relaxing the pg_hba.conf line to all like you suggested for the username and also for IPs and other combinations, unfortunately nothing was working. 

I have been sure to use SELECT pg_reload_conf(); to update changes made to the pg_hba.conf. I have additionally used SELECT pg_hba_file_rules(); to verify the rules are showing up as expected from the live DB perspective.

Since non-replication connections are working, and the only change to the HBA conf for the replication connection is just all -> replication, it seems like it should be matching. Any other suggestions?

Thanks, Drew.

On Fri, Jun 21, 2024 at 11:46 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Re: Replication using mTLS issue

From: Tom Lane
Drew Zoellner <drewtzoellner@gmail.com> writes:
> So the same user is able to connect using a non replication connection
> using the same mtls certificate and pg_ident.conf map. So it seems like the
> cert & map are working for this user.

Hmph.  I tried to reproduce your problem, and it works for me: I can
create a replication connection that's authenticated by certificate
and relies on a username map to map from the CN in the client
certificate to the database username that's mentioned in the "hostssl
replication" entry.

All I can suggest at this point is to go over your configuration
with a fine-tooth comb, looking for probably-silly mistakes such as
inconsistent spellings.  One thing I can think of to mention in
particular is to be sure that the standby's primary_conninfo
explicitly includes "user=pgrepmgr_nonprod", as that's likely not the
user name it'd default to.

Another idea could be to enable log_connections on the primary,
and see if the incoming connection request looks different than
you were expecting.

            regards, tom lane
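An added example (not Tom's reproduction setup) modeling the two checks in this reply: resolving a pg_ident.conf map from the certificate CN to the requested role, including a regex entry with `\1` substitution, and confirming that primary_conninfo names that role explicitly rather than defaulting. The map lines, CN and conninfo string are constructed values.

```python
import re

# Constructed pg_ident.conf using the thread's map name; the CN and conninfo
# below are assumed for this example, not the poster's real values.
IDENT = r"""
# MAPNAME              SYSTEM-USERNAME                  PG-USERNAME
pgrepmgr_nonprod_map   repmgr-nonprod.example.internal  pgrepmgr_nonprod
pgrepmgr_nonprod_map   /^pgrepmgr_(nonprod|prod)$       pgrepmgr_\1
"""
CONNINFO = ("host=100.84.12.10 port=5432 user=pgrepmgr_nonprod "
            "sslmode=verify-full sslcert=/etc/pg/client.crt sslkey=/etc/pg/client.key")

def parse_ident(text):
    """Return (map, system_username, pg_username) triples, skipping comments/blanks."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            out.append(tuple(fields[:3]))
    return out

def map_allows(maps, mapname, system_user, db_user):
    """Does 'mapname' let certificate CN 'system_user' log in as role 'db_user'?
    A SYSTEM-USERNAME starting with '/' is a regex; '\\1' in PG-USERNAME is
    replaced by its first capture group, as pg_ident.conf does."""
    for name, sysname, pguser in maps:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_user)
            if m is None:
                continue
            if "\\1" in pguser:
                pguser = pguser.replace("\\1", m.group(1))
            if pguser == db_user:
                return True
        elif sysname == system_user and pguser == db_user:
            return True
    return False

def conninfo_user(conninfo):
    """Return the explicit user= from a primary_conninfo string, or None if it would default."""
    m = re.search(r"(?:^|\s)user=(\S+)", conninfo)
    return m.group(1) if m else None

def check_replication_identity(conninfo, cert_cn, maps, mapname):
    """(requested role, whether the map permits cert_cn to be that role)."""
    user = conninfo_user(conninfo)
    if user is None:
        return (None, False)
    return (user, map_allows(maps, mapname, cert_cn, user))
```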