<div dir="ltr"><div dir="auto">Hi Tatsuo<span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">/team</span>,</div><div dir="auto"><br></div><div dir="auto">Thank you for your email and <span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">information</span>.</div><div dir="auto"><br></div><div dir="auto"><span class="gmail_default" style="font-family:"trebuchet ms",sans-serif"></span><span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">In that </span>case can you please confirm<font face="trebuchet ms, sans-serif"> </font>the considerations for having <span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">Certificate Authentication</span> only <span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">between client and</span> pgpool-II?<span class="gmail_default" style="font-family:"trebuchet ms",sans-serif"> Does pgpool-II terminate the SSL based on the CN string (on the x509 Certificate) and then use a separate connection to authenticate with the backends? If yes, what about the password requirements for backend connection from Pgpool-II?</span></div><div dir="auto"><span class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></span></div><div><span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">Thanks,</span></div><div><span class="gmail_default" style="font-family:"trebuchet ms",sans-serif">Jerry</span></div></div><div dir="auto"><br></div><div dir="auto"><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 5 Nov 2021 at 01:33, Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> Hi,<br>
> <br>
> I am looking to deploy pgpool and postgres cluster with SSL onto a<br>
> Kubernetes Cluster.<br>
> <br>
> *Reference for SSL Setup: *<br>
> <a href="https://www.highgo.ca/2020/02/25/setting-up-ssl-certificate-authentication-with-pgpool-ii/" rel="noreferrer" target="_blank">https://www.highgo.ca/2020/02/25/setting-up-ssl-certificate-authentication-with-pgpool-ii/</a><br>
> <br>
> I was able to set up the Certificates for both pgpool and postgres.<br>
> <br>
> But after setup, I am not able to connect through pgpool. However, I am<br>
> able to connect to postgres directly using the hostnames attached to the<br>
> postgres database or a headless service or just localhost for the *postgres*<br>
> user.<br>
> <br>
> Following is the error from pgpool logs,<br>
> <br>
> *2021-11-04 21:57:26: pid 131: LOG: SSL certificate authentication<br>
> for user "postgres" with Pgpool-II is successful<br>
> 2021-11-04 21:57:26: pid 131: ERROR: backend authentication failed<br>
> 2021-11-04 21:57:26: pid 131: DETAIL: backend response with kind 'E'<br>
> when expecting 'R'<br>
> 2021-11-04 21:57:26: pid 131: HINT: This issue can be caused by<br>
> version mismatch (current version 3)<br>
> 2021-11-04 21:57:26: pid 130: LOG: SSL certificate authentication for<br>
> user "postgres" with Pgpool-II is successful<br>
> 2021-11-04 21:57:26: pid 130: ERROR: backend authentication failed<br>
> 2021-11-04 21:57:26: pid 130: DETAIL: backend response with kind 'E'<br>
> when expecting 'R'<br>
> 2021-11-04 21:57:26: pid 130: HINT: This issue can be caused by<br>
> version mismatch (current version 2)*<br>
> <br>
> Test: psql "sslmode=require port=5432 host=localhost dbname=postgres<br>
> sslcert=./client.crt sslkey=./client.key sslrootcert=./ca.pem"<br>
> --username postgres<br>
> <br>
> Original Source Code for Kubernetes Manifests:<br>
> <a href="https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha" rel="noreferrer" target="_blank">https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha</a><br>
> <br>
> Please see additional PRs talking about enabling both TLS at the same time,<br>
> <a href="https://github.com/bitnami/bitnami-docker-pgpool/issues/18" rel="noreferrer" target="_blank">https://github.com/bitnami/bitnami-docker-pgpool/issues/18</a><br>
> <br>
> Additionally, in the pgpool documentation I noticed some conflicting<br>
> notes <<a href="https://www.pgpool.net/docs/42/en/html/auth-methods.html" rel="noreferrer" target="_blank">https://www.pgpool.net/docs/42/en/html/auth-methods.html</a>> like,<br>
> <br>
> *Note: The certificate authentication works between only client and<br>
> Pgpool-II. The certificate authentication does not work between<br>
> Pgpool-II and PostgreSQL. For backend authentication you can use any<br>
> other authentication method.*<br>
> <br>
> If you could please help me understand the whether this is a<br>
> configuration or design flaw?<br>
<br>
No. It's a limitation of Pgpool-II. Pgpool-II allows to use the<br>
certificate authentication between client and Pgpool-II. Since<br>
Pgpool-II is a proxy, it needs to be authenticated by PostgreSQL as<br>
well. Unfortunately currently Pgpool-II does not implement certificate<br>
authentication against PostgreSQL.<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
</blockquote></div></div>