[pgpool-general: 7854] Re: Support for Certificate Authentication PgPool and Postgres
ishii at sraoss.co.jp
Fri Nov 5 20:22:43 JST 2021
> Hi Tatsuo/team,
> Thank you for your email and information.
> In that case can you please confirm the considerations for having Certificate
> Authentication only between client and pgpool-II?
> Does pgpool-II terminate
> the SSL based on the CN string (on the x509 Certificate) and then use a
> separate connection to authenticate with the backends?
> If yes, what about
> the password requirements for backend connection from Pgpool-II?
You can choose any of the auth methods supported by Pgpool-II, namely:
trust (no password), md5, and scram-256. GSSAPI is not supported
(yet). The user's password must be stored in pool_passwd.
> On Fri, 5 Nov 2021 at 01:33, Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> > Hi,
>> > I am looking to deploy pgpool and postgres cluster with SSL onto a
>> > Kubernetes Cluster.
>> > Reference for SSL Setup:
>> > I was able to set up the Certificates for both pgpool and postgres.
>> > But after setup, I am not able to connect through pgpool. However, I am
>> > able to connect to postgres directly using the hostnames attached to the
>> > postgres database or a headless service or just localhost for the
>> > user.
>> > Following is the error from pgpool logs,
>> > 2021-11-04 21:57:26: pid 131: LOG: SSL certificate authentication
>> > for user "postgres" with Pgpool-II is successful
>> > 2021-11-04 21:57:26: pid 131: ERROR: backend authentication failed
>> > 2021-11-04 21:57:26: pid 131: DETAIL: backend response with kind 'E'
>> > when expecting 'R'
>> > 2021-11-04 21:57:26: pid 131: HINT: This issue can be caused by
>> > version mismatch (current version 3)
>> > 2021-11-04 21:57:26: pid 130: LOG: SSL certificate authentication for
>> > user "postgres" with Pgpool-II is successful
>> > 2021-11-04 21:57:26: pid 130: ERROR: backend authentication failed
>> > 2021-11-04 21:57:26: pid 130: DETAIL: backend response with kind 'E'
>> > when expecting 'R'
>> > 2021-11-04 21:57:26: pid 130: HINT: This issue can be caused by
>> > version mismatch (current version 2)
>> > Test: psql "sslmode=require port=5432 host=localhost dbname=postgres
>> > sslcert=./client.crt sslkey=./client.key sslrootcert=./ca.pem"
>> > --username postgres
>> > Original Source Code for Kubernetes Manifests:
>> > https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha
>> > Please see additional PRs talking about enabling both TLS at the same
>> > https://github.com/bitnami/bitnami-docker-pgpool/issues/18
>> > Additionally, in the pgpool documentation I noticed some conflicting
>> > notes <https://www.pgpool.net/docs/42/en/html/auth-methods.html> like,
>> > Note: The certificate authentication works between only client and
>> > Pgpool-II. The certificate authentication does not work between
>> > Pgpool-II and PostgreSQL. For backend authentication you can use any
>> > other authentication method.
>> > Could you please help me understand whether this is a
>> > configuration or design flaw?
>> No. It's a limitation of Pgpool-II. Pgpool-II allows the use of
>> certificate authentication between the client and Pgpool-II. Since
>> Pgpool-II is a proxy, it needs to be authenticated by PostgreSQL as
>> well. Unfortunately, Pgpool-II currently does not implement certificate
>> authentication against PostgreSQL.
>> Tatsuo Ishii
>> SRA OSS, Inc. Japan
>> English: http://www.sraoss.co.jp/index_en.php
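The practical consequence of the answer above is that, once the client's certificate has been accepted by Pgpool-II, Pgpool-II has to present its own credential for that user to the backend, and that credential comes from pool_passwd. The following script is an added example and is not code from this thread or from the Pgpool-II project. It builds pool_passwd entries in the md5-hashed and TEXT forms, parses a pool_passwd file, and reports which stored form can satisfy which backend auth method (pool_hba/pg_hba name scram-sha-256 for what the reply calls scram-256). Assumptions: the md5 entry is the PostgreSQL-compatible "md5" + md5(password || username) that pg_md5 --md5auth writes; the AES form produced by pg_enc is only recognised, not reimplemented; and a scram-sha-256 backend needs the cleartext (AES or TEXT) password because Pgpool-II must compute the SCRAM client proof itself. Sample users and passwords are constructed.

```python
import hashlib
import re
from typing import Optional, Tuple

# Recognises the md5 form assumed here: "md5" followed by 32 hex digits.
POOL_PASSWD_MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def pg_md5_hash(username: str, password: str) -> str:
    """PostgreSQL-compatible md5 password hash: "md5" + hex(md5(password || username)).
    Assumed to be the value pg_md5 --md5auth writes into pool_passwd."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def md5_entry(username: str, password: str) -> str:
    """pool_passwd line in md5 form: username:md5<hex>."""
    return f"{username}:{pg_md5_hash(username, password)}"


def text_entry(username: str, password: str) -> str:
    """pool_passwd line in plain-text form (TEXT prefix).
    Anyone who can read pool_passwd can read this password."""
    return f"{username}:TEXT{password}"


def verify_md5_entry(entry: str, username: str, password: str) -> bool:
    """Check a username/password pair against an md5-form pool_passwd line."""
    user, _, stored = entry.partition(":")
    return user == username and stored == pg_md5_hash(username, password)


def parse_pool_passwd(content: str) -> dict:
    """Return {username: (kind, value)} with kind in {"md5", "AES", "TEXT"}."""
    entries = {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed pool_passwd line: {raw!r}")
        if POOL_PASSWD_MD5_RE.match(value):
            kind = "md5"
        elif value.startswith("AES"):
            kind = "AES"   # written by pg_enc; Pgpool-II decrypts it with .pgpoolkey
        elif value.startswith("TEXT"):
            kind = "TEXT"
        else:
            raise ValueError(f"unrecognised pool_passwd value for user {user!r}")
        entries[user] = (kind, value)
    return entries


# Stored forms Pgpool-II can present for each backend auth method (assumed mapping).
# md5 backend: the stored md5 hash can be replayed, or a cleartext password hashed.
# scram-sha-256 backend: a SCRAM client proof needs the cleartext password, so an
# md5-only entry is useless. trust: no credential needed at all.
USABLE = {
    "trust": {"md5", "AES", "TEXT", None},
    "md5": {"md5", "AES", "TEXT"},
    "scram-sha-256": {"AES", "TEXT"},
}


def usable_for_backend(kind: Optional[str], backend_auth: str) -> bool:
    if backend_auth not in USABLE:
        raise ValueError(f"unsupported backend auth method: {backend_auth}")
    return kind in USABLE[backend_auth]


def check_backend_credential(content: str, username: str,
                             backend_auth: str) -> Tuple[bool, str]:
    """After client-cert auth at Pgpool-II has mapped the session to `username`,
    decide whether pool_passwd holds something Pgpool-II can present to the backend."""
    entries = parse_pool_passwd(content)
    kind = entries.get(username, (None, None))[0]
    if kind is None and backend_auth != "trust":
        return False, f"no pool_passwd entry for {username!r}"
    if not usable_for_backend(kind, backend_auth):
        return False, f"{kind} entry cannot satisfy backend auth {backend_auth}"
    return True, f"{kind or 'no'} entry is usable for backend auth {backend_auth}"


# Constructed sample pool_passwd; these users and passwords are not from the thread.
SAMPLE_POOL_PASSWD = "\n".join([
    "# constructed sample, not a real pool_passwd",
    md5_entry("app_md5", "example-md5-password"),
    text_entry("app_text", "example-text-password"),
])

if __name__ == "__main__":
    for user in ("app_md5", "app_text", "nobody"):
        for method in ("trust", "md5", "scram-sha-256"):
            print(user, method, check_backend_credential(SAMPLE_POOL_PASSWD, user, method))
```

The table of usable forms is the point a practitioner should take from the thread: certificate authentication at the Pgpool-II edge does not remove the need for a replayable secret on the Pgpool-II host, and if the backends require scram-sha-256 that secret has to be recoverable as cleartext (AES with .pgpoolkey, or TEXT), so file permissions on pool_passwd and .pgpoolkey matter as much as the client certificates do.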