Bug 1482697 - Problem enabling SSL connections to CF database node
Summary: Problem enabling SSL connections to CF database node
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: GA
Target Release: 5.10.0
Assignee: Nick Carboni
QA Contact: luke couzens
URL:
Whiteboard:
Depends On:
Blocks: 1527625
Reported: 2017-08-17 22:24 UTC by Saif Ali
Modified: 2020-12-14 09:35 UTC (History)

Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1527625
Environment:
Last Closed: 2018-06-21 21:03:46 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
lcouzens: needinfo-



Description Saif Ali 2017-08-17 22:24:13 UTC
Description of problem:
We are following section 4.2 of the CF 4.2 Appliance Hardening Guide to enable SSL connections to our database appliance.  We completed the steps for the database appliance and have copied the root.crt to another connecting appliance; however, when we test the connection we get the following output:

[root@ahost ~]# psql -h aplcfdbp01.mmacct.root.mds -d vmdb_production
psql: SSL error: certificate verify failed
FATAL:  no pg_hba.conf entry for host "10.130.43.50", user "root", database "vmdb_production", SSL off

The pg_hba.conf file on the database appliance contains the following, and postgresql.conf has been updated per documentation:
# TYPE  DATABASE USER  ADDRESS       METHOD
local   all      all                 peer map=usermap
#host    all      all   all           md5
hostssl  all      all   all           md5
host  replication  all  all  md5


Version-Release number of selected component (if applicable):
5.7.2

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
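
The failure quoted in the description can be traced through the server's pg_hba.conf rules together with libpq's default sslmode of prefer, which tries an SSL connection first and, if that fails, retries without SSL. The following script is an added example, not part of the bug report or of the CloudForms appliance code: a simplified pg_hba.conf matcher (connection type, database, user, and `all` or CIDR addresses; hostnames, samehost and samenet are not modelled) fed a copy of the rules from the description, plus a small model of the prefer fallback. The function names and the constructed connection attempts are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# pg_hba.conf rules copied from the bug description (constructed test input).
PG_HBA = """
local   all      all                 peer map=usermap
#host    all      all   all           md5
hostssl  all      all   all           md5
host  replication  all  all  md5
"""


@dataclass
class Attempt:
    """One client connection attempt as the server sees it."""
    database: str
    user: str
    address: Optional[str]      # None means a Unix-domain socket ("local")
    ssl: bool                   # True if the connection is SSL-encrypted
    replication: bool = False   # True for a replication connection


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into rule dicts, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":        # local lines have no ADDRESS column
            ctype, db, user, method = fields[:4]
            addr, opts = None, fields[4:]
        else:
            ctype, db, user, addr, method = fields[:5]
            opts = fields[5:]
        rules.append({"type": ctype, "db": db, "user": user,
                      "addr": addr, "method": method, "opts": opts})
    return rules


def _type_matches(rule_type, a):
    if a.address is None:
        return rule_type == "local"
    if rule_type == "host":            # matches with or without SSL
        return True
    if rule_type == "hostssl":         # matches only SSL connections
        return a.ssl
    if rule_type == "hostnossl":       # matches only cleartext connections
        return not a.ssl
    return False


def _db_matches(field, a):
    names = field.split(",")
    if a.replication:                  # 'all' does not cover replication
        return "replication" in names
    return "all" in names or a.database in names


def _user_matches(field, a):
    names = field.split(",")
    return "all" in names or a.user in names


def _addr_matches(field, a):
    if field is None or field == "all":
        return True
    try:
        net = ipaddress.ip_network(field, strict=False)
    except ValueError:                 # hostnames etc. are not modelled here
        return False
    return ipaddress.ip_address(a.address) in net


def match_rule(rules, attempt):
    """Return the first matching rule, or None (=> 'no pg_hba.conf entry')."""
    for r in rules:
        if (_type_matches(r["type"], attempt) and _db_matches(r["db"], attempt)
                and _user_matches(r["user"], attempt) and _addr_matches(r["addr"], attempt)):
            return r
    return None


def connect_like_libpq_prefer(rules, attempt, ssl_handshake_ok):
    """Model sslmode=prefer: try SSL; if the handshake fails, retry in the clear.

    Returns a trace of (transport, method-or-None) tuples.
    """
    trace = []
    ssl_attempt = Attempt(attempt.database, attempt.user, attempt.address, True, attempt.replication)
    if ssl_handshake_ok:
        r = match_rule(rules, ssl_attempt)
        trace.append(("ssl", r["method"] if r else None))
        return trace
    trace.append(("ssl", "handshake failed"))
    plain = Attempt(attempt.database, attempt.user, attempt.address, False, attempt.replication)
    r = match_rule(rules, plain)
    trace.append(("plain", r["method"] if r else None))
    return trace


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    root = Attempt("vmdb_production", "root", "10.130.43.50", ssl=False)
    print(connect_like_libpq_prefer(rules, root, ssl_handshake_ok=False))
    print(connect_like_libpq_prefer(rules, root, ssl_handshake_ok=True))
```

Run against these rules, a cleartext attempt from 10.130.43.50 as root matches nothing, which is the FATAL line in the report: the SSL attempt failed at certificate verification, libpq retried without SSL, and the only TCP rule for ordinary databases is hostssl. The same model shows that the plain `host replication` line still admits cleartext replication connections, which matters if the goal is to force encryption for every client.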

Comment 7 luke couzens 2017-08-29 15:26:50 UTC
I can't seem to reproduce this in 5.7.3, only seeing this on 5.7.2.

I did, however, notice something else that may be the reason for this working in later builds: it seems that after enabling ssl on an appliance you can still connect to it without first copying the root.crt to the /root/.postgresql/ location of the client appliance.

Correct me if I am wrong, but I am not sure this should be possible; as far as I understand it, we should require the cert to connect to the appliance database?

Perhaps in later builds it seems as though this original issue is fixed, but in reality we are not actually connecting to the database with the cert.

Comment 8 Nick Carboni 2017-12-12 20:00:39 UTC
After looking into our process for enabling ssl on the database it seems like none of the client configuration steps should be necessary.

Additionally, the /var/www/miq/vmdb/certs/root.crt file is not needed.

After seeing this, I created the following PRs to enable ssl using a newly generated cert on database creation:

https://github.com/ManageIQ/manageiq-appliance_console/pull/22
https://github.com/ManageIQ/manageiq-appliance/pull/162

These should remove the need for this portion of the documentation as it exists today.

We may want to add separate sections about using your own certs or configuring clients to only connect to database servers which are running using ssl. I'll open a separate docs BZ to track that after the PRs are merged.

Comment 9 Nick Carboni 2017-12-18 20:24:44 UTC
Moving this to post. A newly created internal database will be automatically configured to use ssl connections.

Comment 11 luke couzens 2018-06-21 07:30:57 UTC
Verified in 5.10

