Re: Replication & TLS encryption - how?

From Laurenz Albe
Subject Re: Replication & TLS encryption - how?
Msg-id 84304703ff2131cb3302eaf12b31a235b25a76a6.camel@cybertec.at
In reply to Re: Replication & TLS encryption - how?  (lejeczek <peljasz@yahoo.co.uk>)
Responses Re: Replication & TLS encryption - how?
List pgsql-admin
On Thu, 2021-04-08 at 09:21 +0100, lejeczek wrote:
> On 08/04/2021 03:59, Laurenz Albe wrote:
> > On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
> > > On 07/04/2021 17:36, Tom Lane wrote:
> > > > lejeczek <peljasz@yahoo.co.uk> writes:
> > > > > A novice here thus please go easy on me as I ask this - I
> > > > > see docs/howtos all over the place be those either talk of
> > > > > encryption or replication. I failed to find one which blend
> > > > > these two concepts together - sure it's possible to pgSQL
> > > > > replication encrypted, right?
> > > 
> > > Thanks. Would you know how '|clientcert=1' fits into the
> > > equation?
> > > With it present in pg_hba.conf pgSQL was not happy saying:
> > > 
> > > FATAL:  connection requires a valid client certificate.
> >
> > Then include "sslcert" in "primary_conninfo".
> > 
> > You can use all the libpq connection parameters:
> > https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
> 
> This below is what 'pg_basebackup' generated on the master 
> itself, master which already was configured for TLS/certs.
> 
> primary_conninfo = 'user=replicator password=''9897'' 
> channel_binding=prefer host=10.1.1.224 port=5432 
> sslmode=prefer sslcompression=0 
> ssl_min_protocol_version=TLSv1.2 gssencmode=prefer 
> krbsrvname=postgres target_session_attrs=any'
> 
> And with master's:
> 
> hostssl    replication     replicator      10.1.1.223/32 md5 
> clientcert=1

I repeat: add "sslcert" to "primary_conninfo".
Of course you will need a private key that matches the certificate.

> I guess my question - as any novice's - would be: is 
> replication really 100% encrypted? How to confirm-test it?

Look at the appropriate line in "pg_stat_ssl".

> Lastly: is there anything more at 'pg_basebackup' stage user 
> can do to have 'configs' more ready, more complete for 'full 
> encryption' when starting with master already configured 
> with TLS?
> I'm on 13.2 version.

No, this always requires manual configuration.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
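
Added example, not part of the original message or of PostgreSQL: a small Python check that parses a `primary_conninfo` setting the way libpq reads keyword=value strings and reports what is missing for the `hostssl ... clientcert=1` rule discussed in the thread. The function names are made up for this illustration; the sample is the setting quoted in the message, rejoined onto one line.

```python
import re

# sslmode values with which libpq may end up on an unencrypted connection
WEAK_SSLMODES = {"disable", "allow", "prefer"}
# keyword = value, where value is 'quoted' or a bare word; backslash escapes a character
PAIR = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|((?!')(?:[^\s\\]|\\.)*))")

def conninfo_from_conf(line):
    """Pull the value out of a postgresql.conf primary_conninfo line, undoing '' quoting."""
    m = re.match(r"\s*primary_conninfo\s*=\s*'(.*)'\s*$", line, re.S)
    if not m:
        raise ValueError("not a quoted primary_conninfo setting")
    return m.group(1).replace("''", "'")

def parse_conninfo(s):
    """Parse libpq keyword=value pairs into a dict, rejecting malformed input."""
    params, pos = {}, 0
    while s[pos:].strip():
        m = PAIR.match(s, pos)
        if not m:
            raise ValueError(f"malformed conninfo near offset {pos}")
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
        pos = m.end()
    return params

def audit(params):
    """Return (parameter, finding) pairs for a standby that must present a client certificate."""
    findings = []
    mode = params.get("sslmode", "prefer")  # libpq's default when unset
    if mode in WEAK_SSLMODES:
        findings.append(("sslmode", f"{mode} does not force TLS from the standby side"))
    for key in ("sslcert", "sslkey"):
        if key not in params:
            findings.append((key, "not set; libpq falls back to the default file under ~/.postgresql/"))
    return findings

# Setting quoted in the message above, rejoined onto one line
SAMPLE = ("primary_conninfo = 'user=replicator password=''9897'' channel_binding=prefer "
          "host=10.1.1.224 port=5432 sslmode=prefer sslcompression=0 "
          "ssl_min_protocol_version=TLSv1.2 gssencmode=prefer krbsrvname=postgres "
          "target_session_attrs=any'")
```

This only inspects the standby's configuration; whether a running replication connection is actually encrypted is still confirmed on the primary in "pg_stat_ssl".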



