Discussion: [ODBC] Fwd: Connection string parameter sslrootcert does not work
Hi,
I'm trying to programmatically connect to an RDS Postgres instance with SSL enabled, using the psqlodbc driver (Version: postgresql94-odbc-09.03.0400-1PGDG.rhel6.x86_64.rpm). I'm having trouble with the sslrootcert parameter.
To enable SSL for a Postgres connection, I appended the following parameters to the connection string:
sslmode=verify-ca;sslrootcert=<location of root certificate on the client>
The root certificate exists as a .pem file.
In addition, I also enabled the debug and comm logs:
debug=1;commlog=1
The resulting logs showed the following error:
…
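00028427: 2017-01-17T21:16:57 [SERVER ]I: Going to connect to ODBC connection string: Driver={PostgreSQL Unicode(x64)};Server=<hostname>;Port=-<port>;Database=<database-name>;UseDeclareFetch=1;Fetch=10000;Uid=<username>;Pwd=****;sslmode=verify-ca;sslrootcert=<location of root.pem file on the client>;debug=1;commlog=1
00028427: 2017-01-17T21:16:57 [SERVER ]E: RetCode: SQL_ERROR SqlState: 08001 NativeError: 101 Message: [unixODBC]root certificate file "/home/<current-user>/.postgresql/root.crt" does not exist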
Either provide the file or change sslmode to disable server certificate verification. [122502] ODBC general error.
00028427: 2017-01-17T21:16:57 [SERVER ]E: Failed to connect [122506] Network error has occurred
…
Does this mean the driver cannot recognize the sslrootcert parameter being passed to it? Why does it still refer to the default location of the root certificate? I even tried putting the root certificate in the default location, but it still failed with the same error above.
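I was looking up this issue and found a similar thread that was open 3 years ago: https://www.postgresql.org/message-id/5462D5AA.2040602%40tpf.co.jp. The contributor there had mentioned that there was no option to specify path name. Is that still the case?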
I found another thread which talked about adding support for the sslxxxxxx parameters: https://www.postgresql.org/message-id/CAB7nPqSF%2BVLH5TB0rDPF2UaMhjoBCJSJNCeL9NYh6WqEuPUL7w%40mail.gmail.com
Is there an update on this?
Thanks,
Apurva
On 01/18/2017 11:29 AM, Apurva Paralkar wrote:
> Hi,
>
> I'm trying to programmatically connect to an RDS Postgres instance with
> SSL enabled, using the psqlodbc driver (Version:
> postgresql94-odbc-09.03.0400-1PGDG.rhel6.x86_64.rpm). I'm having trouble
> with the sslrootcert parameter.
>
> To enable SSL for a Postgres connection, I appended the following
> parameters to the connection string:
> sslmode=verify-ca;sslrootcert=<location of root certificate on the client>
> The root certificate exists as a .pem file.
>
> In addition, I also enabled the debug and comm logs:
> debug=1;commlog=1
>
> The resulting logs showed the following error:
> …
> 00028427: 2017-01-17T21:16:57 [SERVER ]I: Going to connect to ODBC connection string: Driver={PostgreSQL Unicode(x64)};Server=<hostname>;Port=-<port>;Database=<database-name>;UseDeclareFetch=1;Fetch=10000;Uid=<username>;Pwd=****;sslmode=verify-ca;sslrootcert=<location of root.pem file on the client>;debug=1;commlog=1
> 00028427: 2017-01-17T21:16:57 [SERVER ]E: RetCode: SQL_ERROR SqlState: 08001 NativeError: 101 Message: [unixODBC]root certificate file "/home/<current-user>/.postgresql/root.crt" does not exist
> Either provide the file or change sslmode to disable server certificate verification. [122502] ODBC general error.
> 00028427: 2017-01-17T21:16:57 [SERVER ]E: Failed to connect [122506] Network error has occurred
> …
>
> Does this mean the driver cannot recognize the sslrootcert parameter
> being passed to it? Why does it still refer to the default location of
> the root certificate? I even tried putting the root certificate in the
> default location, but it still failed with the same error above.
>
> I was looking up this issue and found a similar thread that was open 3
> years ago:
> https://www.postgresql.org/message-id/5462D5AA.2040602%40tpf.co.jp. The
> contributor there had mentioned that there was no option to specify path
> name. Is that still the case?

In the above did you see the suggestion to use the env variable PGSSLROOTCERT?

> I found another thread which talked about adding support for the
> sslxxxxxx parameters: https://www.postgresql.org/message-id/CAB7nPqSF%2BVLH5TB0rDPF2UaMhjoBCJSJNCeL9NYh6WqEuPUL7w%40mail.gmail.com
>
> Is there an update on this?
>
> Thanks,
> Apurva

--
Adrian Klaver
adrian.klaver@aklaver.com
Yes, I did. But I need to be able to simultaneously connect to multiple Postgres instances from the same client, each with its own CA certificate. Hence the need for a way to specify a file path. Having a single environment variable does not work for me.

On Wed, Jan 18, 2017 at 12:01 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> In the above did you see the suggestion to use the env variable PGSSLROOTCERT?
'If you can't patch the driver to add a variable for this parameter, a workaround I've used before is to set up a launcher script that sets pgsslrootcert as a process scope environment variable. I used a VBScript and changed the app shortcut to call the script (on Windows). This should allow multiple connections.'

How easy or difficult is it to patch the driver to add a variable for this parameter? Does something in the driver inherently prevent us from adding these parameters?

I had simplified my setup for the sake of the post. In reality, the client application has a single process which initiates the connections. Once the connections are tested successfully, it spins multiple processes for whatever work it is supposed to be doing. Since it's a single process, it does not make sense to use process scope variables. Also, the idea of multiple processes to simply test connections seems like overkill.
Hi Apurva,
Sorry for the late reply.

On 2017/01/19 4:29, Apurva Paralkar wrote:
> Does this mean the driver cannot recognize the sslrootcert parameter being passed to it?

Yes.
Now I'm planning to introduce a new option which specifies libpq connection parameters as a conninfo style string, like
pqopt={sslrootcert=... sslcert=...}

regards,
Hiroshi Inoue
Hi Apurva,

On 2017/01/24 2:15, Apurva Paralkar wrote:
> Hi Hiroshi,
> Thanks for your response. Can you let me know tentatively when this parameter will be added? I have some deadlines based on this change. I'd like to know if I can wait for your changes or if I should work on a patch myself.

I already changed my local source though I've not tested it sufficiently.
It's in https://github.com/hiinoue/psqlODBC.git in the topic branch pqopt.
However I'm afraid the diff is not applicable to 9.3.0400.

regards,
Hiroshi Inoue
Hi Apurva,

On 2017/01/25 7:47, Apurva Paralkar wrote:
> Thanks for making the change, Hiroshi.
> We can move to using a different version of the driver. Do you know when this would be available for use?

I would push the change to official git if it is confirmed to be OK.
Oops, I made a mistake.
You can find the change in https://github.com/hiinoue/psqlODBC.git in the branch pqopt.

> Also, if the following string was the current connection string:
> Driver={PostgreSQL Unicode(x64)};Server=<hostname>;Port=<port>;Database=<database-name>;UseDeclareFetch=1;Fetch=10000;Uid=<username>;Pwd=****;sslmode=verify-ca;sslrootcert=<location of root.pem file on the client>
> what should the new connection string look like with your changes?

Driver={PostgreSQL Unicode(x64)};Server=<hostname>;Port=<port>;Database=<database-name>;UseDeclareFetch=1;Fetch=10000;Uid=<username>;Pwd=****;sslmode=verify-ca;pqopt={sslrootcert=<location of root.pem file on the client>}
Note that the value of pqopt must be enclosed with braces.
Any libpq connection parameters can be specified in a pqopt option.

regards,
Hiroshi Inoue
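
Added example, not part of the thread and not psqlODBC code: a Python check for connection strings of the form discussed above, which builds one string per server with its own CA file inside pqopt and flags the cases from the thread where certificate verification would silently depend on the process-wide default root.crt or PGSSLROOTCERT. The function names, host names and file paths are assumptions made for the illustration.

```python
import re

VERIFYING_MODES = {"verify-ca", "verify-full"}
# libpq conninfo: key=value pairs separated by spaces, values optionally 'quoted'
CONNINFO_RE = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']*)")

def split_odbc(conn_str):
    """Return [(key, value, braced)]; a value starting with '{' runs to the next '}'."""
    out, i, n = [], 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq < 0:
            break
        key = conn_str[i:eq].strip(" ;").lower()
        start = eq + 1
        braced = conn_str.startswith("{", start)
        if braced:
            end = conn_str.find("}", start)
            if end < 0:
                raise ValueError("unterminated brace in %r" % key)
            value = conn_str[start + 1:end]
            semi = conn_str.find(";", end)
        else:
            semi = conn_str.find(";", start)
            value = conn_str[start:semi if semi >= 0 else n]
        out.append((key, value, braced))
        i = n if semi < 0 else semi + 1
    return out

def parse_conninfo(text):
    """Parse the conninfo-style string carried inside pqopt={...}."""
    params = {}
    for key, raw in CONNINFO_RE.findall(text):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[key.lower()] = raw
    return params

def build(server, database, ca_path):
    """Connection string with a per-connection CA file passed through pqopt."""
    if "}" in ca_path:
        # Assumption: reject rather than guess how the driver escapes '}'.
        raise ValueError("'}' in path would end the braced pqopt value early")
    quoted = "'" + ca_path.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return ("Driver={PostgreSQL Unicode(x64)};Server=%s;Database=%s;"
            "sslmode=verify-ca;pqopt={sslrootcert=%s}" % (server, database, quoted))

def audit(conn_str):
    """List settings that leave the CA choice to process-wide defaults."""
    findings, top, pq = [], {}, {}
    for key, value, braced in split_odbc(conn_str):
        top[key] = value
        if key == "pqopt":
            if not braced:
                findings.append("pqopt value is not enclosed in braces")
            pq = parse_conninfo(value)
    if "sslrootcert" in top:
        # Per the thread: the driver does not recognize this top-level key.
        findings.append("sslrootcert outside pqopt is not read by the driver")
    mode = top.get("sslmode", pq.get("sslmode", ""))
    if mode not in VERIFYING_MODES:
        findings.append("sslmode %r does not verify the server certificate" % mode)
    elif "sslrootcert" not in pq:
        findings.append("no sslrootcert in pqopt: default root.crt or PGSSLROOTCERT applies")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for host, ca in [("db-a.example.internal", "/opt/ca/db a.pem"),
                     ("db-b.example.internal", "/opt/ca/db-b.pem")]:
        s = build(host, "appdb", ca)
        print(s, audit(s))
```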