Discussion: could not accept SSL connection: sslv3 alert bad certificate


could not accept SSL connection: sslv3 alert bad certificate

From
Marco Ippolito
Date:
Following the indications here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database I'm trying to understand how to correctly set Fabric-CA with a PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition.
 
I created a postgresql-11 db to which I can connect with SSL:
 
    (base) marco@pc:~$ psql --cluster 11/fabmnet -h 127.0.0.1 -d fabmnetdb -U fabmnet_admin
    Password for user fabmnet_admin:
    psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    Type "help" for help.

    fabmnetdb=> \l
                                    List of databases
       Name    |     Owner     | Encoding | Collate |  Ctype  |   Access privileges  
    -----------+---------------+----------+---------+---------+-----------------------
     fabmnetdb | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
     postgres  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
     template0 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
               |               |          |         |         | postgres=CTc/postgres
     template1 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
               |               |          |         |         | postgres=CTc/postgres
    (4 rows)

    fabmnetdb=>
 

but when trying to start a fabric-ca-server :

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
    2019/09/25 20:56:57 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/25 20:56:57 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
    2019/09/25 20:56:57 [INFO] Server Version: 1.4.4
    2019/09/25 20:56:57 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/25 20:56:57 [INFO] The CA key and certificate already exist
    2019/09/25 20:56:57 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/25 20:56:57 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/25 20:56:57 [WARNING] Failed to connect to database 'fabmnetdb'
    2019/09/25 20:56:57 [WARNING] Failed to connect to database 'postgres'
    2019/09/25 20:56:57 [WARNING] Failed to connect to database 'template1'
    2019/09/25 20:56:57 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
    2019/09/25 20:56:57 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/25 20:56:57 [INFO] Operation Server Listening on 127.0.0.1:9443
    2019/09/25 20:56:57 [INFO] Listening on http://0.0.0.0:7054

This is the corresponding part in /var/log/postgresql/postgresql-11-fabmnet.log :

    2019-09-25 20:51:52.655 CEST [1096] LOG:  listening on IPv6 address "::1", port 5433
    2019-09-25 20:51:52.673 CEST [1096] LOG:  listening on IPv4 address "127.0.0.1", port 5433
    2019-09-25 20:51:52.701 CEST [1096] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
    2019-09-25 20:51:52.912 CEST [1171] LOG:  database system was interrupted; last known up at 2019-09-25 09:50:30 CEST
    2019-09-25 20:51:53.001 CEST [1171] LOG:  database system was not properly shut down; automatic recovery in progress
    2019-09-25 20:51:53.011 CEST [1171] LOG:  redo starts at 0/1668238
    2019-09-25 20:51:53.011 CEST [1171] LOG:  invalid record length at 0/1668318: wanted 24, got 0
    2019-09-25 20:51:53.011 CEST [1171] LOG:  redo done at 0/16682E0
    2019-09-25 20:51:53.043 CEST [1096] LOG:  database system is ready to accept connections
    2019-09-25 20:51:53.569 CEST [1206] [unknown]@[unknown] LOG:  incomplete startup packet
    2019-09-25 20:56:57.540 CEST [4620] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
    2019-09-25 20:56:57.543 CEST [4622] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
    2019-09-25 20:56:57.544 CEST [4623] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

   
This is how I set the pg_hba.conf file in the fabmnet postgresql cluster :
 
    (base) marco@pc:~$ sudo -su postgres
    (base) postgres@pc:~$ nano /etc/postgresql/11/fabmnet/pg_hba.conf
    Unable to create directory /home/marco/.local/share/nano/: Permission denied
    It is required for saving/loading search history or cursor positions.

    Press Enter to continue
 
    # TYPE  DATABASE        USER            ADDRESS                 METHOD

    # Database administrative login by Unix domain socket
    local   all             postgres                                peer

    # TYPE  DATABASE        USER            ADDRESS                 METHOD

    # "local" is for Unix domain socket connections only
    local   all             all                                     peer
    # IPv4 local connections:
    host    all             all             127.0.0.1/32            md5

    # Allow connections from 10.1.2.0/24 subnet only to fabric_ca_db for fabric_ca_user
    hostssl fabmnetdb    fabmnet_admin      10.1.2.0/24             cert

    # IPv6 local connections:
    host    all             all             ::1/128                 md5
    # Allow replication connections from localhost, by a user with the
    # replication privilege.
    local   replication     all                                     peer
    host    replication     all             127.0.0.1/32            md5
    host    replication     all             ::1/128                 md5
 
And this is the db's configuration in (base) marco@pc:~$ nano ./fabric/fabric-ca/fabric-ca-server-config.yaml :

    db:
      type: postgres
      datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full
 

How to correctly set up SSL connection to PostgresSQL-11 db?

Looking forward to your kind help
Marco
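The pg_hba.conf quoted in this post has a subtlety worth checking before touching any certificate: PostgreSQL applies the first matching record, so a TLS client arriving from 127.0.0.1 is handled by the "host ... 127.0.0.1/32 md5" record and never reaches the "hostssl ... 10.1.2.0/24 cert" one. The Python script below, added here as an illustration and not part of the thread or of PostgreSQL itself, models that first-match evaluation over a constructed copy of those records; the client addresses it is evaluated with are assumed.

```python
"""Which pg_hba.conf record will PostgreSQL apply to a given connection?

PostgreSQL reads pg_hba.conf top to bottom and applies the FIRST record whose
TYPE, DATABASE, USER and ADDRESS columns all match; later records are never
consulted.  "host" matches TCP with or without TLS, "hostssl" only TLS.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the pg_hba.conf records quoted in the thread (comments dropped).
PG_HBA = """\
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
hostssl fabmnetdb       fabmnet_admin   10.1.2.0/24             cert
host    all             all             ::1/128                 md5
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
"""

@dataclass
class Rule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # CIDR text; None for "local" records
    method: str

@dataclass
class Conn:
    database: str           # use "replication" for a physical replication connection
    user: str
    address: Optional[str] = None  # client IP; None means Unix-domain socket
    ssl: bool = False

def parse_pg_hba(text: str) -> List[Rule]:
    """Parse records in CIDR or "address netmask" form (hostname records kept verbatim)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append(Rule(f[0], f[1], f[2], None, f[3]))
            continue
        address, method = f[3], f[4]
        if "/" not in address and len(f) > 5:  # "10.1.2.0 255.255.255.0 md5"
            address, method = f"{f[3]}/{f[4]}", f[5]
        rules.append(Rule(f[0], f[1], f[2], address, method))
    return rules

def _db_matches(field: str, database: str) -> bool:
    if field == "all":
        return database != "replication"  # "all" never covers replication connections
    if field == "replication":
        return database == "replication"
    return database in field.split(",")

def rule_matches(rule: Rule, conn: Conn) -> bool:
    if rule.conn_type == "local":
        if conn.address is not None:
            return False
    elif rule.conn_type in ("host", "hostssl", "hostnossl"):
        if conn.address is None:
            return False
        if rule.conn_type == "hostssl" and not conn.ssl:
            return False
        if rule.conn_type == "hostnossl" and conn.ssl:
            return False
        try:
            net = ipaddress.ip_network(rule.address, strict=False)
        except ValueError:
            return False  # hostname records are not modelled here
        if ipaddress.ip_address(conn.address) not in net:
            return False  # also False when the IP versions differ
    else:
        return False  # e.g. hostgssenc (PostgreSQL 12+) is out of scope
    user_ok = rule.user == "all" or conn.user in rule.user.split(",")
    return user_ok and _db_matches(rule.database, conn.database)

def first_match(rules: List[Rule], conn: Conn) -> Optional[Rule]:
    # The record PostgreSQL would apply, or None (connection rejected outright).
    for rule in rules:
        if rule_matches(rule, conn):
            return rule
    return None

def method_for(conn: Conn, text: str = PG_HBA) -> Optional[str]:
    rule = first_match(parse_pg_hba(text), conn)
    return rule.method if rule else None

if __name__ == "__main__":
    # The thread's Fabric-CA client uses host=localhost over TLS, so it arrives from
    # 127.0.0.1 (or ::1) and hits "host ... md5"; "hostssl ... cert" only covers 10.1.2.0/24.
    print(method_for(Conn("fabmnetdb", "fabmnet_admin", "127.0.0.1", ssl=True)))  # md5
    print(method_for(Conn("fabmnetdb", "fabmnet_admin", "10.1.2.5", ssl=True)))   # cert
```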

Re: could not accept SSL connection: sslv3 alert bad certificate

From
Adrian Klaver
Date:
On 9/25/19 12:34 PM, Marco Ippolito wrote:
> Following the indications here: 
> https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database 
> I'm trying to understand how to correctly set Fabric-CA with a 
> PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition.
> 
> I created a postgresql-11 db to which I can connect with SSL:
> 
>      (base) marco@pc:~$ psql --cluster 11/fabmnet -h 127.0.0.1 -d fabmnetdb -U fabmnet_admin
>      Password for user fabmnet_admin:
>      psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
>      SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
>      Type "help" for help.
> 
>      fabmnetdb=> \l
>                                      List of databases
>         Name    |     Owner     | Encoding | Collate |  Ctype  |   Access privileges
>      -----------+---------------+----------+---------+---------+-----------------------
>       fabmnetdb | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
>       postgres  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
>       template0 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>                 |               |          |         |         | postgres=CTc/postgres
>       template1 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>                 |               |          |         |         | postgres=CTc/postgres
>      (4 rows)
> 
>      fabmnetdb=>
> 
> 
> but when trying to start a fabric-ca-server :
> 
>      (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
>      2019/09/25 20:56:57 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
>      2019/09/25 20:56:57 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
>      2019/09/25 20:56:57 [INFO] Server Version: 1.4.4
>      2019/09/25 20:56:57 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
>      2019/09/25 20:56:57 [INFO] The CA key and certificate already exist
>      2019/09/25 20:56:57 [INFO] The key is stored by BCCSP provider 'SW'
>      2019/09/25 20:56:57 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
>      2019/09/25 20:56:57 [WARNING] Failed to connect to database 'fabmnetdb'
>      2019/09/25 20:56:57 [WARNING] Failed to connect to database 'postgres'
>      2019/09/25 20:56:57 [WARNING] Failed to connect to database 'template1'
>      2019/09/25 20:56:57 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
>      2019/09/25 20:56:57 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
>      2019/09/25 20:56:57 [INFO] Operation Server Listening on 127.0.0.1:9443
>      2019/09/25 20:56:57 [INFO] Listening on http://0.0.0.0:7054
> 
> This is the corresponding part in 
> /var/log/postgresql/postgresql-11-fabmnet.log :
> 
>      2019-09-25 20:51:52.655 CEST [1096] LOG:  listening on IPv6 address "::1", port 5433
>      2019-09-25 20:51:52.673 CEST [1096] LOG:  listening on IPv4 address "127.0.0.1", port 5433
>      2019-09-25 20:51:52.701 CEST [1096] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
>      2019-09-25 20:51:52.912 CEST [1171] LOG:  database system was interrupted; last known up at 2019-09-25 09:50:30 CEST
>      2019-09-25 20:51:53.001 CEST [1171] LOG:  database system was not properly shut down; automatic recovery in progress
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo starts at 0/1668238
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  invalid record length at 0/1668318: wanted 24, got 0
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo done at 0/16682E0
>      2019-09-25 20:51:53.043 CEST [1096] LOG:  database system is ready to accept connections
>      2019-09-25 20:51:53.569 CEST [1206] [unknown]@[unknown] LOG:  incomplete startup packet
>      2019-09-25 20:56:57.540 CEST [4620] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.543 CEST [4622] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.544 CEST [4623] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
> 
> 
> This is how I set the pg_hba.conf file in the fabmnet postgresql cluster :
> 
>      (base) marco@pc:~$ sudo -su postgres
>      (base) postgres@pc:~$ nano /etc/postgresql/11/fabmnet/pg_hba.conf
>      Unable to create directory /home/marco/.local/share/nano/: Permission denied
>      It is required for saving/loading search history or cursor positions.
> 
>      Press Enter to continue
> 
>      # TYPE  DATABASE        USER            ADDRESS                 METHOD
> 
>      # Database administrative login by Unix domain socket
>      local   all             postgres                                peer
> 
>      # TYPE  DATABASE        USER            ADDRESS                 METHOD
> 
>      # "local" is for Unix domain socket connections only
>      local   all             all                                     peer
>      # IPv4 local connections:
>      host    all             all             127.0.0.1/32            md5
> 
>      # Allow connections from 10.1.2.0/24 subnet only to fabric_ca_db for fabric_ca_user
>      hostssl fabmnetdb    fabmnet_admin      10.1.2.0/24             cert
> 
>      # IPv6 local connections:
>      host    all             all             ::1/128                 md5
>      # Allow replication connections from localhost, by a user with the
>      # replication privilege.
>      local   replication     all                                     peer
>      host    replication     all             127.0.0.1/32            md5
>      host    replication     all             ::1/128                 md5
> 
> And this is the db's configuration in (base) marco@pc:~$ nano ./fabric/fabric-ca/fabric-ca-server-config.yaml :
> 
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full
> 
> 
> How to correctly set up SSL connection to PostgresSQL-11 db?

I don't believe it has anything to do with SSL at this point. Looks like 
you are not connecting to the server, period, from:

fabric-ca-server start -b

Things I noticed that might apply:

1) For your psql connection you have:

  psql --cluster 11/fabmnet -h 127.0.0.1 -d fabmnetdb -U fabmnet_admin

There is no port provided. By default that would be 5432. In your *.yaml 
file you have port 5433.

So do you have more than one instance of Postgres running?
Or is the environment variable PGPORT set to 5433?

2) In the *.yaml file you have host=localhost.

On the chance hosts is not set correctly what happens if you change this 
to host=127.0.0.1?

> Looking forward to your kind help
> Marco


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: could not accept SSL connection: sslv3 alert bad certificate

From
Adrian Klaver
Date:
On 9/25/19 12:34 PM, Marco Ippolito wrote:
> Following the indications here: 
> https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database 
> I'm trying to understand how to correctly set Fabric-CA with a 
> PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition.
> 

> This is the corresponding part in 
> /var/log/postgresql/postgresql-11-fabmnet.log :
> 
>      2019-09-25 20:51:52.655 CEST [1096] LOG:  listening on IPv6 address "::1", port 5433
>      2019-09-25 20:51:52.673 CEST [1096] LOG:  listening on IPv4 address "127.0.0.1", port 5433
>      2019-09-25 20:51:52.701 CEST [1096] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
>      2019-09-25 20:51:52.912 CEST [1171] LOG:  database system was interrupted; last known up at 2019-09-25 09:50:30 CEST
>      2019-09-25 20:51:53.001 CEST [1171] LOG:  database system was not properly shut down; automatic recovery in progress
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo starts at 0/1668238
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  invalid record length at 0/1668318: wanted 24, got 0
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo done at 0/16682E0
>      2019-09-25 20:51:53.043 CEST [1096] LOG:  database system is ready to accept connections
>      2019-09-25 20:51:53.569 CEST [1206] [unknown]@[unknown] LOG:  incomplete startup packet
>      2019-09-25 20:56:57.540 CEST [4620] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.543 CEST [4622] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.544 CEST [4623] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
> 

Aargh, I missed the part above.

What happens if you remove the sslmode=verify-full from the *.yaml file?

> 
> And this is the db's configuration in (base) marco@pc:~$ nano ./fabric/fabric-ca/fabric-ca-server-config.yaml :
> 
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full
> 
> 
> How to correctly set up SSL connection to PostgresSQL-11 db?
> 
> Looking forward to your kind help
> Marco


-- 
Adrian Klaver
adrian.klaver@aklaver.com
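Adrian's question about sslmode=verify-full points at the actual mechanism: with verify-ca or verify-full the client (here the pq driver, whose "pq:" prefix shows up in the Fabric-CA error later in the thread) must validate the server certificate against a root CA file, and verify-full additionally requires that the host name in the datasource matches the certificate. When that check fails it is the client, not the server, that aborts the handshake with a TLS "bad certificate" alert, which is exactly what the PostgreSQL log records. The probe below, added here as an illustration and not code from the thread, PostgreSQL or Fabric-CA, performs the same SSLRequest negotiation and verification so the decision can be tested outside Fabric-CA; host, port and the root CA file are command-line arguments, and the file name root.crt in the usage comment is assumed.

```python
"""Probe a PostgreSQL server's certificate the way a verifying client does.

A PostgreSQL client opens a plain TCP connection, sends an 8-byte SSLRequest
and starts the TLS handshake only after the server answers 'S'.  With
sslmode=verify-ca/verify-full it must validate the server certificate against
its root CA file; when that fails it abandons the handshake with a TLS "bad
certificate" alert, which the server logs as "could not accept SSL connection:
sslv3 alert bad certificate".  This probe makes the same decision and says why.
"""
import socket
import ssl
import struct
from typing import Optional

SSL_REQUEST_CODE = (1234 << 16) | 5679  # fixed by the PostgreSQL wire protocol


def ssl_request_packet() -> bytes:
    """Int32 length (8, including itself) followed by the Int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_supports_tls(reply: bytes) -> bool:
    """Interpret the single byte the server returns to an SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    # Anything else (e.g. an ErrorResponse starting with b"E") is a protocol error.
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")


def make_context(rootcert: Optional[str], verify_full: bool) -> ssl.SSLContext:
    """rootcert + verify_full=True mirrors sslmode=verify-full (CA chain and host
    name); verify_full=False mirrors verify-ca (CA chain only); rootcert=None
    mirrors sslmode=require, i.e. encryption without any certificate check."""
    if rootcert is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx = ssl.create_default_context(cafile=rootcert)
    ctx.check_hostname = verify_full
    return ctx


def probe(host: str, port: int, rootcert: Optional[str] = None,
          verify_full: bool = True, timeout: float = 5.0) -> dict:
    ctx = make_context(rootcert, verify_full)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(ssl_request_packet())
        if not server_supports_tls(raw.recv(1)):
            return {"tls": False, "verified": False, "reason": "server declined TLS (ssl = off?)"}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when verification is off
                return {"tls": True, "verified": rootcert is not None,
                        "protocol": tls.version(), "subject": cert.get("subject"),
                        "san": cert.get("subjectAltName")}
        except ssl.SSLCertVerificationError as exc:
            # This is the point at which a real client sends the "bad certificate" alert.
            return {"tls": True, "verified": False, "reason": exc.verify_message}


if __name__ == "__main__":
    import sys
    # Assumed invocation for the thread's setup:  probe.py localhost 5433 root.crt
    host, port = sys.argv[1], int(sys.argv[2])
    root = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(host, port, root))
```

Run it once with the root CA file and once without: if the bare run succeeds but the verifying run reports a reason such as an unknown issuer or a host-name mismatch, the server is fine and the client's trust configuration (root CA file, or the host name used in the datasource) is what needs fixing.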



Re: could not accept SSL connection: sslv3 alert bad certificate

From
Marco Ippolito
Date:
Hi Adrian,
putting in /fabric/fabric-ca/fabric-ca-server-config.yaml :

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-ca

this is the result:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 09:44:39 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 09:44:39 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 09:44:39 [INFO] Server Version: 1.4.4
2019/09/26 09:44:39 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 09:44:39 [INFO] The CA key and certificate already exist
2019/09/26 09:44:39 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 09:44:39 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 09:44:39 [ERROR] Error occurred initializing database: Failed to create Postgres database: Failed to execute create database query: pq: permission denied to create database
2019/09/26 09:44:39 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 09:44:39 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 09:44:39 [INFO] Listening on http://0.0.0.0:7054

and the corresponding log in /var/log/postgresql/postgresql-11-fabmnet.log :

2019-09-26 09:21:11.605 CEST [1132] LOG:  received fast shutdown request
2019-09-26 09:21:11.613 CEST [1132] LOG:  aborting any active transactions
2019-09-26 09:21:11.615 CEST [1132] LOG:  background worker "logical replication launcher" (PID 1169) exited with exit code 1
2019-09-26 09:21:11.616 CEST [1161] LOG:  shutting down
2019-09-26 09:21:11.643 CEST [1132] LOG:  database system is shut down
2019-09-26 09:21:57.370 CEST [1077] LOG:  listening on IPv6 address "::1", port 5433
2019-09-26 09:21:57.370 CEST [1077] LOG:  listening on IPv4 address "127.0.0.1", port 5433
2019-09-26 09:21:57.372 CEST [1077] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
2019-09-26 09:21:57.426 CEST [1124] LOG:  database system was shut down at 2019-09-26 09:21:11 CEST
2019-09-26 09:21:57.446 CEST [1077] LOG:  database system is ready to accept connections
2019-09-26 09:21:58.040 CEST [1147] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-26 09:44:39.374 CEST [2902] fabmnet_admin@fabmnetdb ERROR:  permission denied to create database
2019-09-26 09:44:39.374 CEST [2902] fabmnet_admin@fabmnetdb STATEMENT:  CREATE DATABASE fabmnetdb

Putting in /home/marco/fabric/fabric-ca/fabric-ca-serve-config.yaml :

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=require

again the same error message:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 10:08:27 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 10:08:27 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 10:08:27 [INFO] Server Version: 1.4.4
2019/09/26 10:08:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 10:08:27 [INFO] The CA key and certificate already exist
2019/09/26 10:08:27 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 10:08:27 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 10:08:27 [ERROR] Error occurred initializing database: Failed to create Postgres database: Failed to execute create database query: pq: permission denied to create database
2019/09/26 10:08:27 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 10:08:27 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 10:08:27 [INFO] Listening on http://0.0.0.0:7054

and the corresponding portion of the log file:

2019-09-26 10:08:27.947 CEST [3728] fabmnet_admin@fabmnetdb ERROR:  permission denied to create database
2019-09-26 10:08:27.947 CEST [3728] fabmnet_admin@fabmnetdb STATEMENT:  CREATE DATABASE fabmnetdb

I do not understand...

Marco

On Thu, 26 Sep 2019 at 02:07, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/25/19 12:34 PM, Marco Ippolito wrote:
> Following the indications here:
> https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database
> I'm trying to understand how to correctly set Fabric-CA with a
> PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition.
>

> This is the corresponding part in
> /var/log/postgresql/postgresql-11-fabmnet.log :
>
>      2019-09-25 20:51:52.655 CEST [1096] LOG:  listening on IPv6 address "::1", port 5433
>      2019-09-25 20:51:52.673 CEST [1096] LOG:  listening on IPv4 address "127.0.0.1", port 5433
>      2019-09-25 20:51:52.701 CEST [1096] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
>      2019-09-25 20:51:52.912 CEST [1171] LOG:  database system was interrupted; last known up at 2019-09-25 09:50:30 CEST
>      2019-09-25 20:51:53.001 CEST [1171] LOG:  database system was not properly shut down; automatic recovery in progress
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo starts at 0/1668238
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  invalid record length at 0/1668318: wanted 24, got 0
>      2019-09-25 20:51:53.011 CEST [1171] LOG:  redo done at 0/16682E0
>      2019-09-25 20:51:53.043 CEST [1096] LOG:  database system is ready to accept connections
>      2019-09-25 20:51:53.569 CEST [1206] [unknown]@[unknown] LOG:  incomplete startup packet
>      2019-09-25 20:56:57.540 CEST [4620] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.543 CEST [4622] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>      2019-09-25 20:56:57.544 CEST [4623] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
>

Aargh, I missed the part above.

What happens if you remove the sslmode=verify-full from the *.yaml file?

>
> And this is the db's configuration in (base) marco@pc:~$ nano ./fabric/fabric-ca/fabric-ca-server-config.yaml :
>
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full
>
>
> How to correctly set up SSL connection to PostgresSQL-11 db?
>
> Looking forward to your kind help
> Marco


--
Adrian Klaver
adrian.klaver@aklaver.com

Re: could not accept SSL connection: sslv3 alert bad certificate

From
Marco Ippolito
Date:
Thanks Martin. I need to check these important aspects as well.
What do you mean as "disable hardcoded BCCSP Provider"?

Marco

On Thu, 26 Sep 2019 at 00:43, Martin Gainty <mgainty@hotmail.com> wrote:
Hi Marco

not necessarily with PG but with all other servers I secure, when I see that error
it means the certificate and key your provider is referencing are already stored in storage (in my case "truststore")
I would clean all storage locations of certificate and key
then I would allow BCCSP provider to push your cert and key into stores (identified by BCCSP config)

if that doesn't work I would disable hardcoded BCCSP Provider then manually import your certs and keys into your truststore

YMMV
martin

From: Marco Ippolito <ippolito.marco@gmail.com>
Sent: Wednesday, September 25, 2019 3:34 PM
To: pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: could not accept SSL connection: sslv3 alert bad certificate
 

Re: could not accept SSL connection: sslv3 alert bad certificate

From
Marco Ippolito
Date:
After removing the previous cert and key files, I started the fabric-ca server again, discovering that new cert and key files were created:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 11:56:18 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 11:56:18 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Server Version: 1.4.4
2019/09/26 11:56:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 11:56:18 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 11:56:18 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 11:56:18 [INFO] encoded CSR
2019/09/26 11:56:18 [INFO] signed certificate with serial number 542755587310273579559145444277178107021548224556
2019/09/26 11:56:18 [INFO] The CA key and certificate were generated for CA
2019/09/26 11:56:18 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 11:56:18 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'postgres'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'template1'
2019/09/26 11:56:18 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 11:56:18 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 11:56:18 [INFO] Listening on http://0.0.0.0:7054

but, again, the corresponding log says "bad certificate" :

2019-09-26 11:55:04.514 CEST [4837] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.517 CEST [4839] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.518 CEST [4840] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.967 CEST [4862] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.969 CEST [4865] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.971 CEST [4866] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

So, how could it be a "bad certificate" if it has just been created brand new by the execution of fabric-ca-server start?

Marco

On Thu 26 Sep 2019 at 00:43 Martin Gainty <mgainty@hotmail.com> wrote:
Hi Marco

not necessarily with PG but with all other servers I secure, when I see that error
it means the certificate and key your provider is referencing are already stored in storage (in my case "truststore")
I would clean all storage locations of certificate and key
then I would allow the BCCSP provider to push your cert and key into stores (identified by BCCSP config)

if that doesn't work I would disable the hardcoded BCCSP Provider then manually import your certs and keys into your truststore

YMMV
martin


"Failed to connect to Postgres database"

From
Marco Ippolito
Date:

In order to restart from a clean situation and configuration, I removed the previous fabric-ca folder, created a new one, and then initiated the fabric-ca-server. With the default SQLite everything seems to work fine. But once I try to use the PostgreSQL-11 db I created before, errors appear:

(base) marco@pc:~/fabric$ rm -rf fabric-ca
(base) marco@pc:~/fabric$ mkdir fabric-ca
(base) marco@pc:~/fabric$ cd fabric-ca/
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 15:48:54 [INFO] Created default configuration file at /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 15:48:54 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 15:48:54 [INFO] Server Version: 1.4.4
2019/09/26 15:48:54 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 15:48:54 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 15:48:54 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 15:48:54 [INFO] encoded CSR
2019/09/26 15:48:54 [INFO] signed certificate with serial number 162595303982096068338873480987512684820342253664
2019/09/26 15:48:54 [INFO] The CA key and certificate were generated for CA
2019/09/26 15:48:54 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 15:48:54 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 15:48:54 [INFO] Initialized sqlite3 database at /home/marco/fabric/fabric-ca/fabric-ca-server.db
2019/09/26 15:48:54 [INFO] The issuer key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerPublicKey, secret key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
2019/09/26 15:48:54 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/09/26 15:48:54 [INFO] The revocation key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey, private key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
2019/09/26 15:48:54 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 15:48:54 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 15:48:54 [INFO] Listening on http://0.0.0.0:7054

I set the brand-new fabric-ca-server-config.yaml in this way:

#db:
#  type: sqlite3
#  datasource: fabric-ca-server.db
#  tls:
#      enabled: false
#      certfiles:
#      client:
#        certfile:
#        keyfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=password dbname=fabmnetdb sslmode=verify-full

and in /etc/postgresql/11/fabmnet/postgresql.conf :

ssl = on
ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'
ssl_key_file = '/home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey'

After systemctl restart postgresql, I tried to start the fabric-ca-server:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 15:56:50 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'postgres'
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'template1'
2019/09/26 15:56:50 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 15:56:50 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 15:56:50 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 15:56:50 [INFO] Listening on http://0.0.0.0:7054

Beforehand I had also removed all the previous content of /var/log/postgresql/postgresql-11-fabmnet.log to have a clean situation. But strangely I now do not get any new logging information in postgresql-11-fabmnet.log.

So, I think there must be something to fix in the interface between fabric-ca-server and the PostgreSQL-11 db: in fabric-ca-server-config.yaml, in postgresql.conf, in both, or somewhere else.










Re: could not accept SSL connection: sslv3 alert bad certificate

From
Adrian Klaver
Date:
On 9/26/19 1:10 AM, Marco Ippolito wrote:
> Hi Adrian,
> putting in /fabric/fabric-ca/fabric-ca-server-config.yaml :
> 
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-ca
> 

> and the corresponding portion of the log file:
> 
> 2019-09-26 10:08:27.947 CEST [3728] fabmnet_admin@fabmnetdb ERROR:  permission denied to create database
> 2019-09-26 10:08:27.947 CEST [3728] fabmnet_admin@fabmnetdb STATEMENT:  CREATE DATABASE fabmnetdb

User fabmnet_admin does not have CREATE DATABASE privileges. In a psql 
session do:

\du fabmnet_admin

If the results do not include Create DB or Superuser then you need to 
ALTER ROLE fabmnet_admin to have CREATEDB:

https://www.postgresql.org/docs/11/sql-alterrole.html

NOTE: You will need to do the above as a ROLE that has privileges. Easiest 
if you have a SUPERUSER role you can log in as.


> 
> I do not understand...
> 
> Marco
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From
Adrian Klaver
Date:
On 9/26/19 7:21 AM, Marco Ippolito wrote:
> In order to restart from a clean situation and configuration, I removed 
> the previous fabric-ca folder, created a new one, and then initiated the 
> fabric-ca-server. With the default SQLite everything seems to work fine. 
> But once I try to use the PostgreSQL-11 db I created before, errors appear:
> 
> (base) marco@pc:~/fabric$ rm -rf fabric-ca
> (base) marco@pc:~/fabric$ mkdir fabric-ca
> (base) marco@pc:~/fabric$ cd fabric-ca/
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
> 2019/09/26 15:48:54 [INFO] Created default configuration file at /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:48:54 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
> 2019/09/26 15:48:54 [INFO] Server Version: 1.4.4
> 2019/09/26 15:48:54 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:48:54 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
> 2019/09/26 15:48:54 [INFO] generating key: &{A:ecdsa S:256}
> 2019/09/26 15:48:54 [INFO] encoded CSR
> 2019/09/26 15:48:54 [INFO] signed certificate with serial number 162595303982096068338873480987512684820342253664
> 2019/09/26 15:48:54 [INFO] The CA key and certificate were generated for CA
> 2019/09/26 15:48:54 [INFO] The key was stored by BCCSP provider 'SW'
> 2019/09/26 15:48:54 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/26 15:48:54 [INFO] Initialized sqlite3 database at /home/marco/fabric/fabric-ca/fabric-ca-server.db
> 2019/09/26 15:48:54 [INFO] The issuer key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerPublicKey, secret key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
> 2019/09/26 15:48:54 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
> 2019/09/26 15:48:54 [INFO] The revocation key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey, private key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
> 2019/09/26 15:48:54 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
> 2019/09/26 15:48:54 [INFO] Operation Server Listening on 127.0.0.1:9443
> 2019/09/26 15:48:54 [INFO] Listening on http://0.0.0.0:7054
> 
> I set the brand-new fabric-ca-server-config.yaml in this way:
> 
> #db:
> #  type: sqlite3
> #  datasource: fabric-ca-server.db
> #  tls:
> #      enabled: false
> #      certfiles:
> #      client:
> #        certfile:
> #        keyfile:
> 
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=fabmnet_admin password=password dbname=fabmnetdb sslmode=verify-full

Shouldn't the TLS info also be there for the Postgres datasource:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

As to below, you will not get logs as you are never connecting to the 
database. Those errors get sent to the console.

You are fighting two issues, role permissions and SSL certs. I would 
deal with one a time. Drop the SSL requirement until you can verify a 
connection and database creation. Then deal with the SSL issues.

> 
> and in /etc/postgresql/11/fabmnet/postgresql.conf :
> 
> ssl = on
> ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'
> ssl_key_file = '/home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey'
> 
> After systemctl restart postgresql, I tried to start the fabric-ca-server:
> 
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
> 2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:56:50 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
> 2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
> 2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'fabmnetdb'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'postgres'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'template1'
> 2019/09/26 15:56:50 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
> 2019/09/26 15:56:50 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Operation Server Listening on 127.0.0.1:9443
> 2019/09/26 15:56:50 [INFO] Listening on http://0.0.0.0:7054
> 
> Before I also removed all the previous content of 
> /var/log/postgresql/postgresql-11-fabmnet.log to have a clean situation. 
> But strangely now I do not get any new logging information in 
> postgresql-11-fabmnet.log
> 
> So. I think there must be something to fix in the interface between 
> fabric-ca-server and PostgreSQL-11 db. In fabric-ca-server-config.yaml, 
> in postgresql.conf, in both or somewhere else.
> 
> 
> 
> 
> 
> 
> 



-- 
Adrian Klaver
adrian.klaver@aklaver.com
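Adrian's advice to separate the role problem from the SSL problem is easier to follow once the "bad certificate" lines in the PostgreSQL log are read correctly: that alert is sent by the TLS client when it rejects the server's certificate, and the Fabric-CA datasource in this thread asks for sslmode=verify-full. The Go program below is an added example, not code from the thread, from Fabric-CA or from PostgreSQL; it builds a constructed root CA, a CA-issued server certificate for "localhost" and a self-signed server certificate in memory, then applies the checks the libpq sslmode values specify to each, so the outcome for a given sslmode and host= value can be seen without a live database. Every certificate, name and the "Constructed Root CA" are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template; dns lists the SubjectAltNames.
func template(cn string, isCA bool, dns ...string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs the pieces in play (all made up for this example): a root pool standing
// in for the client's sslrootcert, a server certificate for "localhost" issued by that root,
// and a self-signed server certificate that no root in the pool vouches for.
func buildPKI() (roots *x509.CertPool, trusted, untrusted *x509.Certificate, err error) {
	ca, caKey, err := issue(template("Constructed Root CA", true), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if trusted, _, err = issue(template("localhost", false, "localhost"), ca, caKey); err != nil {
		return nil, nil, nil, err
	}
	if untrusted, _, err = issue(template("localhost", false, "localhost"), nil, nil); err != nil {
		return nil, nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, trusted, untrusted, nil
}

// checkServerCert applies what the libpq sslmode values specify for the server certificate:
// verify-ca checks the chain against the root store, verify-full also requires the datasource's
// host= value to be covered by the certificate; the other modes are modelled here as checking
// nothing (psql defaults to prefer, so it shows "SSL connection" where verify-full refuses).
func checkServerCert(sslmode string, server *x509.Certificate, roots *x509.CertPool, host string) error {
	if sslmode != "verify-ca" && sslmode != "verify-full" {
		return nil
	}
	opts := x509.VerifyOptions{Roots: roots}
	if sslmode == "verify-full" {
		opts.DNSName = host
	}
	_, err := server.Verify(opts)
	return err
}

// diagnose names the outcome. An unknown CA is what makes the client abort the handshake
// with a "bad certificate" alert, which the server logs as "sslv3 alert bad certificate".
func diagnose(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown-ca"
	case x509.HostnameError:
		return "host-mismatch"
	}
	return err.Error()
}

func main() {
	roots, trusted, untrusted, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println(diagnose(checkServerCert("verify-full", untrusted, roots, "localhost"))) // unknown-ca
	fmt.Println(diagnose(checkServerCert("verify-full", trusted, roots, "127.0.0.1")))  // host-mismatch
	fmt.Println(diagnose(checkServerCert("verify-full", trusted, roots, "localhost")))  // ok
}
```

The second case is worth noting for the thread: the psql test used -h 127.0.0.1 while the datasource says host=localhost, and under verify-full the name used to connect must be one the server certificate covers.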



Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
Hi Adrian,

I removed the previous fabmnetdb and created a new one whose owner is postgres:

(base) postgres@pc:/usr/local/pgsql$ psql --cluster 11/fabmnet
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

postgres=# \l
                              List of databases
   Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
-----------+----------+----------+---------+---------+-----------------------
 fabmnetdb | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres  | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |          |          |         |         | postgres=CTc/postgres
 template1 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |          |          |         |         | postgres=CTc/postgres
(4 rows)

postgres=# 

First objective: enable SSL connections for fabmnetdb and make them work:

I created .pem and .req files in /var/lib/postgresql/11/fabmnet/  where, according to nano /etc/postgresql/11/fabmnet/postgresql.conf, the data folder is located:
    data_directory = '/var/lib/postgresql/11/fabmnet'
    ssl = on


(base) postgres@pc:/var/lib/postgresql/11/fabmnet$ chmod 600 privkey.pem
(base) postgres@pc:/var/lib/postgresql/11/fabmnet$ chmod 600 cert.req

But now, testing the ssl connection :

(base) marco@pc:/usr/local/pgsql$ psql -h 127.0.0.1 -d fabmnetdb -U postgres
Password for user postgres:
psql: FATAL:  database "fabmnetdb" does not exist

What am I missing?
Thanks again for your kind help.
Marco


Il giorno gio 26 set 2019 alle ore 16:50 Adrian Klaver <adrian.klaver@aklaver.com> ha scritto:
On 9/26/19 7:21 AM, Marco Ippolito wrote:
> In order to restart from a clean situation and configuration, I removed
> the previous fabric-ca folder, created a new one, and then initiated the
> fabric-ca-server. With the default SQLite everything seem working fine.
> But one I try to use the PostgreSQL-11 db I created before, errors appear:
>
> (base) marco@pc:~/fabric$ rm -rf fabric-ca
> (base) marco@pc:~/fabric$ mkdir fabric-ca
> (base) marco@pc:~/fabric$ cd fabric-ca/
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
> 2019/09/26 15:48:54 [INFO] Created default configuration file at /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:48:54 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
> 2019/09/26 15:48:54 [INFO] Server Version: 1.4.4
> 2019/09/26 15:48:54 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:48:54 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
> 2019/09/26 15:48:54 [INFO] generating key: &{A:ecdsa S:256}
> 2019/09/26 15:48:54 [INFO] encoded CSR
> 2019/09/26 15:48:54 [INFO] signed certificate with serial number 162595303982096068338873480987512684820342253664
> 2019/09/26 15:48:54 [INFO] The CA key and certificate were generated for CA
> 2019/09/26 15:48:54 [INFO] The key was stored by BCCSP provider 'SW'
> 2019/09/26 15:48:54 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/26 15:48:54 [INFO] Initialized sqlite3 database at /home/marco/fabric/fabric-ca/fabric-ca-server.db
> 2019/09/26 15:48:54 [INFO] The issuer key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerPublicKey, secret key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
> 2019/09/26 15:48:54 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
> 2019/09/26 15:48:54 [INFO] The revocation key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey, private key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
> 2019/09/26 15:48:54 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
> 2019/09/26 15:48:54 [INFO] Operation Server Listening on 127.0.0.1:9443
> 2019/09/26 15:48:54 [INFO] Listening on http://0.0.0.0:7054
>
> I set the brand-new fabric-ca-server-config.yaml in this way:
>
> #db:
> #  type: sqlite3
> #  datasource: fabric-ca-server.db
> #  tls:
> #      enabled: false
> #      certfiles:
> #      client:
> #        certfile:
> #        keyfile:
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=fabmnet_admin
>   password=password dbname=fabmnetdb sslmode=verify-full

Shouldn't the TLS info also be there for the Postgres datasource:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

As to below, you will not get logs as you are never connecting to the
database. Those errors get sent to the console.

You are fighting two issues, role permissions and SSL certs. I would
deal with one a time. Drop the SSL requirement until you can verify a
connection and database creation. Then deal with the SSL issues.

>
> and in /etc/postgresql/11/fabmnet/postgresql.conf :
>
> ssl = on
> ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'
> ssl_key_file = '/home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey'
>
> After systemctl restart postgresql, I tried to start the fabric-ca-server:
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
> 2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:56:50 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
> 2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
> 2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'fabmnetdb'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'postgres'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database 'template1'
> 2019/09/26 15:56:50 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
> 2019/09/26 15:56:50 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Operation Server Listening on 127.0.0.1:9443
> 2019/09/26 15:56:50 [INFO] Listening on http://0.0.0.0:7054
>
> Before I also removed all the previous content of
> /var/log/postgresql/postgresql-11-fabmnet.log to have a clean situation.
> But strangely now I do not get any new logging information in
> postgresql-11-fabmnet.log
>
> So. I think there must be something to fix in the interface between
> fabric-ca-server and PostgreSQL-11 db. In fabric-ca-server-config.yaml,
> in postgresql.conf, in both or somewhere else.
>

--
Adrian Klaver
adrian.klaver@aklaver.com

Re: "Failed to connect to Postgres database"

From:
Adrian Klaver
Date:
On 9/26/19 10:10 AM, Marco Ippolito wrote:
> Hi Adrian,
> 
> I removed the previous fabmnetdb and created a new one whose owner is 
> postgres:
> 
> (base) postgres@pc:/usr/local/pgsql$ psql --cluster 11/fabmnet
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> Type "help" for help.
> 
> postgres=# \l
>                               List of databases
>    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges
> -----------+----------+----------+---------+---------+-----------------------
>  fabmnetdb | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
>  postgres  | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
>  template0 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>            |          |          |         |         | postgres=CTc/postgres
>  template1 | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>            |          |          |         |         | postgres=CTc/postgres
> (4 rows)
> 
> postgres=#
> 
> First objective: enable SSL and get a working SSL connection to fabmnetdb:
> 
> Following the indications found here: 
> https://vibhork.blogspot.com/2011/07/how-to-enable-ssl-in-postgresqlppas.html
> I created .pem and .req files in /var/lib/postgresql/11/fabmnet/  where, 
> according to nano /etc/postgresql/11/fabmnet/postgresql.conf, the data 
> folder is located:
>      data_directory = '/var/lib/postgresql/11/fabmnet'
>      ssl = on
> 
> 
> (base) postgres@pc:/var/lib/postgresql/11/fabmnet$ chmod 600 privkey.pem
> (base) postgres@pc:/var/lib/postgresql/11/fabmnet$ chmod 600 cert.req
> 
> But now, testing the ssl connection :
> 
> (base) marco@pc:/usr/local/pgsql$ psql -h 127.0.0.1 -d fabmnetdb -U postgres
> Password for user postgres:
> psql: FATAL:  database "fabmnetdb" does not exist
> 
> What am I missing?

My suspicion is that you have more than one instance of Postgres 
running. Partly because of this:

psql --cluster 11/fabmnet

and then later:

psql -h 127.0.0.1 -d fabmnetdb -U postgres

Not sure they are pointing at the same thing.



At command line what does:

ps ax | grep post

show.


> Thanks again for your kind help.
> Marco
> 



-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From:
rob stone
Date:
Hi,

On Thu, 2019-09-26 at 16:21 +0200, Marco Ippolito wrote:
> 
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=fabmnet_admin   
>   password=password dbname=fabmnetdb sslmode=verify-full
> 

> 
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b 
> admin:adminpw
> 2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco
> /fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:56:50 [INFO] Starting server in home directory: 
> /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
> 2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1 
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
> 2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric
> /fabric-ca/ca-cert.pem
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'fabmnetdb'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'postgres'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'template1'
> 2019/09/26 15:56:50 [ERROR] Error occurred initializing database:
> Failed
> to connect to Postgres database. Postgres requires connecting to a 
> specific database, the following databases were tried: [fabmnetdb 
> postgres template1]. Please create one of these database before 
> continuing


Why is it trying to connect to *any* database?

In the fabric-ca docs it shows the connection string as a single line
but your configuration file has it split over two lines.
My uneducated guess is that it is ignoring the 'password=password
dbname=fabmnetdb sslmode=verify-full'
line and thus unable to connect to fabmnetdb.

Cheers,
Robert
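A lint for the `db:` section rob quotes above, added here as an example that is not part of the thread or of the Fabric CA project: it parses the libpq datasource string the way libpq does (any whitespace between key=value pairs, newlines included, and single-quoted values with backslash escapes) and flags the sslmode/TLS combinations that cannot give a verified connection. It assumes that sslmode=verify-ca/verify-full needs a trusted root CA supplied either as sslrootcert= in the datasource or through tls.certfiles with tls.enabled: true; parse_conninfo, check_db_section and the certificate paths in HARDENED_DB_SECTION are invented here.

```python
"""Lint a Fabric CA `db:` section against its libpq datasource string.

Added example, not code from this thread or from the Fabric CA project.
Assumption (not on the page): for sslmode=verify-ca/verify-full the client
needs a trusted root CA, given as `sslrootcert=` in the datasource or via
`tls.certfiles` with `tls.enabled: true`. Paths below are placeholders.
"""
import re

# libpq conninfo grammar: `key = value` pairs separated by whitespace
# (newlines included); a value may be single-quoted with \' and \\ escapes.
_TOKEN = re.compile(
    r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"   # key =
    r"(?:'((?:[^'\\]|\\.)*)'|(\S*))"        # 'quoted value' | bare value
)


def parse_conninfo(datasource):
    """Parse a libpq key=value connection string into a dict."""
    text, pos, params = datasource.strip(), 0, {}
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("malformed conninfo near %r" % text[pos:pos + 20])
        key, quoted, bare = m.groups()
        params[key] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    return params


# What each libpq sslmode guarantees (libpq documentation).
_PLAINTEXT = {"disable"}
_UNVERIFIED = {"allow", "prefer", "require"}   # encrypted at best, peer unverified
_VERIFIED = {"verify-ca", "verify-full"}


def check_db_section(db):
    """Return (severity, message) findings for a Fabric CA `db:` dict."""
    findings = []
    if db.get("type") != "postgres":
        return findings                         # sqlite3/mysql are out of scope here
    params = parse_conninfo(db.get("datasource", ""))
    mode = params.get("sslmode", "prefer")      # libpq default when unset
    tls = db.get("tls") or {}
    tls_on = bool(tls.get("enabled"))
    certfiles = [c for c in (tls.get("certfiles") or []) if c]
    client = tls.get("client") or {}

    if mode in _PLAINTEXT:
        findings.append(("error", "sslmode=disable: credentials and CA records cross the wire in clear"))
    elif mode in _UNVERIFIED:
        findings.append(("error", "sslmode=%s never verifies the server certificate, so an "
                                  "impersonated server goes unnoticed" % mode))
    elif mode in _VERIFIED:
        if "sslrootcert" not in params and not (tls_on and certfiles):
            findings.append(("error", "sslmode=%s without a trusted root CA (sslrootcert= or "
                                      "tls.enabled: true plus tls.certfiles): the client rejects the "
                                      "server certificate and the handshake fails" % mode))
        if mode == "verify-full":
            findings.append(("info", "verify-full: the server certificate must carry host=%s "
                                     "in its CN or SAN" % params.get("host", "localhost")))
    else:
        findings.append(("error", "unknown sslmode %r" % mode))

    if "password" in params:
        findings.append(("warn", "database password stored in clear in the config file; "
                                 "restrict its permissions or use client-certificate auth"))
    if tls_on and bool(client.get("certfile")) != bool(client.get("keyfile")):
        findings.append(("error", "tls.client needs both certfile and keyfile for mutual TLS"))
    return findings


# The `db:` section as quoted in this thread: the two-line datasource is joined
# with a newline here, and no tls: block is present at all.
THREAD_DB_SECTION = {
    "type": "postgres",
    "datasource": "host=localhost port=5433 user=fabmnet_admin   \n"
                  "  password=password dbname=fabmnetdb sslmode=verify-full",
}

# A hardened variant: root CA supplied, mutual TLS instead of a password
# (certificate paths are placeholders invented for this example).
HARDENED_DB_SECTION = {
    "type": "postgres",
    "datasource": "host=localhost port=5433 user=fabmnet_admin dbname=fabmnetdb sslmode=verify-full",
    "tls": {"enabled": True, "certfiles": ["/etc/fabric-ca/pg-root-ca.pem"],
            "client": {"certfile": "/etc/fabric-ca/pg-client.pem",
                       "keyfile": "/etc/fabric-ca/pg-client-key.pem"}},
}

if __name__ == "__main__":
    for name, section in (("thread", THREAD_DB_SECTION), ("hardened", HARDENED_DB_SECTION)):
        for sev, msg in check_db_section(section):
            print("%s [%s] %s" % (name, sev, msg))
```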





Re: "Failed to connect to Postgres database"

From:
Marco Ippolito
Date:
I need to understand this:

I dropped the previous fabmnet cluster and re-created a new one:

(base) postgres@pc:~$ pg_lsclusters
Ver Cluster Port Status Owner    Data directory                 Log file
11  fabmnet 5433 online postgres /var/lib/postgresql/11/fabmnet /var/log/postgresql/postgresql-11-fabmnet.log
11  main    5432 online postgres /var/lib/postgresql/11/main    /var/log/postgresql/postgresql-11-main.log

I can connect with SSL to cluster 11/main:

    (base) postgres@pc:~$ psql -h localhost
    Password for user postgres:
    psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    Type "help" for help.

    postgres=# \l
                                      List of databases
       Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges  
    -----------+----------+----------+-------------+-------------+-----------------------
     marco     | marco    | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
     postgres  | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
     template0 | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/postgres          +
               |          |          |             |             | postgres=CTc/postgres
     template1 | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/postgres          +
               |          |          |             |             | postgres=CTc/postgres
    (4 rows)

    postgres=# \conninfo
    You are connected to database "postgres" as user "postgres" on host "localhost" at port "5432".
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    postgres=#


(base) postgres@pc:/var/lib/postgresql/11/main$ ls -lah
total 92K
drwx------ 19 postgres postgres 4.0K Sep 27 09:38 .
drwxr-xr-x  4 postgres postgres 4.0K Sep 27 10:58 ..
-rw-------  1 postgres postgres    3 Sep 18 16:22 PG_VERSION
drwx------  6 postgres postgres 4.0K Sep 27 11:57 base
drwx------  2 postgres postgres 4.0K Sep 27 09:39 global
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_commit_ts
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_dynshmem
drwx------  4 postgres postgres 4.0K Sep 27 11:57 pg_logical
drwx------  4 postgres postgres 4.0K Sep 18 16:22 pg_multixact
drwx------  2 postgres postgres 4.0K Sep 27 09:38 pg_notify
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_replslot
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_serial
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_snapshots
drwx------  2 postgres postgres 4.0K Sep 27 09:38 pg_stat
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_stat_tmp
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_subtrans
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_tblspc
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_twophase
drwx------  3 postgres postgres 4.0K Sep 18 16:22 pg_wal
drwx------  2 postgres postgres 4.0K Sep 18 16:22 pg_xact
-rw-------  1 postgres postgres   88 Sep 18 16:22 postgresql.auto.conf
-rw-------  1 postgres postgres  130 Sep 27 09:38 postmaster.opts
-rw-------  1 postgres postgres  108 Sep 27 09:38 postmaster.pid


(base) marco@pc:~$ ps ax | grep post
 1030 ?        S      0:00 /usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main -c config_file=/etc/postgresql/11/main/postgresql.conf
 1107 ?        Ss     0:00 postgres: 11/main: checkpointer  
 1108 ?        Ss     0:00 postgres: 11/main: background writer  
 1109 ?        Ss     0:00 postgres: 11/main: walwriter  
 1110 ?        Ss     0:00 postgres: 11/main: autovacuum launcher  
 1111 ?        Ss     0:00 postgres: 11/main: stats collector  
 1112 ?        Ss     0:00 postgres: 11/main: logical replication launcher  
 5003 ?        S      0:00 /usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/fabmnet -c config_file=/etc/postgresql/11/fabmnet/postgresql.conf
 5005 ?        Ss     0:00 postgres: 11/fabmnet: checkpointer  
 5006 ?        Ss     0:00 postgres: 11/fabmnet: background writer  
 5007 ?        Ss     0:00 postgres: 11/fabmnet: walwriter  
 5008 ?        Ss     0:00 postgres: 11/fabmnet: autovacuum launcher  
 5009 ?        Ss     0:00 postgres: 11/fabmnet: stats collector  
 5010 ?        Ss     0:00 postgres: 11/fabmnet: logical replication launcher  
 6543 pts/1    S      0:00 sudo -su postgres
 6867 pts/1    S+     0:00 /usr/lib/postgresql/11/bin/psql -h localhost
 6878 ?        Ss     0:00 postgres: 11/main: postgres postgres ::1(49156) idle
 6883 pts/0    S      0:00 sudo -su postgres
 8167 pts/2    S+     0:00 grep --color=auto post


But I cannot do the same with cluster 11/fabmnet:

(base) postgres@pc:/var/lib/postgresql/11/fabmnet$ ls -lah
total 104K
drwx------ 19 postgres postgres 4.0K Sep 27 11:28 .
drwxr-xr-x  4 postgres postgres 4.0K Sep 27 10:58 ..
-rw-------  1 postgres postgres    3 Sep 27 10:58 PG_VERSION
drwx------  6 postgres postgres 4.0K Sep 27 11:40 base
drwx------  2 postgres postgres 4.0K Sep 27 11:13 global
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_commit_ts
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_dynshmem
drwx------  4 postgres postgres 4.0K Sep 27 11:45 pg_logical
drwx------  4 postgres postgres 4.0K Sep 27 10:58 pg_multixact
drwx------  2 postgres postgres 4.0K Sep 27 10:59 pg_notify
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_replslot
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_serial
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_snapshots
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_stat
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_stat_tmp
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_subtrans
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_tblspc
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_twophase
drwx------  3 postgres postgres 4.0K Sep 27 10:58 pg_wal
drwx------  2 postgres postgres 4.0K Sep 27 10:58 pg_xact
-rw-------  1 postgres postgres   88 Sep 27 10:58 postgresql.auto.conf
-rw-------  1 postgres postgres  136 Sep 27 10:59 postmaster.opts
-rw-------  1 postgres postgres  111 Sep 27 10:59 postmaster.pid
-rw-------  1 root     root     4.4K Sep 27 11:26 server.crt
-rw-------  1 root     root     1.7K Sep 27 11:26 server.key

I created the server.crt and server.key files following the indications found here: https://vibhork.blogspot.com/2011/07/how-to-enable-ssl-in-postgresqlppas.html

(base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
Password for user postgres:
psql: FATAL:  password authentication failed for user "postgres"
FATAL:  password authentication failed for user "postgres"

So, before moving on to the fabric-ca side, I need to solve this aspect.

Marco


On Fri, 27 Sep 2019 at 04:28, rob stone <floriparob@gmail.com> wrote:
Hi,

On Thu, 2019-09-26 at 16:21 +0200, Marco Ippolito wrote:
>
> db:
>   type: postgres
>   datasource: host=localhost port=5433 user=fabmnet_admin   
>   password=password dbname=fabmnetdb sslmode=verify-full
>

>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b
> admin:adminpw
> 2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco
> /fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/26 15:56:50 [INFO] Starting server in home directory:
> /home/marco/fabric/fabric-ca
> 2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
> 2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
> 2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric
> /fabric-ca/ca-cert.pem
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'fabmnetdb'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'postgres'
> 2019/09/26 15:56:50 [WARNING] Failed to connect to database
> 'template1'
> 2019/09/26 15:56:50 [ERROR] Error occurred initializing database:
> Failed
> to connect to Postgres database. Postgres requires connecting to a
> specific database, the following databases were tried: [fabmnetdb
> postgres template1]. Please create one of these database before
> continuing


Why is it trying to connect to *any* database?

In the fabric-ca docs it shows the connection string as a single line
but your configuration file has it split over two lines.
My uneducated guess is that it is ignoring the 'password=password
dbname=fabmnetdb sslmode=verify-full'
line and thus unable to connect to fabmnetdb.

Cheers,
Robert


Re: "Failed to connect to Postgres database"

From:
"Daniel Verite"
Date:
    Marco Ippolito wrote:

> (base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
> Password for user postgres:
> psql: FATAL:  password authentication failed for user "postgres"
> FATAL:  password authentication failed for user "postgres"

Did you set a password for the postgres user in that newly created
cluster?
If not, try psql --cluster 11/fabmnet (without -h localhost),
it should connect you without a password,
then set a password with the \password command in psql,
then try again with -h localhost.


Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite



Re: "Failed to connect to Postgres database"

From:
Marco Ippolito
Date:
Thanks Daniel.
After adding the password, the ssh connection to the cluster fabmnet now works:

postgres=# \l
                              List of databases
    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
------------+----------+----------+---------+---------+-----------------------
 fabmnet_ca | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
 template1  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
(4 rows)

postgres=# \password
Enter new password:
Enter it again:
postgres=# \q
(base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

And maybe the fact that it's compulsory to add a password is also testified by the fact that changing the ownership of the database, while adding a password, lets me connect with ssh to the database:

postgres=# CREATE USER fabmnet_admin;
CREATE ROLE
postgres=# ALTER USER fabmnet_admin WITH PASSWORD 'A';
ALTER ROLE

postgres=# ALTER DATABASE fabmnet_ca OWNER TO fabmnet_admin;
ALTER DATABASE
postgres=# \l
                                 List of databases
    Name    |     Owner     | Encoding | Collate |  Ctype  |   Access privileges  
------------+---------------+----------+---------+---------+-----------------------
 fabmnet_ca | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |               |          |         |         | postgres=CTc/postgres
 template1  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |               |          |         |         | postgres=CTc/postgres
(4 rows)

(base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet
Password for user postgres:
psql: FATAL:  password authentication failed for user "postgres"
FATAL:  password authentication failed for user "postgres"
(base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet -d fabmnet_ca -U fabmnet_admin
Password for user fabmnet_admin:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
fabmnet_ca=>


Now I have to fix the interface between fabric-ca and postgresql-11 on both sides, and I will let you know how it is going.

Marco

On Fri, 27 Sep 2019 at 13:34, Daniel Verite <daniel@manitou-mail.org> wrote:
        Marco Ippolito wrote:

> (base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
> Password for user postgres:
> psql: FATAL:  password authentication failed for user "postgres"
> FATAL:  password authentication failed for user "postgres"

Did you set a password for the postgres user in that newly created
cluster?
If not, try psql --cluster 11/fabmnet (without -h localhost),
it should connect you without a password,
then set a password with the \password command in psql,
then try again with -h localhost.


Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite

Re: "Failed to connect to Postgres database"

From:
Adrian Klaver
Date:
On 9/27/19 5:58 AM, Marco Ippolito wrote:
> Thanks Daniel.
> After adding the password, the ssh connection to the cluster fabmnet now works:

You might want to take a look at:

https://help.ubuntu.com/lts/serverguide/postgresql.html


> And maybe the fact that it's compulsory to add a password is also testified 
> by the fact that changing the ownership of the database, while 
> adding a password, lets me connect with ssh to the database:

First it is SSL.
Second password and SSL are two different things. This is covered in the 
auth file pg_hba.conf:

https://www.postgresql.org/docs/11/auth-pg-hba-conf.html

What you are seeing below is dependent on whether you connect using a 
host(-h localhost) or a socket(no -h). That behavior is in turn 
determined by the settings in pg_hba.conf.

Also to help down the road when you are setting up the fabric-ca server 
you need to remember you are now running two Postgres servers:

Ver Cluster Port Status Owner    Data directory                 Log file
11  fabmnet 5433 online postgres /var/lib/postgresql/11/fabmnet /var/log/postgresql/postgresql-11-fabmnet.log
11  main    5432 online postgres /var/lib/postgresql/11/main    /var/log/postgresql/postgresql-11-main.log

The most important part is that the fabric server needs to connect to 
the one using port 5433.  FYI, this also means that it is not necessary 
to use the --cluster option to psql. Just set the appropriate port -p 
5432 for main and -p 5433 for fabmnet.

More below.
> 
> postgres=# CREATE USER fabmnet_admin;
> CREATE ROLE
> postgres=# ALTER USER fabmnet_admin WITH PASSWORD 'A';
> ALTER ROLE
> 
> postgres=# ALTER DATABASE fabmnet_ca OWNER TO fabmnet_admin;
> ALTER DATABASE
> postgres=# \l
>                                  List of databases
>     Name    |     Owner     | Encoding | Collate |  Ctype  |   Access privileges
> ------------+---------------+----------+---------+---------+-----------------------
>  fabmnet_ca | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
>  postgres   | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
>  template0  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>             |               |          |         |         | postgres=CTc/postgres
>  template1  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>             |               |          |         |         | postgres=CTc/postgres
> (4 rows)
> 
> (base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet
> Password for user postgres:
> psql: FATAL:  password authentication failed for user "postgres"
> FATAL:  password authentication failed for user "postgres"

This failed because you did not specify a database or username, so by 
default psql used the system user(postgres) as the database name and the 
user name. I'm guessing you do not have a password set up for the 
postgres user yet. Pretty sure if you left off the -h localhost you 
would have connected as Ubuntu sets up trust authentication for postgres 
user on local socket.

> (base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet -d fabmnet_ca -U fabmnet_admin
> Password for user fabmnet_admin:
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
> Type "help" for help.
> fabmnet_ca=>
> 
> 
> Now I have to fix the interface between fabric-ca and postgresql-11 on 
> both sides. And I will let you know how it is going
> 
> Marco
> 
> On Fri, 27 Sep 2019 at 13:34, Daniel Verite <daniel@manitou-mail.org> wrote:
> 
>              Marco Ippolito wrote:
> 
>      > (base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
>      > Password for user postgres:
>      > psql: FATAL:  password authentication failed for user "postgres"
>      > FATAL:  password authentication failed for user "postgres"
> 
>     Did you set a password for the postgres user in that newly created
>     cluster?
>     If not, try psql --cluster 11/fabmnet (without -h localhost),
>     it should connect you without a password,
>     then set a password with the \password command in psql,
>     then try again with -h localhost.
> 
> 
>     Best regards,
>     -- 
>     Daniel Vérité
>     PostgreSQL-powered mailer: http://www.manitou-mail.org
>     Twitter: @DanielVerite
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From:
Marco Ippolito
Date:
Hi Adrian,

thanks to your kind explanation I discovered that I can connect to the db without explicitly naming the cluster it belongs to:

(base) postgres@pc:~$ psql -p5433 -d fabmnet_ca
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" via socket in "/var/run/postgresql" at port "5433".
fabmnet_ca=# \l
                              List of databases
    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
------------+----------+----------+---------+---------+-----------------------
 fabmnet_ca | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
 template1  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
(4 rows)

Now I have to understand how to "transfer" this ssh capability (connecting to the fabmnet_ca db of cluster fabmnet without explicitly calling the cluster) to the fabric-ca-server:

This is what I set in fabric-ca-server-config.yaml :

#db:
#  type: sqlite3
#  datasource: fabric-ca-server.db
#  tls:
#      enabled: false
#      certfiles:
#      client:
#        certfile:
#        keyfile:


db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=pwd dbname=fabmnet_ca sslmode=verify-full
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

Initializing the fabric-ca-server gives "Failed to connect to Postgres database", and postgresql-11-fabmnet.log shows "sslv3 alert bad certificate":

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/27 17:07:27 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/27 17:07:27 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/27 17:07:27 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/27 17:07:27 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159 CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

Why does it say "sslv3 alert bad certificate" if it's exactly the same certificate used when connecting to the same database with SSL in the postgres environment, as shown above?

Marco

On Fri, 27 Sep 2019 at 16:38, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/27/19 5:58 AM, Marco Ippolito wrote:
> Thanks Daniel.
> After adding the password, the ssh connection to the cluster fabmnet now works:

You might want to take a look at:

https://help.ubuntu.com/lts/serverguide/postgresql.html


> And maybe the fact that it's compulsory to add a password is also testified
> by the fact that changing the ownership of the database, while
> adding a password, lets me connect with ssh to the database:

First it is SSL.
Second password and SSL are two different things. This is covered in the
auth file pg_hba.conf:

https://www.postgresql.org/docs/11/auth-pg-hba-conf.html

What you are seeing below is dependent on whether you connect using a
host(-h localhost) or a socket(no -h). That behavior is in turn
determined by the settings in pg_hba.conf.

Also to help down the road when you are setting up the fabric-ca server
you need to remember you are now running two Postgres servers:

Ver Cluster Port Status Owner    Data directory                 Log file
11  fabmnet 5433 online postgres /var/lib/postgresql/11/fabmnet /var/log/postgresql/postgresql-11-fabmnet.log
11  main    5432 online postgres /var/lib/postgresql/11/main    /var/log/postgresql/postgresql-11-main.log

The most important part is that the fabric server needs to connect to
the one using port 5433.  FYI, this also means that it is not necessary
to use the --cluster option to psql. Just set the appropriate port -p
5432 for main and -p 5433 for fabmnet.

More below.
>
> postgres=# CREATE USER fabmnet_admin;
> CREATE ROLE
> postgres=# ALTER USER fabmnet_admin WITH PASSWORD 'A';
> ALTER ROLE
>
> postgres=# ALTER DATABASE fabmnet_ca OWNER TO fabmnet_admin;
> ALTER DATABASE
> postgres=# \l
>                                  List of databases
>     Name    |     Owner     | Encoding | Collate |  Ctype  |   Access privileges
> ------------+---------------+----------+---------+---------+-----------------------
>  fabmnet_ca | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
>  postgres   | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
>  template0  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>             |               |          |         |         | postgres=CTc/postgres
>  template1  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
>             |               |          |         |         | postgres=CTc/postgres
> (4 rows)
>
> (base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet
> Password for user postgres:
> psql: FATAL:  password authentication failed for user "postgres"
> FATAL:  password authentication failed for user "postgres"

This failed because you did not specify a database or username, so by
default psql used the system user (postgres) as the database name and the
user name. I'm guessing you do not have a password set up for the
postgres user yet. Pretty sure if you left off the -h localhost you
would have connected, as Ubuntu sets up trust authentication for the postgres
user on the local socket.

> (base) postgres@pc:~$ psql -h localhost --cluster 11/fabmnet -d fabmnet_ca -U fabmnet_admin
> Password for user fabmnet_admin:
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
> Type "help" for help.
> fabmnet_ca=>
>
>
> Now I have to fix the interface between fabric-ca and postgresql-11 on
> both sides. And I will let you know how it is going
>
> Marco
>
> On Fri, 27 Sep 2019 at 13:34 Daniel Verite <daniel@manitou-mail.org> wrote:
>
>              Marco Ippolito wrote:
>
>      > (base) postgres@pc:~$ psql --cluster 11/fabmnet -h localhost
>      > Password for user postgres:
>      > psql: FATAL:  password authentication failed for user "postgres"
>      > FATAL:  password authentication failed for user "postgres"
>
>     Did you set a password for the postgres user in that newly created
>     cluster?
>     If not, try psql --cluster 11/fabmnet (without -h localhost),
>     it should connect you without a password,
>     then set a password with the \password command in psql,
>     then try again with -h localhost.
>
>
>     Best regards,
>     --
>     Daniel Vérité
>     PostgreSQL-powered mailer: http://www.manitou-mail.org
>     Twitter: @DanielVerite
>


--
Adrian Klaver
adrian.klaver@aklaver.com

Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
Correction of my previous email :

This is the correct ssl connection, not the one before via socket:

(base) postgres@pc:~$ psql -p5433 -h localhost
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=# \l
                              List of databases
    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
------------+----------+----------+---------+---------+-----------------------
 fabmnet_ca | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
 template1  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
(4 rows)

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" on host "localhost" at port "5433".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
postgres=# \q
(base) postgres@pc:~$ psql -p5433 -h localhost -d fabmnet_ca
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" on host "localhost" at port "5433".
fabmnet_ca=# \l
                              List of databases
    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
------------+----------+----------+---------+---------+-----------------------
 fabmnet_ca | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
 template1  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
(4 rows)

fabmnet_ca=#

Anyway, I'm still struggling to understand how to configure the ssh connection of fabric-ca-server to the fabmnet_ca database:

This is what I set in fabric-ca-server-config.yaml :

#db:
#  type: sqlite3
#  datasource: fabric-ca-server.db
#  tls:
#      enabled: false
#      certfiles:
#      client:
#        certfile:
#        keyfile:


db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=pwd dbname=fabmnet_ca sslmode=verify-full
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

Initializing the fabric-ca-server gives "Failed to connect to Postgres database" and in postgresql-11-fabmnet.log : sslv3 alert bad certificate

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/27 17:07:27 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/27 17:07:27 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/27 17:07:27 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/27 17:07:27 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159 CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

Why does it say "sslv3 alert bad certificate" if it's exactly the same certificate used when connecting to the same database with ssl in the postgres environment, as shown above?

Marco

On Fri, 27 Sep 2019 at 17:10 Marco Ippolito <ippolito.marco@gmail.com> wrote:
Hi Adrian,

thanks to your kind explanation I discovered that I can connect to the db without explicitly calling the belonging cluster:

(base) postgres@pc:~$ psql -p5433 -d fabmnet_ca
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" via socket in "/var/run/postgresql" at port "5433".
fabmnet_ca=# \l
                              List of databases
    Name    |  Owner   | Encoding | Collate |  Ctype  |   Access privileges  
------------+----------+----------+---------+---------+-----------------------
 fabmnet_ca | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |
 template0  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
 template1  | postgres | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
            |          |          |         |         | postgres=CTc/postgres
(4 rows)

Now I have to understand how to "transfer" this ssh capability to connect to the fabmnet_ca db of cluster fabmnet, without explicitly calling the cluster, to the fabric-ca-server:

This is what I set in fabric-ca-server-config.yaml :

#db:
#  type: sqlite3
#  datasource: fabric-ca-server.db
#  tls:
#      enabled: false
#      certfiles:
#      client:
#        certfile:
#        keyfile:


db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=pwd dbname=fabmnet_ca sslmode=verify-full
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

Initializing the fabric-ca-server gives "Failed to connect to Postgres database" and in postgresql-11-fabmnet.log : sslv3 alert bad certificate

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/27 17:07:27 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/27 17:07:27 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/27 17:07:27 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/27 17:07:27 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159 CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

Why does it say "sslv3 alert bad certificate" if it's exactly the same certificate used when connecting to the same database with ssl in the postgres environment, as shown above?

Marco


Re: "Failed to connect to Postgres database"

From
Adrian Klaver
Date:
On 9/27/19 8:20 AM, Marco Ippolito wrote:
> Correction of my previous email :
> 
> This is the correct ssl connection, not the one before via socket:

A tip, when troubleshooting be as explicit as possible in your command 
line usage. So for below explicitly state the -d postgres -U postgres. 
This will save you issues with default values and environment values 
that you don't know about changing the command. This is not the issue 
here, just a heads up for future use.

More below.

> 
> (base) postgres@pc:~$ psql -p5433 -h localhost
> Password for user postgres:
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 
> 256, compression: off)

> fabmnet_ca=#
> 
> Anyway, I'm still struggling in understanding how to configure the ssh 
> connection of fabric-ca-server to fabmnet_ca database:
> 
> This is what I set in fabric-ca-server-config.yaml :
> 
> #db:
> #  type: sqlite3
> #  datasource: fabric-ca-server.db
> #  tls:
> #      enabled: false
> #      certfiles:
> #      client:
> #        certfile:
> #        keyfile:
> 
> 
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=pwd dbname=fabmnet_ca sslmode=verify-full

For now I would drop the sslmode or set it to require.
If I am following correctly, if you are using cert authentication with fabric-ca:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

Then you need to fill in the certfile(s) sections. I know you have 
tls.enabled: false. I think that the server is taking the datasource as 
priority and trying a verify-full without the necessary cert 
information. That is why I suggested backing off on the SSL requirements 
to see if you can make a connection. For what the sslmode options mean 
go here:

https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-PARAMKEYWORDS

and search in page for sslmode.

Plan B would be to fill in the certfile(s) information.

As to your question below as to why the psql connection works: you are 
not specifying an sslmode for the connection, so it defaults to an sslmode of:

prefer (default)

     first try an SSL connection; if that fails, try a non-SSL connection

There is no cert authentication going on in that case, so you connect. 
The connection is done using SSL, it just does not verify the cert.



>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:
> 
> Initializing the fabric-ca-server gives "Failed to connect to Postgres database" and in postgresql-11-fabmnet.log : sslv3 alert bad certificate
> 
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/27 17:07:27 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
> 2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
> 2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/27 17:07:27 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
> 2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
> 2019/09/27 17:07:27 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
> 2019/09/27 17:07:27 [INFO] Initialization was successful
> 
> /var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159 CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
> 
> Why does it say "sslv3 alert bad certificate" if it's exactly the same 
> certificate used when connecting to the same database with ssl in the 
> postgres environment, as shown above?
> 
> Marco

-- 
Adrian Klaver
adrian.klaver@aklaver.com
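Adrian's point above, that the sslmode in the datasource decides encryption and verification independently of the tls: block, can be turned into a pre-flight check. The following is an added example and not fabric-ca or PostgreSQL code: it parses the libpq datasource strings from this thread, maps the sslmode onto the guarantees listed in the PostgreSQL 11 libpq documentation Adrian links, and reports the mismatch that produced the bad certificate alert. DBConfig, ParseDatasource, Check and HasFinding are constructed names standing in for the db: block of fabric-ca-server-config.yaml.

```go
package main

import (
	"fmt"
	"strings"
)

// sslModeProps records what a libpq sslmode value guarantees, following the
// sslmode table in the PostgreSQL 11 libpq documentation.
type sslModeProps struct {
	encrypted  string // when the session is encrypted
	verifyCA   bool   // server certificate is checked against a trusted root CA
	verifyHost bool   // server hostname is matched against the certificate
}

var sslModes = map[string]sslModeProps{
	"disable":     {"never", false, false},
	"allow":       {"only if a non-SSL attempt fails", false, false},
	"prefer":      {"if the server supports SSL, otherwise cleartext", false, false},
	"require":     {"always", false, false},
	"verify-ca":   {"always", true, false},
	"verify-full": {"always", true, true},
}

// DBConfig is a constructed stand-in for the db: block of
// fabric-ca-server-config.yaml; it is not fabric-ca's own config type.
type DBConfig struct {
	Datasource string   // db.datasource, a libpq keyword=value string
	TLSEnabled bool     // db.tls.enabled
	CertFiles  []string // db.tls.certfiles: root CA certificates to trust
	ClientCert string   // db.tls.client.certfile
	ClientKey  string   // db.tls.client.keyfile
}

// ParseDatasource splits "host=localhost port=5433 user=postgres ..." into a
// map. Quoted values containing spaces are not handled; the thread uses none.
func ParseDatasource(ds string) map[string]string {
	params := make(map[string]string)
	for _, field := range strings.Fields(ds) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) == 2 {
			params[kv[0]] = kv[1]
		}
	}
	return params
}

// Check returns findings for a db: block, hard failures first and hardening
// advice after. An empty slice means the block is consistent and verified.
func Check(cfg DBConfig) []string {
	var out []string
	p := ParseDatasource(cfg.Datasource)

	mode, set := p["sslmode"]
	if !set {
		mode = "prefer" // libpq default when the keyword is absent
		out = append(out, "sslmode not set: libpq defaults to prefer (encrypted if offered, server never verified)")
	}
	props, known := sslModes[mode]
	if !known {
		return append(out, "unknown sslmode "+mode+": libpq rejects the connection string")
	}

	// verify-ca and verify-full need a CA that vouches for the server
	// certificate. With none configured here, verification of a locally
	// issued certificate fails, the client aborts the handshake and the
	// server side logs a bad certificate alert.
	if props.verifyCA && len(cfg.CertFiles) == 0 {
		out = append(out, "sslmode="+mode+" requests server verification but db.tls.certfiles is empty: "+
			"the handshake fails and PostgreSQL logs a bad certificate alert")
	}
	if props.verifyCA && !cfg.TLSEnabled {
		out = append(out, "sslmode="+mode+" in the datasource while db.tls.enabled is false: the two settings disagree")
	}
	// A client certificate is only usable together with its private key.
	if (cfg.ClientCert == "") != (cfg.ClientKey == "") {
		out = append(out, "db.tls.client needs both certfile and keyfile, or neither")
	}
	// Password authentication over a channel that is unencrypted or unverified.
	if _, hasPw := p["password"]; hasPw {
		switch {
		case mode == "disable":
			out = append(out, "sslmode=disable: the password in the datasource travels in cleartext")
		case !props.verifyCA:
			out = append(out, fmt.Sprintf("sslmode=%s encrypts %s but never verifies the server identity, "+
				"so the password is exposed to a spoofed server", mode, props.encrypted))
		}
	}
	return out
}

// HasFinding reports whether any finding mentions substr.
func HasFinding(findings []string, substr string) bool {
	for _, f := range findings {
		if strings.Contains(f, substr) {
			return true
		}
	}
	return false
}

func main() {
	// The three datasources tried in the thread, in order (constructed inputs).
	for _, ds := range []string{
		"host=localhost port=5433 user=postgres password=pwd dbname=fabmnet_ca sslmode=verify-full",
		"host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=allow",
		"host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=disable",
	} {
		fmt.Println(ds)
		for _, f := range Check(DBConfig{Datasource: ds}) {
			fmt.Println("  -", f)
		}
	}
}
```

The clean result (no findings) is the configuration Adrian calls plan B: sslmode=verify-full together with tls.enabled true and a root CA in certfiles.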



Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
Thank you very much Adrian.
Two things:

1)
 Why, if I just specify the cluster through the port and the host, do I connect correctly with SSL,
 but if I also specify the database and the user, it connects but doesn't use an SSL connection, or at least doesn't say it uses SSL?:

(base) postgres@pc:~$ psql -p5433 -h localhost
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" on host "localhost" at port "5433".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)


(base) postgres@pc:~$ psql -p5433 -h localhost -d fabmnet_ca -U postgres
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" on host "localhost" at port "5433".
fabmnet_ca=#

2)
In fabric-ca-server-config.yaml 

  a) if I set:

    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=allow
      tls:
          enabled: false
          certfiles:
          client:
            certfile:
            keyfile:

    where sslmode=allow means "first try a non-SSL connection; if that fails, try an SSL connection"

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
    2019/09/27 19:37:46 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:37:46 [INFO] Server Version: 1.4.4
    2019/09/27 19:37:46 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:37:46 [INFO] The CA key and certificate already exist
    2019/09/27 19:37:46 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:37:46 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'fabmnet_ca'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'postgres'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'template1'
    2019/09/27 19:37:46 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
    2019/09/27 19:37:46 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:37:46 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log  :
        2019-09-27 19:43:14.194 CEST [3213] postgres@fabmnet_ca FATAL:  client certificates can only be checked if a root certificate store is available

  b) if I set:
    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=disable
      tls:
        enabled: false
        certfiles:
        client:
          certfile:
          keyfile:

   
    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
    2019/09/27 19:55:03 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:55:03 [INFO] Server Version: 1.4.4
    2019/09/27 19:55:03 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:55:03 [INFO] The CA key and certificate already exist
    2019/09/27 19:55:03 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:55:03 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:55:03 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:55:03 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:55:03 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:55:03 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:55:03 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log :
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca ERROR:  database "fabmnet_ca" already exists
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca STATEMENT:  CREATE DATABASE fabmnet_ca

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
    2019/09/27 19:57:58 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:57:58 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Server Version: 1.4.4
    2019/09/27 19:57:58 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:57:58 [INFO] The CA key and certificate already exist
    2019/09/27 19:57:58 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:57:58 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:57:58 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:57:58 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:57:58 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:57:58 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Operation Server Listening on 127.0.0.1:9443
    2019/09/27 19:57:58 [INFO] Listening on http://0.0.0.0:7054

Does it mean that in order to use postgresql-11 with fabric-ca I have to use only a socket connection?
And if this is the case, why?

Marco


Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
Sorry again,
I was cheering up too quickly.
With this configuration in fabric-ca-server-config.yaml :
    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=disable
      tls:
        enabled: false
        certfiles:
        client:
          certfile:
          keyfile:

the output of starting fabric-ca-server at first glance seems ok:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/27 20:11:43 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/27 20:11:44 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/27 20:11:44 [INFO] Server Version: 1.4.4
2019/09/27 20:11:44 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/27 20:11:44 [INFO] The CA key and certificate already exist
2019/09/27 20:11:44 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/27 20:11:44 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/27 20:11:44 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
2019/09/27 20:11:44 [INFO] The Idemix issuer public and secret key files already exist
2019/09/27 20:11:44 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
2019/09/27 20:11:44 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
2019/09/27 20:11:44 [INFO] The Idemix issuer revocation public and secret key files already exist
2019/09/27 20:11:44 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
2019/09/27 20:11:44 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
2019/09/27 20:11:44 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/27 20:11:44 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/27 20:11:44 [INFO] Listening on http://0.0.0.0:7054

but the /var/log/postgresql/postgresql-11-fabmnet.log gives us a different, not so bright, perspective:

2019-09-27 20:11:44.012 CEST [3450] postgres@fabmnet_ca ERROR:  database "fabmnet_ca" already exists
2019-09-27 20:11:44.012 CEST [3450] postgres@fabmnet_ca STATEMENT:  CREATE DATABASE fabmnet_ca
2019-09-27 20:11:44.015 CEST [3451] postgres@fabmnet_ca ERROR:  duplicate key value violates unique constraint "properties_pkey"
2019-09-27 20:11:44.015 CEST [3451] postgres@fabmnet_ca DETAIL:  Key (property)=(identity.level) already exists.
2019-09-27 20:11:44.015 CEST [3451] postgres@fabmnet_ca STATEMENT:  INSERT INTO properties (property, value) VALUES ('identity.level', '0'), ('affiliation.level', '0'), ('certificate.level', '0'), ('cred$
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca ERROR:  duplicate key value violates unique constraint "affiliations_name_key"
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca DETAIL:  Key (name)=(org2) already exists.
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca STATEMENT:
        INSERT INTO affiliations (name, prekey, level)
                VALUES ($1, $2, $3)
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca ERROR:  duplicate key value violates unique constraint "affiliations_name_key"
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca DETAIL:  Key (name)=(org2.department1) already exists.
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca STATEMENT:
        INSERT INTO affiliations (name, prekey, level)
                VALUES ($1, $2, $3)
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca ERROR:  duplicate key value violates unique constraint "affiliations_name_key"
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca DETAIL:  Key (name)=(org1) already exists.
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca STATEMENT:
        INSERT INTO affiliations (name, prekey, level)
                VALUES ($1, $2, $3)
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca ERROR:  duplicate key value violates unique constraint "affiliations_name_key"
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca DETAIL:  Key (name)=(org1.department1) already exists.
2019-09-27 20:11:44.017 CEST [3451] postgres@fabmnet_ca STATEMENT:
        INSERT INTO affiliations (name, prekey, level)
                VALUES ($1, $2, $3)


What do these repeated duplicate key value errors mean? This fabric-ca-server connection with PostgreSQL 11's database doesn't look so good ...

Marco

On Fri 27 Sep 2019 at 20:02 Marco Ippolito <ippolito.marco@gmail.com> wrote:
Thank you very much Adrian.
Two things:

1)
 Why, if I just specify the cluster through the port and the host, do I connect correctly with SSL,
 but if I also specify the database and the user, does it not use an SSL connection, or at least not say it uses SSL? :

(base) postgres@pc:~$ psql -p5433 -h localhost
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" on host "localhost" at port "5433".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)


(base) postgres@pc:~$ psql -p5433 -h localhost -d fabmnet_ca -U postgres
Password for user postgres:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
Type "help" for help.

fabmnet_ca=# \conninfo
You are connected to database "fabmnet_ca" as user "postgres" on host "localhost" at port "5433".
fabmnet_ca=#

2)
In fabric-ca-server-config.yaml 

  a) if I set:

    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=allow
      tls:
          enabled: false
          certfiles:
          client:
            certfile:
            keyfile:

    where sslmode=allow means "first try a non-SSL connection; if that fails, try an SSL connection"

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
    2019/09/27 19:37:46 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:37:46 [INFO] Server Version: 1.4.4
    2019/09/27 19:37:46 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:37:46 [INFO] The CA key and certificate already exist
    2019/09/27 19:37:46 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:37:46 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'fabmnet_ca'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'postgres'
    2019/09/27 19:37:46 [WARNING] Failed to connect to database 'template1'
    2019/09/27 19:37:46 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases
    were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
    2019/09/27 19:37:46 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:37:46 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log  :
        2019-09-27 19:43:14.194 CEST [3213] postgres@fabmnet_ca FATAL:  client certificates can only be checked if a root certificate store is available

  b) if I set:
    db:
      type: postgres
      datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=disable
      tls:
        enabled: false
        certfiles:
        client:
          certfile:
          keyfile:

   
     (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
     2019/09/27 19:55:03 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:55:03 [INFO] Server Version: 1.4.4
    2019/09/27 19:55:03 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:55:03 [INFO] The CA key and certificate already exist
    2019/09/27 19:55:03 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:55:03 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:55:03 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:55:03 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:55:03 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:55:03 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:55:03 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:55:03 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:55:03 [INFO] Initialization was successful

    /var/log/postgresql/postgresql-11-fabmnet.log :
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca ERROR:  database "fabmnet_ca" already exists
        2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca STATEMENT:  CREATE DATABASE fabmnet_ca

    (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
    2019/09/27 19:57:58 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
    2019/09/27 19:57:58 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Server Version: 1.4.4
    2019/09/27 19:57:58 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    2019/09/27 19:57:58 [INFO] The CA key and certificate already exist
    2019/09/27 19:57:58 [INFO] The key is stored by BCCSP provider 'SW'
    2019/09/27 19:57:58 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
    2019/09/27 19:57:58 [INFO] Initialized postgres database at host=localhost port=5433 user=**** password=**** dbname=fabmnet_ca sslmode=disable
    2019/09/27 19:57:58 [INFO] The Idemix issuer public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    secret key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerPublicKey
    2019/09/27 19:57:58 [INFO] The Idemix issuer revocation public and secret key files already exist
    2019/09/27 19:57:58 [INFO]    private key file location: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
    2019/09/27 19:57:58 [INFO]    public key file location: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey
    2019/09/27 19:57:58 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
    2019/09/27 19:57:58 [INFO] Operation Server Listening on 127.0.0.1:9443
    2019/09/27 19:57:58 [INFO] Listening on http://0.0.0.0:7054

Does it mean that in order to use postgresql-11 with fabric-ca I have to use only socket connection?
And if this is the case, why?

Marco

On Fri 27 Sep 2019 at 18:37 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/27/19 8:20 AM, Marco Ippolito wrote:
> Correction of my previous email :
>
> This is the correct ssl connection, not the one before via socket:

A tip, when troubleshooting be as explicit as possible in your command
line usage. So for below explicitly state the -d postgres -U postgres.
This will save you issues with default values and environment values
that you don't know about changing the command. This is not the issue
here, just a heads up for future use.

More below.

>
> (base) postgres@pc:~$ psql -p5433 -h localhost
> Password for user postgres:
> psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits:
> 256, compression: off)

> fabmnet_ca=#
>
> Anyway, I'm still struggling in understanding how to configure the ssh
> connection of fabric-ca-server to fabmnet_ca database:
>
> This is what I set in fabric-ca-server-config.yaml :
>
> #db:
> #  type: sqlite3
> #  datasource: fabric-ca-server.db
> #  tls:
> #      enabled: false
> #      certfiles:
> #      client:
> #        certfile:
> #        keyfile:
>
>
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=pwd
> dbname=fabmnet_ca sslmode=verify-full

For now I would drop the sslmode or set it to require.
If I am following correctly, if you are using cert authentication with fabric-ca:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

Then you need to fill in the certfile(s) sections. I know you have
tls.enabled: false. I think that the server is taking the datasource as
priority and trying a verify-full without the necessary cert
information. That is why I suggested backing off on the SSL requirements
to see if you can make a connection. For what the sslmode options mean
go here:

https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-PARAMKEYWORDS

and search in page for sslmode.

Plan B would be to fill in the certfile(s) information.

As to your question below as to why the psql connection works: you are
not specifying an sslmode for the connection, so it defaults to an sslmode of:

prefer (default)

     first try an SSL connection; if that fails, try a non-SSL connection

There is no cert authentication going on in that case, so you connect.
The connection is done using SSL, it just does not verify the cert.



>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:
>
> Initializing the fabric-ca-server gives "Failed to connect to Postgres
> database" and in postgresql-11-fabmnet.log : sslv3 alert bad certificate
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/27 17:07:27 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/27 17:07:27 [INFO] Server Version: 1.4.4
> 2019/09/27 17:07:27 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/27 17:07:27 [INFO] The CA key and certificate already exist
> 2019/09/27 17:07:27 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/27 17:07:27 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'postgres'
> 2019/09/27 17:07:27 [WARNING] Failed to connect to database 'template1'
> 2019/09/27 17:07:27 [ERROR] Error occurred initializing database: Failed
> to connect to Postgres database. Postgres requires connecting to a
> specific database, the following databases were tried: [fabmnet_ca
> postgres template1]. Please create one of these database before continuing
> 2019/09/27 17:07:27 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/27 17:07:27 [INFO] Initialization was successful
>
> /var/log/postgresql/postgresql-11-fabmnet.log : 2019-09-27 17:07:27.159
> CEST [6626] [unknown]@[unknown] LOG:  could not accept SSL connection:
> sslv3 alert bad certificate
>
> Why does it say "sslv3 alert bad certificate" if it's exactly the same
> certificate used when connecting to the same database with ssl in
> the postgres environment as shown above?
>
> Marco

--
Adrian Klaver
adrian.klaver@aklaver.com

Re: "Failed to connect to Postgres database"

From
Adrian Klaver
Date:
On 9/27/19 11:02 AM, Marco Ippolito wrote:
> Thank you very much Adrian.
> Two things:
> 
> 1)
>   Why if I just specify through port the cluster and the host connection 
> I connect correctly with SSL,
>   but if I specify also the database and the user it connects it doesn't 
> use SSL connection, or at least it doesn't say it uses SSL? :


Can you show the contents of  pg_hba.conf file for the 11/fabmnet 
cluster. The file will be in:

/etc/postgresql/11/fabmnet/


More below.

> 
> 2)
> In fabric-ca-server-config.yaml
> 
>    a) if I set:
> 
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=postgres password=1234 
> dbname=fabmnet_ca sslmode=allow

According to the fabric-ca docs, allow is not one of the valid values:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

"Specifying sslmode configures the type of SSL authentication. Valid 
values for sslmode are:

Mode         Description
disable      No SSL
require      Always SSL (skip verification)
verify-ca    Always SSL (verify that the certificate presented by the server
             was signed by a trusted CA)
verify-full  Same as verify-ca AND verify that the certificate presented by the
             server was signed by a trusted CA and the server hostname matches
             the one in the certificate

"


>        tls:
>            enabled: false
>            certfiles:
>            client:
>              certfile:
>              keyfile:
> 
>      where sslmode=allow means "first try a non-SSL connection; if that 
> fails, try an SSL connection"

> 
>      /var/log/postgresql/postgresql-11-fabmnet.log  :
>          2019-09-27 19:43:14.194 CEST [3213] postgres@fabmnet_ca FATAL: 
>   client certificates can only be checked if a root certificate store is 
> available

The above tells me that the start is ignoring sslmode=allow and rolling 
over into a verification mode and there are no certs specified. Please 
do as requested and try sslmode=require.

More below.

> 
>    b) if I set:
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=postgres password=1234 
> dbname=fabmnet_ca sslmode=disable
>        tls:
>          enabled: false
>          certfiles:
>          client:
>            certfile:
>            keyfile:
> 
> 

> 
>      /var/log/postgresql/postgresql-11-fabmnet.log :
>          2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca ERROR: 
>   database "fabmnet_ca" already exists
>          2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca 
> STATEMENT:  CREATE DATABASE fabmnet_ca

The fabmnet_ca database has already been created.

> 
> Does it mean that in order to use postgresql-11 with fabric-ca I have to 
> use only socket connection?
> And if this is the case, why?

No, you connected to localhost, though without SSL. Try again with 
sslmode=require and I am pretty sure you will connect with SSL, but no 
cert verification.

> 
> Marco
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From
Adrian Klaver
Date:
On 9/27/19 11:19 AM, Marco Ippolito wrote:
> Sorry again,
> I was cheering up too quickly.
> With this configuration in fabric-ca-server-config.yaml :
>     db:
>        type: postgres
>        datasource: host=localhost port=5433 user=postgres password=1234 
> dbname=fabmnet_ca sslmode=disable
>        tls:
>          enabled: false
>          certfiles:
>          client:
>            certfile:
>            keyfile:
> 
> the output of  starting fabric-ca-server at first glance seems ok:
> 

> 2019/09/27 20:11:44 [INFO] Operation Server Listening on 127.0.0.1:9443
> 2019/09/27 20:11:44 [INFO] Listening on http://0.0.0.0:7054

So the server is up and running.

> 
> but the /var/log/postgresql/postgresql-11-fabmnet.log gives us a 
> different, not so bright, perspective:



> 
> What do these continuous attempts to duplicate key value mean? It 
> doesn't look so good this fabric-ca-server connection with postgresql-11 
> 's db ...

Looks to me like the fabric server is trying to reinitialize the database 
again with values that already exist. I do not pretend to know what the 
fabric-ca server is up to. You might have better luck with that part of 
it here:

https://lists.hyperledger.org/g/main

> 
> Marco
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
Hi Adrian,

On Fri 27 Sep 2019 at 21:39 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/27/19 11:02 AM, Marco Ippolito wrote:
> Thank you very much Adrian.
> Two things:
>
> 1)
>   Why if I just specify through port the cluster and the host connection
> I connect correctly with SSL,
>   but if I specify also the database and the user it connects it doesn't
> use SSL connection, or at least it doesn't say it uses SSL? :


Can you show the contents of  pg_hba.conf file for the 11/fabmnet
cluster. The file will be in:

/etc/postgresql/11/fabmnet/




/etc/postgresql/11/fabmnet/pg_hba.conf  :

# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# Allow connections from localhost only to fabmnet_ca for postgres user
hostssl fabmnet_ca      postgres        localhost               cert

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5


 
More below.

>
> 2)
> In fabric-ca-server-config.yaml
>
>    a) if I set:
>
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=postgres password=1234
> dbname=fabmnet_ca sslmode=allow

According to the fabric-ca docs, allow is not one of the valid values:

https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#postgresql

"Specifying sslmode configures the type of SSL authentication. Valid
values for sslmode are:

Mode         Description
disable      No SSL
require      Always SSL (skip verification)
verify-ca    Always SSL (verify that the certificate presented by the server
             was signed by a trusted CA)
verify-full  Same as verify-ca AND verify that the certificate presented by the
             server was signed by a trusted CA and the server hostname matches
             the one in the certificate

"


>        tls:
>            enabled: false
>            certfiles:
>            client:
>              certfile:
>              keyfile:
>
>      where sslmode=allow means "first try a non-SSL connection; if that
> fails, try an SSL connection"

>
>      /var/log/postgresql/postgresql-11-fabmnet.log  :
>          2019-09-27 19:43:14.194 CEST [3213] postgres@fabmnet_ca FATAL:
>   client certificates can only be checked if a root certificate store is
> available

The above tells me that the start is ignoring sslmode=allow and rolling
over into a verification mode and there are no certs specified. Please
do as requested and try sslmode=require.

More below.

>
>    b) if I set:
>      db:
>        type: postgres
>        datasource: host=localhost port=5433 user=postgres password=1234
> dbname=fabmnet_ca sslmode=disable
>        tls:
>          enabled: false
>          certfiles:
>          client:
>            certfile:
>            keyfile:
>
>

>
>      /var/log/postgresql/postgresql-11-fabmnet.log :
>          2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca ERROR:
>   database "fabmnet_ca" already exists
>          2019-09-27 19:55:03.691 CEST [3313] postgres@fabmnet_ca
> STATEMENT:  CREATE DATABASE fabmnet_ca

The fabmnet_ca database has already been created.

>
> Does it mean that in order to use postgresql-11 with fabric-ca I have to
> use only socket connection?
> And if this is the case, why?

No, you connected to localhost, though without SSL. Try again with
sslmode=require and I am pretty sure you will connect with SSL, but no
cert verification.

>
> Marco
>





fabric-ca-server-config.yaml : sslmode=require
db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:


(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/28 09:00:08 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/28 09:00:08 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/28 09:00:08 [ERROR] Error occurred initializing database: Failed to create Postgres tables: Error creating users table: pq: client certificates can only be checked if a root certificate store is available
2019/09/28 09:00:08 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/28 09:00:08 [INFO] Initialization was successful


/var/log/postgresql/postgresql-11-fabmnet.log  :

2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client certificates can only be checked if a root certificate store is available
2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database "fabmnet_ca" already exists
2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:  CREATE DATABASE fabmnet_ca
2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client certificates can only be checked if a root certificate store is available
2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not receive data from client: Connection reset by peer
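To see which rule in the posted pg_hba.conf a given connection actually hits, here is an added example (not code from the thread, from PostgreSQL or from fabric-ca) that parses the rules in the order Marco posted them and returns the first match, the way the server evaluates the file top-down. It shows that a connection arriving from 127.0.0.1 hits the `host all all 127.0.0.1/32 md5` rule before the `hostssl fabmnet_ca postgres localhost cert` rule can apply, while a connection to fabmnet_ca as postgres arriving over ::1 hits the cert rule when SSL is used and the `::1/128 md5` rule when it is not, so whether `-h localhost` resolves to IPv4 or IPv6 changes the method. It also handles the `+ssl_fabric_ca_certusers` group form used further down the thread. Assumptions of this example: a hostname in the ADDRESS column is understood only for `localhost` (taken to mean a loopback client address; real PostgreSQL does a reverse and forward DNS check), `+group` membership comes from the constructed `GROUPS` map, and options after the METHOD column such as `clientcert=1` are kept but not enforced.

```python
"""pg_hba.conf first-match simulator (added example; not code from the thread,
from PostgreSQL or from fabric-ca). See the simplifications noted in the text:
"localhost" means a loopback client address, "+group" comes from GROUPS, and
method options are parsed but not enforced."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Rules in the order posted in the thread (the IPv4 md5 rule precedes the hostssl rule).
PG_HBA_TEXT = """
local   all             postgres                                peer
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# Allow connections from localhost only to fabmnet_ca for postgres user
hostssl fabmnet_ca      postgres        localhost               cert
# IPv6 local connections:
host    all             all             ::1/128                 md5
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
"""

# Constructed role membership used to resolve "+group" user entries (assumption).
GROUPS = {"ssl_fabric_ca_certusers": {"postgres", "fabric_ca"}}


@dataclass
class Rule:
    conn_type: str            # local | host | hostssl | hostnossl
    databases: List[str]
    users: List[str]
    address: Optional[str]    # CIDR or hostname; None for local (Unix socket) rules
    method: str
    options: List[str] = field(default_factory=list)
    lineno: int = 0


@dataclass
class Connection:
    database: str
    user: str
    ssl: bool
    client_addr: Optional[str]   # None means a Unix-domain socket connection
    replication: bool = False


def parse_pg_hba(text: str) -> List[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            if len(parts) < 4:
                raise ValueError(f"line {lineno}: malformed local rule")
            db, user, addr, method, opts = parts[1], parts[2], None, parts[3], parts[4:]
        else:
            if len(parts) < 5:
                raise ValueError(f"line {lineno}: malformed host rule")
            db, user, addr, method, opts = parts[1], parts[2], parts[3], parts[4], parts[5:]
        rules.append(Rule(parts[0], db.split(","), user.split(","), addr, method, opts, lineno))
    return rules


def _type_matches(rule: Rule, conn: Connection) -> bool:
    if rule.conn_type == "local":
        return conn.client_addr is None
    if conn.client_addr is None:
        return False
    return {"host": True, "hostssl": conn.ssl, "hostnossl": not conn.ssl}.get(rule.conn_type, False)


def _db_matches(rule: Rule, conn: Connection) -> bool:
    # "all" never matches a replication connection; only the keyword "replication" does.
    if conn.replication:
        return "replication" in rule.databases
    return any(db in ("all", conn.database) for db in rule.databases if db != "replication")


def _user_matches(rule: Rule, conn: Connection) -> bool:
    for u in rule.users:
        if u == "all" or u == conn.user:
            return True
        if u.startswith("+") and conn.user in GROUPS.get(u[1:], set()):
            return True
    return False


def _addr_matches(rule: Rule, conn: Connection) -> bool:
    if rule.address is None:
        return True
    ip = ipaddress.ip_address(conn.client_addr)
    if rule.address == "localhost":          # simplification: loopback only
        return ip.is_loopback
    try:
        net = ipaddress.ip_network(rule.address, strict=False)
    except ValueError:
        return False                         # other hostnames are not resolved here
    return ip.version == net.version and ip in net


def first_match(rules: List[Rule], conn: Connection) -> Optional[Rule]:
    """pg_hba.conf is evaluated top-down; the first matching rule decides the
    auth method even if a later rule is more specific."""
    for rule in rules:
        if (_type_matches(rule, conn) and _db_matches(rule, conn)
                and _user_matches(rule, conn) and _addr_matches(rule, conn)):
            return rule
    return None


def explain(conn: Connection, text: str = PG_HBA_TEXT) -> str:
    rule = first_match(parse_pg_hba(text), conn)
    if rule is None:
        return "no matching rule: the server rejects the connection"
    return f"line {rule.lineno}: {rule.conn_type} -> {rule.method} {' '.join(rule.options)}".rstrip()


if __name__ == "__main__":
    for c in (Connection("fabmnet_ca", "postgres", True, "127.0.0.1"),
              Connection("fabmnet_ca", "postgres", True, "::1"),
              Connection("fabmnet_ca", "postgres", False, "::1")):
        print(c, "=>", explain(c))
```

Run it with the candidate pg_hba.conf text and the exact client address psql ends up using; moving the `hostssl ... cert` line above the broader `host all all` lines is what makes cert authentication actually apply to loopback connections.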

 

Re: "Failed to connect to Postgres database"

From
Adrian Klaver
Date:
On 9/28/19 12:07 AM, Marco Ippolito wrote:
> Hi Adrian,
> 
> On Fri 27 Sep 2019 at 21:39 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> 
>     On 9/27/19 11:02 AM, Marco Ippolito wrote:
>      > Thank you very much Adrian.
>      > Two things:
>      >
>      > 1)
>      >   Why if I just specify through port the cluster and the host
>     connection
>      > I connect correctly with SSL,
>      >   but if I specify also the database and the user it connects it
>     doesn't
>      > use SSL connection, or at least it doesn't say it uses SSL? :
> 
> 
>     Can you show the contents of  pg_hba.conf file for the 11/fabmnet
>     cluster. The file will be in:
> 
>     /etc/postgresql/11/fabmnet/
> 
> 
> 
> 
> /etc/postgresql/11/fabmnet/pg_hba.conf  :
> 
> # Database administrative login by Unix domain socket
> local   all             postgres                                peer
> 
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
> 
> # "local" is for Unix domain socket connections only
> local   all             all                                     peer
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            md5
> 
> # Allow connections from localhost only to fabmnet_ca for postgres user
> hostssl fabmnet_ca      postgres        localhost               cert
> 
> # IPv6 local connections:
> host    all             all             ::1/128                 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local   replication     all                                     peer
> host    replication     all             127.0.0.1/32            md5
> host    replication     all             ::1/128                 md5
> 

> fabric-ca-server-config.yaml : sslmode=require
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=1234 
> dbname=fabmnet_ca sslmode=require
>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:

You are not including the certs or setting tls.enabled: true. Not sure 
that is the root cause at the moment.

I would try just going through psql for the time being to take the 
fabric server out of the loop. Something like:

psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres 
sslmode=require"

From below I am guessing you do not have the SSL certs set up properly 
for the fabmnet Postgres instance (the one on port 5433) and/or on the 
client. Take a look at:

https://www.postgresql.org/docs/11/libpq-ssl.html

> 
> 
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/28 09:00:08 [INFO] Configuration file location: 
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
> 2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1 
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
> 2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/28 09:00:08 [INFO] The certificate is at: 
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/28 09:00:08 [ERROR] Error occurred initializing database: Failed 
> to create Postgres tables: Error creating users table: pq: client 
> certificates can only be checked if a root certificate store is available
> 2019/09/28 09:00:08 [INFO] Home directory for default CA: 
> /home/marco/fabric/fabric-ca
> 2019/09/28 09:00:08 [INFO] Initialization was successful
> 
> 
> /var/log/postgresql/postgresql-11-fabmnet.log  :
> 
> 2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client 
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database 
> "fabmnet_ca" already exists
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:  CREATE 
> DATABASE fabmnet_ca
> 2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client 
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not 
> receive data from client: Connection reset by peer
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: "Failed to connect to Postgres database"

From
Marco Ippolito
Date:
I created and modified these files:
CA:

root@pc:/home/marco# ls -lah /etc/ssl/private/fabric_ca.key
-rw-r----- 1 root ssl-cert 1.8K Sep 30 14:50 /etc/ssl/private/fabric_ca.key

(base) marco@pc:~$ ls -lah /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1.3K Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -lah /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt
(base) marco@pc:~$

PostgreSQL-Server:

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.key
-r-------- 1 postgres postgres 1.7K Sep 30 16:05 /var/lib/postgresql/11/fabmnet/server.key

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.crt
-rw-r--r-- 1 postgres postgres 1.2K Sep 30 16:34 /var/lib/postgresql/11/fabmnet/server.crt

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/root.crt
-rw------- 1 postgres postgres 1.4K Sep 30 13:39 /var/lib/postgresql/11/fabmnet/root.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1302 Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
-rw------- 1 root root 1354 Sep 30 17:12 /usr/local/share/ca-certificates/fabric_ca_postgresql.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca_postgresql.pem
lrwxrwxrwx 1 root root 57 Sep 30 17:12 /etc/ssl/certs/fabric_ca_postgresql.pem -> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt


I set /etc/postgresql/11/fabmnet/pg_hba.conf  in this way:


# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# Allow connections from localhost only to fabmnet_ca for postgres user clientcert
hostssl fabmnet_ca      +ssl_fabric_ca_certusers        192.168.1.0/24  cert    clientcert=1

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

PostgreSQL-client:

(base) marco@pc:~$ ls -ltr ~/.postgresql/root.crt
-rw------- 1 postgres postgres 1354 Sep 30 17:22 /home/marco/.postgresql/root.crt

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.key
-r-------- 1 postgres postgres 887 Sep 30 17:23 /home/marco/.postgresql/postgresql.key

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.crt
-rw-r--r-- 1 postgres postgres 1001 Sep 30 17:25 /home/marco/.postgresql/postgresql.crt

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: true
      certfiles:
      client:
        certfile: /var/lib/postgresql/11/fabmnet/server.crt
        keyfile: /var/lib/postgresql/11/fabmnet/server.key



(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:54:02 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:54:02 [INFO] Server Version: 1.4.4
2019/09/30 17:54:02 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:54:02 [INFO] The CA key and certificate already exist
2019/09/30 17:54:02 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:54:02 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:54:02 [ERROR] Error occurred initializing database: No trusted root certificates for TLS were provided
2019/09/30 17:54:02 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:54:02 [INFO] Initialization was successful

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:56:22 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:56:22 [INFO] Server Version: 1.4.4
2019/09/30 17:56:22 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:56:22 [INFO] The CA key and certificate already exist
2019/09/30 17:56:22 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:56:22 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'postgres'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'template1'
2019/09/30 17:56:22 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/30 17:56:22 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:56:22 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log:

2019-09-30 17:56:22.760 CEST [10651] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10650] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10649] [unknown]@[unknown] LOG:  incomplete startup packet

What could it mean?

Marco

On Sat, 28 Sep 2019 at 23:49 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/28/19 12:07 AM, Marco Ippolito wrote:
> Hi Adrian,
>
> On Fri, 27 Sep 2019 at 21:39 Adrian Klaver
> <adrian.klaver@aklaver.com> wrote:
>
>     On 9/27/19 11:02 AM, Marco Ippolito wrote:
>      > Thank you very much Adrian.
>      > Two things:
>      >
>      > 1)
>      >   Why if I just specify through port the cluster and the host
>     connection
>      > I connect correctly with SSL,
>      >   but if I specify also the database and the user it connects it
>     doesn't
>      > use SSL connection, or at least it doesn't say it uses SSL? :
>
>
>     Can you show the contents of  pg_hba.conf file for the 11/fabmnet
>     cluster. The file will be in:
>
>     /etc/postgresql/11/fabmnet/
>
>
>
>
> /etc/postgresql/11/fabmnet/pg_hba.conf:
>
> # Database administrative login by Unix domain socket
> local   all             postgres                                peer
>
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>
> # "local" is for Unix domain socket connections only
> local   all             all                                     peer
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            md5
>
> # Allow connections from localhost only to fabmnet_ca for postgres user
> hostssl fabmnet_ca      postgres        localhost               cert
>
> # IPv6 local connections:
> host    all             all             ::1/128                 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local   replication     all                                     peer
> host    replication     all             127.0.0.1/32            md5
> host    replication     all             ::1/128                 md5
>

> fabric-ca-server-config.yaml : sslmode=require
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=1234
> dbname=fabmnet_ca sslmode=require
>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:

You are not including the certs or setting tls.enabled: true. Not sure
that is the root cause at the moment.

I would try just going through psql for the time being to take the
fabric server out of the loop. Something like:

psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres
sslmode=require"

From below I am guessing you do not have the SSL certs set up properly
for the fabmnet Postgres instance (the one on port 5433) and/or on the
client. Take a look at:

https://www.postgresql.org/docs/11/libpq-ssl.html

>
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/28 09:00:08 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
> 2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
> 2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/28 09:00:08 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/28 09:00:08 [ERROR] Error occurred initializing database: Failed
> to create Postgres tables: Error creating users table: pq: client
> certificates can only be checked if a root certificate store is available
> 2019/09/28 09:00:08 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/28 09:00:08 [INFO] Initialization was successful
>
>
> /var/log/postgresql/postgresql-11-fabmnet.log:
>
> 2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database
> "fabmnet_ca" already exists
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:  CREATE
> DATABASE fabmnet_ca
> 2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not
> receive data from client: Connection reset by peer
>


--
Adrian Klaver
adrian.klaver@aklaver.com

Re: "Failed to connect to Postgres database" : No usage specified for certificate (update)

From
Marco Ippolito
Date:
Hi Adrian,
important update.

After adding this to fabric-ca-server-config.yaml:

ca:
  # Name of this CA
  name: fabric_ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile: /etc/ssl/private/fabric_ca.key
  # Certificate file (default: ca-cert.pem)
  certfile: /etc/ssl/certs/fabric_ca.pem
  # Chain file
  chainfile:

Now I get this message:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 18:10:41 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 18:10:41 [INFO] Server Version: 1.4.4
2019/09/30 18:10:41 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 18:10:41 [INFO] The CA key and certificate files already exist
2019/09/30 18:10:41 [INFO] Key file location: /etc/ssl/private/fabric_ca.key
2019/09/30 18:10:41 [INFO] Certificate file location: /etc/ssl/certs/fabric_ca.pem
2019/09/30 18:10:41 [FATAL] Initialization failure: Validation of certificate and key failed: Invalid certificate in file '/etc/ssl/certs/fabric_ca.pem': No usage specified for certificate

This is the start of /etc/ssl/certs/fabric_ca.pem:

-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIUCm243lybs0PNfAEdgbuw0chmjWkwDQYJKoZIhvcNAQEL

and this is its end:
xNItFJulgsA1
-----END CERTIFICATE-----

What does "No usage specified for certificate" mean?


On Mon, 30 Sep 2019 at 18:01 Marco Ippolito <ippolito.marco@gmail.com> wrote:
I created and modified these files:
CA:

root@pc:/home/marco# ls -lah /etc/ssl/private/fabric_ca.key
-rw-r----- 1 root ssl-cert 1.8K Sep 30 14:50 /etc/ssl/private/fabric_ca.key

(base) marco@pc:~$ ls -lah /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1.3K Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -lah /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt
(base) marco@pc:~$

PostgreSQL-Server:

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.key
-r-------- 1 postgres postgres 1.7K Sep 30 16:05 /var/lib/postgresql/11/fabmnet/server.key

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/server.crt
-rw-r--r-- 1 postgres postgres 1.2K Sep 30 16:34 /var/lib/postgresql/11/fabmnet/server.crt

(base) postgres@pc:~$ ls -lah /var/lib/postgresql/11/fabmnet/root.crt
-rw------- 1 postgres postgres 1.4K Sep 30 13:39 /var/lib/postgresql/11/fabmnet/root.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca.crt
-rw-r--r-- 1 root root 1302 Sep 30 15:43 /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /usr/local/share/ca-certificates/fabric_ca_postgresql.crt
-rw------- 1 root root 1354 Sep 30 17:12 /usr/local/share/ca-certificates/fabric_ca_postgresql.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca.pem
lrwxrwxrwx 1 root root 46 Sep 30 15:45 /etc/ssl/certs/fabric_ca.pem -> /usr/local/share/ca-certificates/fabric_ca.crt

(base) marco@pc:~$ ls -ltr /etc/ssl/certs/fabric_ca_postgresql.pem
lrwxrwxrwx 1 root root 57 Sep 30 17:12 /etc/ssl/certs/fabric_ca_postgresql.pem -> /usr/local/share/ca-certificates/fabric_ca_postgresql.crt


I set /etc/postgresql/11/fabmnet/pg_hba.conf in this way:


# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# Allow connections from localhost only to fabmnet_ca for postgres user clientcert
hostssl fabmnet_ca      +ssl_fabric_ca_certusers        192.168.1.0/24  cert    clientcert=1

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

PostgreSQL-client:

(base) marco@pc:~$ ls -ltr ~/.postgresql/root.crt
-rw------- 1 postgres postgres 1354 Sep 30 17:22 /home/marco/.postgresql/root.crt

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.key
-r-------- 1 postgres postgres 887 Sep 30 17:23 /home/marco/.postgresql/postgresql.key

(base) marco@pc:~$ ls -ltr ~/.postgresql/postgresql.crt
-rw-r--r-- 1 postgres postgres 1001 Sep 30 17:25 /home/marco/.postgresql/postgresql.crt

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: true
      certfiles:
      client:
        certfile: /var/lib/postgresql/11/fabmnet/server.crt
        keyfile: /var/lib/postgresql/11/fabmnet/server.key



(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:54:02 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:54:02 [INFO] Server Version: 1.4.4
2019/09/30 17:54:02 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:54:02 [INFO] The CA key and certificate already exist
2019/09/30 17:54:02 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:54:02 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:54:02 [ERROR] Error occurred initializing database: No trusted root certificates for TLS were provided
2019/09/30 17:54:02 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:54:02 [INFO] Initialization was successful

If I put in fabric-ca-server-config.yaml:

db:
  type: postgres
  datasource: host=localhost port=5433 user=postgres password=1234 dbname=fabmnet_ca sslmode=require
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
2019/09/30 17:56:22 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/30 17:56:22 [INFO] Server Version: 1.4.4
2019/09/30 17:56:22 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/30 17:56:22 [INFO] The CA key and certificate already exist
2019/09/30 17:56:22 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/30 17:56:22 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'fabmnet_ca'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'postgres'
2019/09/30 17:56:22 [WARNING] Failed to connect to database 'template1'
2019/09/30 17:56:22 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnet_ca postgres template1]. Please create one of these database before continuing
2019/09/30 17:56:22 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/30 17:56:22 [INFO] Initialization was successful

/var/log/postgresql/postgresql-11-fabmnet.log:

2019-09-30 17:56:22.760 CEST [10651] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10650] [unknown]@[unknown] LOG:  incomplete startup packet
2019-09-30 17:56:22.760 CEST [10649] [unknown]@[unknown] LOG:  incomplete startup packet

What could it mean?

Marco

On Sat, 28 Sep 2019 at 23:49 Adrian Klaver <adrian.klaver@aklaver.com> wrote:
On 9/28/19 12:07 AM, Marco Ippolito wrote:
> Hi Adrian,
>
> On Fri, 27 Sep 2019 at 21:39 Adrian Klaver
> <adrian.klaver@aklaver.com> wrote:
>
>     On 9/27/19 11:02 AM, Marco Ippolito wrote:
>      > Thank you very much Adrian.
>      > Two things:
>      >
>      > 1)
>      >   Why if I just specify through port the cluster and the host
>     connection
>      > I connect correctly with SSL,
>      >   but if I specify also the database and the user it connects it
>     doesn't
>      > use SSL connection, or at least it doesn't say it uses SSL? :
>
>
>     Can you show the contents of  pg_hba.conf file for the 11/fabmnet
>     cluster. The file will be in:
>
>     /etc/postgresql/11/fabmnet/
>
>
>
>
> /etc/postgresql/11/fabmnet/pg_hba.conf:
>
> # Database administrative login by Unix domain socket
> local   all             postgres                                peer
>
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>
> # "local" is for Unix domain socket connections only
> local   all             all                                     peer
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            md5
>
> # Allow connections from localhost only to fabmnet_ca for postgres user
> hostssl fabmnet_ca      postgres        localhost               cert
>
> # IPv6 local connections:
> host    all             all             ::1/128                 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local   replication     all                                     peer
> host    replication     all             127.0.0.1/32            md5
> host    replication     all             ::1/128                 md5
>

> fabric-ca-server-config.yaml : sslmode=require
> db:
>    type: postgres
>    datasource: host=localhost port=5433 user=postgres password=1234
> dbname=fabmnet_ca sslmode=require
>    tls:
>        enabled: false
>        certfiles:
>        client:
>          certfile:
>          keyfile:

You are not including the certs or setting tls.enabled: true. Not sure
that is the root cause at the moment.

I would try just going through psql for the time being to take the
fabric server out of the loop. Something like:

psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres
sslmode=require"

From below I am guessing you do not have the SSL certs set up properly
for the fabmnet Postgres instance (the one on port 5433) and/or on the
client. Take a look at:

https://www.postgresql.org/docs/11/libpq-ssl.html

>
>
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/28 09:00:08 [INFO] Configuration file location:
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/28 09:00:08 [INFO] Server Version: 1.4.4
> 2019/09/28 09:00:08 [INFO] Server Levels: &{Identity:2 Affiliation:1
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/28 09:00:08 [INFO] The CA key and certificate already exist
> 2019/09/28 09:00:08 [INFO] The key is stored by BCCSP provider 'SW'
> 2019/09/28 09:00:08 [INFO] The certificate is at:
> /home/marco/fabric/fabric-ca/ca-cert.pem
> 2019/09/28 09:00:08 [WARNING] Failed to connect to database 'fabmnet_ca'
> 2019/09/28 09:00:08 [ERROR] Error occurred initializing database: Failed
> to create Postgres tables: Error creating users table: pq: client
> certificates can only be checked if a root certificate store is available
> 2019/09/28 09:00:08 [INFO] Home directory for default CA:
> /home/marco/fabric/fabric-ca
> 2019/09/28 09:00:08 [INFO] Initialization was successful
>
>
> /var/log/postgresql/postgresql-11-fabmnet.log:
>
> 2019-09-28 09:00:08.634 CEST [4226] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres ERROR:  database
> "fabmnet_ca" already exists
> 2019-09-28 09:00:08.641 CEST [4227] postgres@postgres STATEMENT:  CREATE
> DATABASE fabmnet_ca
> 2019-09-28 09:00:08.644 CEST [4228] postgres@fabmnet_ca FATAL:  client
> certificates can only be checked if a root certificate store is available
> 2019-09-28 09:00:08.650 CEST [4227] postgres@postgres LOG:  could not
> receive data from client: Connection reset by peer
>


--
Adrian Klaver
adrian.klaver@aklaver.com

Re: "Failed to connect to Postgres database" : No usage specified for certificate (update)

From
Adrian Klaver
Date:
On 9/30/19 9:21 AM, Marco Ippolito wrote:
> Hi Adrian,
> important update.
> 
> After adding this to fabric-ca-server-config.yaml:
> 
> ca:
>    # Name of this CA
>    name: fabric_ca
>    # Key file (is only used to import a private key into BCCSP)
>    keyfile: /etc/ssl/private/fabric_ca.key
>    # Certificate file (default: ca-cert.pem)
>    certfile: /etc/ssl/certs/fabric_ca.pem
>    # Chain file
>    chainfile:
> 
> Now I get this message:
> 
> (base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
> 2019/09/30 18:10:41 [INFO] Configuration file location: 
> /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
> 2019/09/30 18:10:41 [INFO] Server Version: 1.4.4
> 2019/09/30 18:10:41 [INFO] Server Levels: &{Identity:2 Affiliation:1 
> Certificate:1 Credential:1 RAInfo:1 Nonce:1}
> 2019/09/30 18:10:41 [INFO] The CA key and certificate files already exist
> 2019/09/30 18:10:41 [INFO] Key file location: /etc/ssl/private/fabric_ca.key
> 2019/09/30 18:10:41 [INFO] Certificate file location: 
> /etc/ssl/certs/fabric_ca.pem
> 2019/09/30 18:10:41 [FATAL] Initialization failure: Validation of 
> certificate and key failed: Invalid certificate in file 
> '/etc/ssl/certs/fabric_ca.pem': No usage specified for certificate
> 
> This is the start of /etc/ssl/certs/fabric_ca.pem:
> 
> -----BEGIN CERTIFICATE-----
> MIIDlTCCAn2gAwIBAgIUCm243lybs0PNfAEdgbuw0chmjWkwDQYJKoZIhvcNAQEL
> 
> and this is its end:
> xNItFJulgsA1
> -----END CERTIFICATE-----
> 
> What does "No usage specified for certificate" mean?
> 

I have no idea. Per my post upstream I would test your Postgres setup 
first without bringing in the fabric server:

psql "host=localhost port=5433 dbname=fabmnet_ca user=postgres
sslmode=require"

Changing sslmode to whatever you need.



-- 
Adrian Klaver
adrian.klaver@aklaver.com