[Bug]: SSL Validation Error with Diversity - Postgresql starting 2.0.0 #2282
Comments
@cambrosch I think this comes from new SSL requirements in
Can you try setting
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
That sadly doesn't work. I can't add it via DOCKER_VERNEMQ_VMQ_DIVERSITY__POSTGRES__CAFILE, as that throws an error generating the config with cuttlefish, and I also can't manually override the config file in the docker container. I tried that in several configurations, but if I change it manually, as soon as I restart vernemq it gets overridden, and if I mount a drive to save the config file, it wipes the docker container and refuses to work for one reason or another. That's a separate issue, but probably not one I can quickly fix :/
I think you can mount a
@cambrosch do you see the Cuttlefish config error printed to your console when you run the Docker image in the foreground?
@cambrosch are you able to attach to the container and run
Sadly, the container immediately crashes upon getting this message, so I cannot attach a console :/
I just tested this with a
Ah, I messed that up. I had /etc/ssl mounted for the MQTT TLS certs, so /etc/ssl/certs/ca-certificates.crt didn't even exist. I re-created that now, and now the config at least boots again. Alas, now I'm on to a new error:
Argh, now it's a verification error (the client tries to verify the peer), on the level of Erlang SSL. Need to research this but cannot do it immediately. Maybe also some sort of wildcard server name is the issue.
I'm now suspecting this is the same as #1485 that we had to fix in the MQTT bridge. Are those wildcard certs?
@cambrosch are you still looking into this? Is the public cert of the Postgres server a wildcard cert? https://en.wikipedia.org/wiki/Wildcard_certificate
The certificate is using Common Name: removedhash.database.azure.com
Also:
We'll need to bite the bullet and implement more options for all plugins that need outgoing SSL. Those are:
The reason is that OTP 26 defaults to
@cambrosch one thing I wonder though: what happens when you set the postgres host to an IP address instead of a name (if that's possible for your Azure env)?
EDIT: just to be clear: it's of course not a bad thing to harden requirements with
@ioolkos: I can reproduce this. Azure DB with default Microsoft certificates fails as described. Using an IP didn't make any difference.
@mths1 Thanks for testing!
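Added example (not VerneMQ or vmq_diversity code) of what "more options for outgoing SSL" looks like at the Erlang ssl level: an explicit option list that supplies trust anchors, sends SNI, and switches the hostname check to the HTTPS matching rules so a wildcard certificate is accepted for a single-label host. OTP 26 changed the client default to `{verify, verify_peer}`, so a client that passes no `cacertfile`/`cacerts` fails the handshake instead of silently skipping verification. The module name, the `CAFile` path and the PostgreSQL `SSLRequest` upgrade wrapper are assumptions for illustration; PostgreSQL negotiates TLS only after that request, so a bare `ssl:connect/3` to port 5432 would not work.

```erlang
-module(pg_tls_example).
-export([client_opts/2, connect/3]).

%% Hypothetical helper: explicit TLS client options for an outgoing
%% connection to a PostgreSQL server named Host, trusting the CAs in CAFile
%% (e.g. "/etc/ssl/certs/ca-certificates.crt").
client_opts(Host, CAFile) ->
    [{verify, verify_peer},                 % default on OTP 26, explicit here
     {cacertfile, CAFile},                  % or {cacerts, public_key:cacerts_get()}
     {depth, 3},                            % allow a 3-level chain (Azure uses intermediates)
     {server_name_indication, Host},        % send SNI and verify the cert against Host
     %% Use the HTTPS hostname match function so a wildcard certificate
     %% (e.g. *.database.azure.com) matches one label of Host.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
     {versions, ['tlsv1.2', 'tlsv1.3']}].

%% Open a TCP socket, send the PostgreSQL SSLRequest message and, if the
%% server answers "S", upgrade the socket to TLS with the options above.
connect(Host, Port, CAFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Tcp} = gen_tcp:connect(Host, Port,
                                [binary, {packet, raw}, {active, false}], 5000),
    %% SSLRequest: int32 length (8) followed by the protocol code 1234.5679
    ok = gen_tcp:send(Tcp, <<8:32, 1234:16, 5679:16>>),
    case gen_tcp:recv(Tcp, 1, 5000) of
        {ok, <<"S">>} ->
            %% Verification failures surface here as {error, {tls_alert, _}}
            ssl:connect(Tcp, client_opts(Host, CAFile), 5000);
        {ok, <<"N">>} ->
            gen_tcp:close(Tcp),
            {error, server_refused_ssl};
        Other ->
            gen_tcp:close(Tcp),
            Other
    end.
```

With `{verify, verify_peer}` and no `cacertfile`, the same call fails with a TLS alert on OTP 26, which is the symptom reported above; with the CA file but without `customize_hostname_check`, a wildcard server certificate still fails the hostname check, which is the bridge fix referenced as #1485.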
Environment
Current Behavior
Running exactly the same docker parameters as with 1.13.0, after upgrading to 2.0.0, vmq_diversity cannot connect to our PostgreSQL server via SSL (hosted in Azure); see the error in the log.
A downgrade back to 1.13.0 with the same parameters fixed the issue. Validating the certificate chain using pgAdmin (mode: verify-full) showed no issues with SSL.
Expected behaviour
Connecting to this sql server should not result in a validation error.
Configuration, logs, error output, etc.
Postgres-related docker environment parameters:
Postgresql server is set to:
min SSL version: TLS 1.2
max SSL version: TLS 1.3