Issue with SSL support in the official docker image

[AndreasMainik]

I have an issue with enabling of SSL support on postgres docker image. The host is Window 10 machine. The following configuration is used in docker-compose.yml.

version: '3.5'
services:
  postgresserver:
    image: postgres:14.5
    container_name: postgresserver 
    ports:
      - "5432:5432"
    environment:
      POSTGRES_PASSWORD: my_password
      PGPORT: 5432
      command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key -c ssl_ca_file=/var/lib/postgresql/CA.pem -c clientcert=verify-ca
    volumes:
      - "./certs/myCA.pem:/var/lib/postgresql/CA.pem"
      - "./certs/postgresserver.internal.crt:/var/lib/postgresql/server.crt"
      - "./certs/postgresserver.internal.key:/var/lib/postgresql/server.key"
    networks:
      default:
        aliases:
          - postgresserver.internal
  openssl:
    image: shamelesscookie/openssl:1.1.1
    container_name: openssl
    stdin_open: true
    tty: true
   
networks:
  default:
    name: dummy network
    driver: bridge
    ipam:
      config:
        - subnet: 172.177.0.0/16

The files server.crt, server.key contain the server certificate and the private key signed by my own CA athorities whose certificate is in CA.pem

I have tried to connect using the pre-installed psql-client from Windows PowerShell on host as follows:

& 'C:\Program Files\PostgreSQL\14\bin\psql.exe' "sslmode=require host=localhost port=5432 dbname=test"

This call have produced the following output:

psql: error: connection to server at "localhost" (::1), port 5432 failed: server does not support SSL, but SSL was required

The call without "sslmode=require" switch works like a charm.

I have also tried to use openssl from openssl container as follows:

openssl s_client -starttls postgres -connect postgresserver:5432

This call has produced the following output:

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 1 bytes and written 8 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

[wglambert]

Your command: line is indented two spaces too far. I also ran into [42] FATAL: unrecognized configuration parameter "clientcert" so I removed that, and I think the server.pem isn't necessary. Also ensure you have proper permissions on the files: server.crt is chmod 777. server.key is chown 999 and chmod 600

$ cat docker-compose.yml
version: '3.5'
services:
  postgresserver:
    image: postgres:14.5
    container_name: postgresserver
    ports:
      - "5432:5432"
    environment:
      POSTGRES_PASSWORD: my_password
      PGPORT: 5432
    command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key
    volumes:
      - ./server.crt:/var/lib/postgresql/server.crt
      - ./server.key:/var/lib/postgresql/server.key

$ ls -ln
total 12
-rw-r--r-- 1 1000 1000  444 Aug 22 16:57 docker-compose.yml
-rwxrwxrwx 1    0 1000 1939 Aug 22 16:01 server.crt
-rw------- 1  999  999 3272 Aug 22 16:00 server.key

$ docker-compose up -d
Creating network "postgres_default" with the default driver
Creating postgresserver ... done

$ docker-compose logs | tail -n 10
postgresserver    | server stopped
postgresserver    |
postgresserver    | PostgreSQL init process complete; ready for start up.
postgresserver    |
postgresserver    | 2022-08-22 16:59:21.528 UTC [1] LOG:  starting PostgreSQL 14.5 (Debian 14.5-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
postgresserver    | 2022-08-22 16:59:21.529 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
postgresserver    | 2022-08-22 16:59:21.529 UTC [1] LOG:  listening on IPv6 address "::", port 5432
postgresserver    | 2022-08-22 16:59:21.531 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgresserver    | 2022-08-22 16:59:21.535 UTC [59] LOG:  database system was shut down at 2022-08-22 16:59:21 UTC
postgresserver    | 2022-08-22 16:59:21.541 UTC [1] LOG:  database system is ready to accept connections

$ docker run -it --network=host --rm postgres bash
root@demo:/# psql "sslmode=require host=localhost user=postgres password=my_password"
psql (14.5 (Debian 14.5-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

[wglambert]

Closing assuming this is resolved