pg_basebackup with hostssl ?
I've had a quick glance through the man page for pg_basebackup but can't see any flags to set ssl.
Long story short, I've got the following in pg_hba.conf of the master:
hostssl replication all 10.0.0.0/8 md5
But the slave is complaining:
FATAL: no pg_hba.conf entry for replication connection from host "10.1.2.3", user "myrepl", no encryption
I suspect this is almost certainly because I'm using "hostssl" instead of "host".
But other than the obvious and undesirable quick-fix, how should I be calling pg_basebackup to make sure it uses encryption ?
On 2/2/22 07:48, Laura Smith wrote:
I've had a quick glance through the man page for pg_basebackup but can't see any flags to set ssl.
Long story short, I've got the following in pg_hba.conf of the master:
hostssl replication all 10.0.0.0/8 md5
But the slave is complaining:
FATAL: no pg_hba.conf entry for replication connection from host "10.1.2.3", user "myrepl", no encryption
I suspect this is almost certainly because I'm using "hostssl" instead of "host".
But other than the obvious and undesirable quick-fix, how should I be calling pg_basebackup to make sure it uses encryption ?
I am not following. pg_basebackup is a stand alone client that is not
involved in replication other than establishing a starting point from
which to later establish a replication relationship.
The error is saying that whatever instance you are pointing
pg_basebackup at does not have an entry in pg_hba.conf for the
host/user/encryption combination pg_basebackup is trying to connect as.
--
Adrian Klaver
adrian.klaver@aklaver.com
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 2nd, 2022 at 16:30, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
I am not following. pg_basebackup is a stand alone client that is not
involved in replication other than establishing a starting point from
which to later establish a replication relationship.
Indeed. And that is exactly what I am trying to do (i.e. have master, want new slave).
The error is saying that whatever instance you are pointing
pg_basebackup at does not have an entry in pg_hba.conf for the
host/user/encryption combination pg_basebackup is trying to connect as.
But it *DOES* have an entry, per my original message:
"hostssl replication all 10.0.0.0/8 md5"
And yes, that hba is loaded and live because other remote clients are happily connected to that server and thus reliant on a valid hba.conf.
The host is correct. The user is correct.
The point I am making is that pg_basebackup is connecting without encryption and I want to know how to tell it to use encryption. The docs are silent on the subject.
On 2/2/22 08:37, Laura Smith wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 2nd, 2022 at 16:30, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
I am not following. pg_basebackup is a stand alone client that is not
involved in replication other than establishing a starting point from
which to later establish a replication relationship.
Indeed. And that is exactly what I am trying to do (i.e. have master, want new slave).
The error is saying that whatever instance you are pointing
pg_basebackup at does not have an entry in pg_hba.conf for the
host/user/encryption combination pg_basebackup is trying to connect as.
But it *DOES* have an entry, per my original message:
"hostssl replication all 10.0.0.0/8 md5"
From the OP:
"
Long story short, I've got the following in pg_hba.conf of the master:
hostssl replication all 10.0.0.0/8 md5
But the slave is complaining:
FATAL: no pg_hba.conf entry for replication connection from host
"10.1.2.3", user "myrepl", no encryption
"
The error is coming from a connection to the slave which does not have
data yet, correct? Or a matching pg_hba.conf entry, it would seem.
And yes, that hba is loaded and live because other remote clients are happily connected to that server and thus reliant on a valid hba.conf.
The host is correct. The user is correct.
The point I am making is that pg_basebackup is connecting without encryption and I want to know how to tell it to use encryption. The docs are silent on the subject.
Not completely:
https://www.postgresql.org/docs/current/app-pgbasebackup.html
-d connstr
--dbname=connstr
Specifies parameters used to connect to the server, as a
<connection string>; these will override any conflicting command line
options.
The option is called --dbname for consistency with other client
applications, but because pg_basebackup doesn't connect to any
particular database in the cluster, any database name in the connection
string will be ignored.
Following the <connection string> link:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
You can use that to set sslmode.
--
Adrian Klaver
adrian.klaver@aklaver.com
On Wed, Feb 2, 2022 at 9:37 AM Laura Smith <
n5d9xq3ti233xiyif2vp@protonmail.ch> wrote:
The point I am making is that pg_basebackup is connecting without
encryption and I want to know how to tell it to use encryption. The docs
are silent on the subject.
It is a client application that talks libpq. All of them understand a
common set of environment variables:
https://www.postgresql.org/docs/current/libpq-envars.html
Many of those can also be supplied as part of the connection string. These
include SSL mode control.
The question I would ask is whether psql connects by default using ssl in
the same basic configuration. If so, then the inconsistency amounts to
pg_basebackup having an insecure default connection method while psql has a
secure one.
David J.
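Added example, not part of any message in this thread: the two replies above point to the `-d` connection string and the libpq environment variables as the place to set sslmode. The shell sketch below builds such a connection string and refuses any sslmode that could still result in a plaintext connection. The host name, certificate path and data directory are constructed values, and the helper function names are hypothetical.

```sh
#!/bin/sh
# Added example: build a libpq connection string for pg_basebackup that
# cannot end up on an unencrypted connection. All values are constructed.

# Print a conninfo string, or fail if the requested sslmode would permit
# plaintext (disable never encrypts; allow and prefer can fall back).
build_conninfo() {
    host=$1; user=$2; sslmode=$3; rootcert=${4:-}
    case $sslmode in
        require|verify-ca|verify-full) ;;
        *) echo "refusing sslmode=$sslmode: plaintext is possible" >&2
           return 1 ;;
    esac
    conninfo="host=$host user=$user sslmode=$sslmode"
    # verify-ca and verify-full check the server certificate against a CA
    # file; without sslrootcert libpq looks for ~/.postgresql/root.crt.
    if [ -n "$rootcert" ]; then
        conninfo="$conninfo sslrootcert=$rootcert"
    fi
    printf '%s\n' "$conninfo"
}

# Print the pg_basebackup command line (dry run); set RUN=1 to execute it.
# -D target data directory, -R write standby settings,
# -X stream WAL while copying, -P show progress.
basebackup_cmd() {
    conninfo=$(build_conninfo "$1" "$2" "$3" "${5:-}") || return 1
    pgdata=$4
    if [ "${RUN:-0}" = 1 ]; then
        pg_basebackup -d "$conninfo" -D "$pgdata" -R -X stream -P
    else
        printf 'pg_basebackup -d "%s" -D %s -R -X stream -P\n' \
            "$conninfo" "$pgdata"
    fi
}

# Dry run with constructed values (host, paths and CA file are assumptions).
basebackup_cmd primary.example.internal myrepl verify-full \
    /var/lib/postgresql/standby /etc/ssl/certs/pg-root.crt

# Environment-variable form of the same setting, read by every libpq client:
#   PGSSLMODE=require pg_basebackup -h primary.example.internal \
#       -U myrepl -D /var/lib/postgresql/standby -R
```

With `sslmode=require` or stronger the client never attempts an unencrypted connection, so the connection can match a `hostssl` line in pg_hba.conf.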
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 2nd, 2022 at 16:50, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
Not completely:
https://www.postgresql.org/docs/current/app-pgbasebackup.html
-d connstr
--dbname=connstr
Specifies parameters used to connect to the server, as a
<connection string>; these will override any conflicting command line
options.
The option is called --dbname for consistency with other client
applications, but because pg_basebackup doesn't connect to any
particular database in the cluster, any database name in the connection
string will be ignored.
Seems like I was looking for the wrong words on the right page !
Thanks, will try that.
On 2/2/22 09:18, Laura Smith wrote:
Seems like I was looking for the wrong words on the right page !
Thanks, will try that.
Before you do that I would establish that you are connecting to the
correct Postgres instance.
--
Adrian Klaver
adrian.klaver@aklaver.com
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 2nd, 2022 at 17:20, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
Before you do that I would establish that you are connecting to the
correct Postgres instance.
Good news, all up and running !
The new "postgresql.auto.conf" automagic is pure awesome. ;-)