-
-
Save mrw34/c97bb03ea1054afb551886ffc8b63c3b to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| set -euo pipefail | |
| openssl req -new -text -passout pass:abcd -subj /CN=localhost -out server.req -keyout privkey.pem | |
| openssl rsa -in privkey.pem -passin pass:abcd -out server.key | |
| openssl req -x509 -in server.req -text -key server.key -out server.crt | |
| chmod 600 server.key | |
| test $(uname -s) = Linux && chown 70 server.key | |
| docker run -d --name postgres -e POSTGRES_HOST_AUTH_METHOD=trust -v "$(pwd)/server.crt:/var/lib/postgresql/server.crt:ro" -v "$(pwd)/server.key:/var/lib/postgresql/server.key:ro" postgres:12-alpine -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key | |
| sleep 1 | |
| docker run --rm -it --link postgres postgres:12-alpine psql -h postgres -U postgres |
mkdir -p postgres
docker run -d \
--name postgres \
-v $PWD/postgres:/var/lib/postgresql/data \
-v $PWD/server.crt:/var/lib/postgresql/server.crt \
-v $PWD/server.key:/var/lib/postgresql/server.key \
postgres:9-alpine \
-c ssl=on \
-c ssl_cert_file=/var/lib/postgresql/server.crt \
-c ssl_key_file=/var/lib/postgresql/server.key
Updated for PostgreSQL 11
It was so helpful.
I'm not expert in DB and I have a QQ. I am using Postgres 9.6. After executing above commands I went into my postgres container and saw the postgresql.conf is having "ssl=off" but in postmaster.opts I can see all the variables I passed ie; certs and ssl=on.
Postmaster will make my container ssl enabled even though postgresql.conf has ssl=off?
Is my postgres container still ssl enabled?
@naren-ambati: To verify that your container is SSL-enabled you try connecting with sslmode=require (see here).
Forgot to mention in my last comment, I was using ssl=off, I'm getting below errors when I'm using ssl=on.
FATAL: could not load server certificate file "/var/lib/postgresql/server.test.chain.pem": no start line
LOG: database system is shut down
There shouldn't be any issues with cert as they were automatically created. Also, just to let you know I can't change my owner and group as I don't have enough Permissions.
For your Comment on making sure ssl enabled, I went inside container and tried that but it is saying pqsl command not found. I'm getting all weird issues.
I'm getting "private key file "/var/lib/postgresql/server.key" must be owned by the database user or root"
This helped: https://stackoverflow.com/questions/55072221/deploying-postgresql-docker-with-ssl-certificate-and-key-with-volumes
I'm getting "private key file "/var/lib/postgresql/server.key" must be owned by the database user or root"
This helped: https://stackoverflow.com/questions/55072221/deploying-postgresql-docker-with-ssl-certificate-and-key-with-volumes
Thanks @yegor256 - fixed. Was due to differing file permission propagation in Docker on macOS vs Linux.
Nice gist! Currently the postgres image will exit by default if there's no password set: Error: Database is uninitialized and superuser password is not specified.
Adding -e POSTGRES_PASSWORD=mysecretpassword to the postgres command and -e PGPASSWORD=mysecretpassword to the psql command solves this.
Here's the commit that changed this behaviour: docker-library/postgres@42ce743
@epiccoolguy: Thanks! Fixed by modifying POSTGRES_HOST_AUTH_METHOD (though obviously not recommended in production...).
The vanilla/debian image already include a self-signed SSL cert, so you can do this:
docker run \
--rm \
-e POSTGRES_PASSWORD=password \
postgres:12 \
-c ssl=on \
-c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem \
-c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Thank you all for the reference 🙏
Worked great for me.
One other cosmetic detail for a docker-compose.yml configuration is to break the command into multiple lines for better legibility.
version: "3.8"
services:
postgres:
command: >
-c ssl=on
-c ssl_cert_file=/var/lib/postgresql/server.crt
-c ssl_key_file=/var/lib/postgresql/server.key
...
I also have a bash script that is a wrapper around OpenSSL and makes it easy to generate self-signed certificates (and authorities). The directions here are great, but just thought it could be useful for some others.
Just wanted to share an alternative, in case you are wanting to run TLS on PostgreSQL in production with an internal PKI. I've created a self-contained Docker image that does full certificate automation (including automated renewal) for PostgreSQL 14. See smallstep/docker-tls.
I also have a bash script that is a wrapper around OpenSSL and makes it easy to generate self-signed certificates (and authorities). The directions here are great, but just thought it could be useful for some others.
look at https://github.com/cloudflare/cfssl ;-)
I. I've created a self-contained Docker image that does full certificate automation (including automated renewal) for PostgreSQL 14. S
That's looking very well. As I unterstand, this setup needs a external PKI server, right ?
@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).
@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).
Look like cert-manager outside of k8s. Looking good.
@Istellway you are a savior. Thank you!
Are the permissions different when using debian-based image?
Are the permissions different when using debian-based image?
you found solution?
I spent an hour getting this working. I ended up moving the keys outside the data directory. If I don't do this, postgres fails to launch because the data dir is not empty. I'm guessing it is attempting to run initdb on startup. Works with 10.5.
I'm using docker-compose: