@mrw34
Last active October 16, 2024 22:51
Enabling SSL for PostgreSQL in Docker
#!/bin/bash
set -euo pipefail
# Create a certificate request plus a passphrase-protected key for CN=localhost (the passphrase is throwaway)
openssl req -new -text -passout pass:abcd -subj /CN=localhost -out server.req -keyout privkey.pem
# Strip the passphrase so the server can load the key without a prompt
openssl rsa -in privkey.pem -passin pass:abcd -out server.key
# Self-sign the request to produce the server certificate
openssl req -x509 -in server.req -text -key server.key -out server.crt
# PostgreSQL refuses a key readable by others; 70 is the postgres uid in the alpine image (the debian-based image uses uid 999)
chmod 600 server.key
test $(uname -s) = Linux && chown 70 server.key
# POSTGRES_HOST_AUTH_METHOD=trust skips password checks entirely, so keep this to a local test setup
docker run -d --name postgres -e POSTGRES_HOST_AUTH_METHOD=trust -v "$(pwd)/server.crt:/var/lib/postgresql/server.crt:ro" -v "$(pwd)/server.key:/var/lib/postgresql/server.key:ro" postgres:12-alpine -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key
sleep 1
# Connect over the container link; psql uses SSL when the server offers it (libpq defaults to sslmode=prefer)
docker run --rm -it --link postgres postgres:12-alpine psql -h postgres -U postgres
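An added check, not part of the gist, that confirms the server really negotiates TLS after ssl=on: it sends the PostgreSQL SSLRequest message itself, so it needs no psql. It assumes the container's port 5432 has been published to localhost (for example with -p 5432:5432, which the gist's docker run command does not do).

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by the magic code 80877103
# (1234 in the high 16 bits, 5679 in the low 16 bits).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest message that opens a TLS negotiation."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """Interpret the server's one-byte answer: b'S' = SSL accepted, b'N' = refused."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def check_server_ssl(host: str = "localhost", port: int = 5432, timeout: float = 5.0):
    """Probe a PostgreSQL server and return (ssl_accepted, tls_version, cipher_name).

    Certificate verification is deliberately off: the gist's self-signed certificate
    is in no trust store, and the point here is only to prove that ssl=on took effect.
    Host and port are assumptions (a container with 5432 published to localhost).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not parse_ssl_response(sock.recv(1)):
            return (False, None, None)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return (True, tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    print(check_server_ssl())
```

A server started with ssl=off answers b'N' and the probe returns (False, None, None); from inside psql the same fact can be read with SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();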
@suikast42

I also have a bash script that is a wrapper around OpenSSL and makes it easy to generate self-signed certificates (and authorities). The directions here are great, but just thought it could be useful for some others.

look at https://github.com/cloudflare/cfssl ;-)

@suikast42

I've created a self-contained Docker image that does full certificate automation (including automated renewal) for PostgreSQL 14.

That's looking very good. As I understand it, this setup needs an external PKI server, right?

@tashian

tashian commented Nov 11, 2021

@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).

@suikast42

@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).

Looks like cert-manager outside of k8s. Looking good.

@codeninja

@Istellway you are a savior. Thank you!


@MahmoudMousaHamad

Are the permissions different when using debian-based image?

@Aaqu

Aaqu commented Jan 27, 2024

Are the permissions different when using debian-based image?

Did you find a solution?
