Bug #20079

Foreman does not verify CA on postgres DB connections with SSL

Added by Martin Bacovsky 10 months ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Assigned To: Martin Bacovsky
Category: Foreman modules
Target version: Foreman - Team Ivan Iteration 16
Difficulty:
Bugzilla link: 1052713
Found in release: nightly
Pull request: https://github.com/theforeman/puppet-foreman/pull/571
Story points: -
Velocity based estimate: -
Release: 1.16.0
Release relationship: Auto

Description

The default sslmode is 'prefer', which allows an SSL connection to the DB server, but the CA of the DB server is not verified.

When using --foreman-db-sslmode 'verify-full' to enforce CA cert verification, there is no way to configure the root cert for the connection.
System CA trust is not supported by libpq, and the cert is expected at '/usr/share/foreman/.postgresql/root.crt'.

Add an installer option to set up the root cert, and consider whether 'prefer' is the right and secure default option.


Related issues

Related to Foreman - Bug #22940: foreman-installer does create /usr/share/foreman/.postgre... New 03/20/2018
Blocks Katello - Feature #19667: Need additional supported database deployment options for... Closed 05/25/2017

Associated revisions

Revision a8297636
Added by Martin Bacovsky 10 months ago

Fixes #20079 - SSL secured and verified PGSQL connection

To set up the DB with SSL and verification, use the params:
db_sslmode => 'verify-full',
db_root_cert => 'ca_bundle.pem'

The default DB sslmode is 'prefer' - non-verified SSL with fallback to
non-SSL. To use an SSL secured connection with CA verification, sslmode
needs to be set to either 'verify-ca' or 'verify-full'. The underlying libpq
uses the DB root cert stored at '~/.postgresql/root.crt', which in the case of
Foreman is '/usr/share/foreman/.postgresql/root.crt'. There is no way to
set up a different path (besides using env vars). System CA trust is not
supported. The cert needs to be a real file, as links are not allowed either.

For more details see SSL support in libpq:
https://www.postgresql.org/docs/9.2/static/libpq-ssl.html
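The constraints above (only 'verify-ca' / 'verify-full' verify the server CA, and libpq then needs the root cert as a real file at a fixed path) can be checked before a deployment goes live. The following is an added audit script, not code from puppet-foreman or the linked commit; the `audit_db_ssl` and `demo` names, the constructed certificate text and the temporary directory are assumptions for the example.

```python
import os
import tempfile

# Path libpq reads the root cert from when running as the foreman user (from the issue).
FOREMAN_ROOT_CRT = "/usr/share/foreman/.postgresql/root.crt"
# Only these libpq sslmode values verify the server certificate against a CA.
VERIFYING_MODES = ("verify-ca", "verify-full")


def audit_db_ssl(sslmode, root_crt=FOREMAN_ROOT_CRT):
    """Return a list of findings; an empty list means the DB link is CA-verified."""
    findings = []
    if sslmode not in VERIFYING_MODES:
        findings.append(f"sslmode '{sslmode}' does not verify the server CA")
        if sslmode in ("disable", "allow", "prefer"):
            findings.append("connection may end up unencrypted (no SSL or non-SSL fallback)")
        return findings
    # verify-ca / verify-full: libpq needs the root cert at its fixed path,
    # and the issue states it must be a regular file, not a symlink.
    if not os.path.lexists(root_crt):
        findings.append(f"root cert missing at {root_crt}; libpq will refuse to connect")
    elif os.path.islink(root_crt):
        findings.append(f"{root_crt} is a symlink; links are not accepted for the root cert")
    elif not os.path.isfile(root_crt):
        findings.append(f"{root_crt} is not a regular file")
    return findings


def demo():
    """Run the audit against a constructed temp dir: one real cert file, one symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "root.crt")
        with open(real, "w") as f:
            # Constructed placeholder, not a real certificate.
            f.write("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        link = os.path.join(tmp, "link.crt")
        os.symlink(real, link)
        return {
            "default": audit_db_ssl("prefer", real),
            "verified": audit_db_ssl("verify-full", real),
            "symlink": audit_db_ssl("verify-full", link),
            "missing": audit_db_ssl("verify-full", os.path.join(tmp, "absent.crt")),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not result else result)
```

Run it as the user that owns the Foreman database config, pointing `audit_db_ssl` at the sslmode and root cert path actually set by the installer.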

History

#1 Updated by Martin Bacovsky 10 months ago

  • Blocks Feature #19667: Need additional supported database deployment options for Katello installation: such as External Postgres added

#2 Updated by Martin Bacovsky 10 months ago

  • Project changed from Katello to Installer
  • Category changed from Installer to Foreman modules
  • Found in release set to nightly

#3 Updated by Martin Bacovsky 10 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Ales Dujicek about 1 month ago

  • Related to Bug #22940: foreman-installer does create /usr/share/foreman/.postgresql/root.crt added
