
Connection not working with SSL enforcement enabled on PostgreSQL: wsasend: An existing connection was forcibly closed by the remote host.

Open AurimasNav opened this issue 3 years ago • 0 comments

Terraform Version

Terraform v1.1.6 provider[registry.terraform.io/cyrilgdn/postgresql] >= 1.15.0

Affected Resource(s)

  • all resources

Terraform Configuration Files

provider "postgresql" {
  host             = module.postgresql.postgresql_server.fqdn
  port             = 5432
  database         = module.postgresql.postgresql_database[0].name
  username         = "username@${module.postgresql.postgresql_server.name}"
  sslmode          = "verify-full"
  password         = "password"
  expected_version = "11.0.0"
}

resource "postgresql_role" "usera" {
  name     = "usera"
  login    = true
  roles    = ["azure_ad_user"]
  password = "password"
}

Expected Behavior

role created in postgresql

Actual Behavior

│ Error: could not start transaction: write tcp 172.16.0.4:59515->10.255.32.7:5432: wsasend: An existing connection was forcibly closed by the remote host.

Steps to Reproduce


  1. enable SSL enforcement on postgresql (on azure)
  2. configure provider with sslmode = "verify-full" or require or verify-ca
  3. terraform apply

Important Factoids

This is running on Azure. If I disable SSL enforcement on PostgreSQL and set sslmode = "disable" for the provider, then I don't get the connection error.

PostgreSQL is configured with a private endpoint.

openssl s_client -starttls postgres -connect redacted-postgresql-name.postgres.database.azure.com:5432
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 01
verify return:1
depth=0 CN = cr5.westeurope1-a.control.database.windows.net
verify return:1
---
Certificate chain
 0 s:CN = cr5.westeurope1-a.control.database.windows.net
   i:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 01
 1 s:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 01
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
subject=CN = cr5.westeurope1-a.control.database.windows.net

issuer=C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 01

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4457 bytes and written 510 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DE3600007565989DD5EC9C55892BD682FCE92EB389A6D9F37595F16F571E3F45
    Session-ID-ctx:
    Master-Key: 8661F9330481DF564EAD1DE6A12FC5560EF9CF5CAB0658D7EC7ECED349EF9F8296315492F6E7D06E34608DE65781D54F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1646295362
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=104

Connections from Azure Data Studio and from .NET code are working fine; the only problem we are experiencing is with the PostgreSQL provider.

AurimasNav, Mar 03 '22 09:03
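As an added diagnostic example (not code from the issue or from the provider): the `openssl s_client -starttls postgres` check above validates the chain but not the hostname, whereas sslmode = "verify-full" also requires the certificate to match the host that was dialed. The Go code below performs the same PostgreSQL SSLRequest upgrade and then a TLS handshake with verify-full semantics (chain against the system roots plus hostname via ServerName), so a name mismatch on the certificate the gateway presents shows up as an explicit TLS error; the hostname passed to verifyFullConfig is a placeholder.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// sslRequestCode is the PostgreSQL wire-protocol SSLRequest code (1234<<16 | 5679).
const sslRequestCode = 80877103

// postgresStartTLS sends the 8-byte SSLRequest message on an already-open
// connection and, if the server answers 'S', upgrades it to TLS using cfg.
// cfg.ServerName must be the hostname that was dialed for verify-full semantics.
func postgresStartTLS(conn net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	var req [8]byte
	binary.BigEndian.PutUint32(req[0:4], 8) // message length, including itself
	binary.BigEndian.PutUint32(req[4:8], sslRequestCode)
	if _, err := conn.Write(req[:]); err != nil {
		return nil, err
	}
	var resp [1]byte
	if _, err := io.ReadFull(conn, resp[:]); err != nil {
		return nil, err
	}
	switch resp[0] {
	case 'S': // server accepts TLS; handshake verifies chain and hostname
		tc := tls.Client(conn, cfg)
		if err := tc.Handshake(); err != nil {
			return nil, err
		}
		return tc, nil
	case 'N': // server refuses TLS; surface it instead of silently continuing in clear
		return nil, fmt.Errorf("server refused SSL (answered 'N'); do not fall back to sslmode=disable")
	default:
		return nil, fmt.Errorf("unexpected SSLRequest response %q", resp[0])
	}
}

// verifyFullConfig mirrors sslmode=verify-full: the chain is validated against
// the system roots and the leaf certificate must match host. Unlike libpq, this
// uses the OS trust store rather than ~/.postgresql/root.crt (assumption).
func verifyFullConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
}
```

Dial port 5432 with net.Dial, call postgresStartTLS(conn, verifyFullConfig(host)), and on success inspect tc.ConnectionState().PeerCertificates[0].Subject.CommonName and .DNSNames to see which names the gateway certificate actually carries.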