
Issue with connecting to PostgreSQL database by SSL certificate and key

Open ihor-lysukha opened this issue 2 years ago • 4 comments

My GCP PostgreSQL instance requires SSL for the connection. When I define sslmode, sslcert, sslkey and sslrootcert in DRIVER PROPERTIES, I get the following error:

Error connecting to database:
Connection failed:
Could not read SSL key file /opt/cloudbeaver/ssl/client/key/client-cert.key.
java.io.IOException: extra data given to DerValue constructor
	at java.base/sun.security.util.DerValue.init(DerValue.java:409)
	at java.base/sun.security.util.DerValue.<init>(DerValue.java:294)
	at java.base/sun.security.util.DerValue.<init>(DerValue.java:305)
	at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:87)
	at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:236)
	at java.base/sun.security.ssl.AbstractKeyManagerWrapper.getPrivateKey(SSLContextImpl.java:1765)
	at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:251)
	at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:206)
	at java.base/sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:90)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.choosePossession(CertificateMessage.java:1081)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:1102)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:958)
	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
	at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:1011)
	at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:874)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:41)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:571)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:168)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
	at org.postgresql.Driver.makeConnection(Driver.java:400)
	at org.postgresql.Driver.access$100(Driver.java:60)
	at org.postgresql.Driver$ConnectThread.run(Driver.java:310)
	at java.base/java.lang.Thread.run(Thread.java:829)

Certificates and the key are provided in PEM format, and the access permission of the file with the key was set to 0600 (read-write only for the owner). Could you please clarify what I should configure additionally to establish a working connection to the PostgreSQL database instance?

ihor-lysukha avatar Mar 22 '22 12:03 ihor-lysukha

As far as I can see from the issue "Can't connect to PostgreSQL via SSL" #2133, PEM certificates and the key must be converted into DER format. Am I right?

ihor-lysukha avatar Mar 22 '22 14:03 ihor-lysukha

SSL isn't supported yet. We are going to implement this feature. Thank you for your interest in CloudBeaver.

kseniiaguzeeva avatar Mar 23 '22 12:03 kseniiaguzeeva

Hi @kseniiaguzeeva. Actually, I have configured an SSL connection to the PostgreSQL instance with the help of this manual and it works. Thank you for the CloudBeaver app!

ihor-lysukha avatar Mar 23 '22 12:03 ihor-lysukha

Great). I hope the UI for SSL will make the connection process easier.

kseniiaguzeeva avatar Mar 23 '22 13:03 kseniiaguzeeva

Hi, I am also interested in this feature as my servers require ssl cert,key,ca for mariadb, mysql, postgres/cockroachdb. @ihor-lysukha can you give some insight as to how you set this up in cloudbeaver?

rsjohn avatar Mar 11 '23 00:03 rsjohn

Hi @rsjohn, in my case, this was resolved by providing SSL certificates and keys in DER format.

ihor-lysukha avatar Mar 12 '23 11:03 ihor-lysukha
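
An added example, not part of the thread and not CloudBeaver or pgjdbc code, for the resolution above: the stack trace shows the PostgreSQL JDBC driver handing the key file to a DER parser, so this sketch labels a key file as PEM, DER with trailing bytes, or a single DER value, and strips the armor from an unencrypted PKCS#8 PEM key. The function names and the sample key blob are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
def read_tlv(buf, pos=0):
    """Parse one DER header at pos; return (tag, body_start, body_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                     # long form: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, pos, pos + length

def classify_key(data):
    """Label how a private-key file is encoded, without decoding key material."""
    m = PEM_RE.search(data)
    if m:
        return "PEM (" + m.group(1).decode() + ")"
    try:
        tag, start, end = read_tlv(data)
        if tag != 0x30:
            return "not DER: outer tag is not SEQUENCE"
        if end != len(data):
            return "DER with extra data after the outer SEQUENCE"
        first_tag, _, first_end = read_tlv(data, start)
        if first_tag == 0x30:              # EncryptedPrivateKeyInfo starts with AlgorithmIdentifier
            return "DER PKCS#8 (encrypted)"
        second_tag, _, _ = read_tlv(data, first_end)
    except ValueError as exc:
        return "not DER: " + str(exc)
    return "DER PKCS#8" if second_tag == 0x30 else "DER PKCS#1/SEC1 (not PKCS#8)"

def pem_pkcs8_to_der(data):
    """Strip the armor from an unencrypted PKCS#8 PEM key and return its DER bytes."""
    m = PEM_RE.search(data)
    if not m or m.group(1) != b"PRIVATE KEY":
        raise ValueError("expected a '-----BEGIN PRIVATE KEY-----' block")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)

# Constructed sample: PKCS#8-shaped DER with an 8-byte placeholder, not a real key.
_tlv = lambda tag, body: bytes([tag, len(body)]) + body
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
SAMPLE_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _ALG + _tlv(0x04, b"\x00" * 8))
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END PRIVATE KEY-----\n"
```

A key that classifies as `PEM (RSA PRIVATE KEY)` needs rewrapping into PKCS#8 rather than armor stripping; `openssl pkcs8 -topk8 -inform PEM -outform DER` performs that conversion.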

Hi, @ihor-lysukha The SSL option is now available for establishing connections in MySQL and PostgreSQL in 23.1.4.

EvgeniaBzzz avatar Aug 07 '23 13:08 EvgeniaBzzz

> Hi, @ihor-lysukha The SSL option is now available for establishing connections in MySQL and PostgreSQL in 23.1.4.

Hi @EvgeniaBzzz , that's good news, thanks for the notification!

ihor-lysukha avatar Aug 07 '23 14:08 ihor-lysukha