PostgreSQL
jenya7771, 2022-01-22 22:48:13

How to connect to postgresql using TLS certificate from java application?

Hello, there is a Java Spring Boot application that should connect, over a private network and using a TLS certificate, to a PostgreSQL database on another server.
The certificates are all self-signed and were made with these commands:

how to generate certificates

openssl req -sha256 -new -x509 -days 5475 -nodes -out server-ca.crt -keyout server-ca.key
openssl req -sha256 -new -nodes -subj "/CN=10.0.0.3" -out server.csr -keyout server.key
openssl x509 -req -sha256 -days 5475 -in server.csr -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt

openssl req -sha256 -new -x509 -days 5475 -nodes -out client-ca.crt -keyout client-ca.key
openssl req -sha256 -new -nodes -subj "/CN=application" -out client.csr -keyout client.key
openssl x509 -req -sha256 -days 5475 -in client.csr -CA client-ca.crt -CAkey client-ca.key -CAcreateserial -out client.crt

Then, from the client root certificate and the certificate signed by it, I created a new one:
how to assemble the client certificate

cat client-ca.key client.crt > client.full.crt

And added the certificates to the trustStore:
how to add certificates to the trustStore

keytool -keystore cacerts -alias client-full-crt -import -file client.full.crt
keytool -keystore cacerts -alias postgresql-server-crt -import -file server-ca.crt

I converted client.key to client.pk8 following the documentation:
how to create a key in PKCS#8 format

openssl pkcs8 -topk8 -inform PEM -in client.key -outform DER -out client.pk8 -v1 PBE-MD5-DES

In application.properties I write the config:
app config

spring.datasource.url=jdbc:postgresql://10.0.0.3:5432/application?ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory&sslmode=verify-full&sslcert=/etc/ssl/postgres-client/client.crt&sslkey=/etc/ssl/postgres-client/client.pk8&sslrootcert=/etc/ssl/postgres-client/server-ca.crt

spring.datasource.username=application

And I run:
start app

java -Djavax.net.ssl.trustStore=cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar backend.jar --spring.config.location=application.properties

And on startup, the error:
[screenshot of the startup error]

And from the Postgres side:
2022-01-22 19:25:34.344 UTC [324199] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert certificate unknown

Although when I try to connect via psql, everything works fine:
test via psql

psql "host=10.0.0.3 \
      user=application \
      dbname=application \
      sslmode=verify-full \
      sslrootcert=/etc/ssl/postgres-client/server-ca.crt \
      sslcert=/etc/ssl/postgres-client/client.crt \
      sslkey=/etc/ssl/postgres-client/client.key"

Also, connecting without a certificate works fine.

After many hours of work and reading a couple of dozen articles, I still could not solve this problem.
Can you tell me what is wrong, what the problem is?
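An added example, not the asker's code, of the same mutual-TLS connection driven from Java with pgjdbc's default sslfactory (LibPQFactory), which reads sslcert, sslkey and sslrootcert from the given files, followed by a query of pg_stat_ssl to confirm that the session is really encrypted and which client certificate the server saw. The host, database, user and file paths are taken from the question; the key password is an assumed placeholder, since "openssl pkcs8 -topk8 ... -v1 PBE-MD5-DES" produces an encrypted key.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class PgMutualTlsCheck {
    // Host, database and paths come from the question; the key password is a placeholder
    // (assumption: client.pk8 is encrypted, as "openssl pkcs8 -v1 PBE-MD5-DES" does).
    static final String URL = "jdbc:postgresql://10.0.0.3:5432/application";
    static final String DIR = "/etc/ssl/postgres-client/";
    static final String KEY_PASSWORD = "<client-key-password>";

    static Properties tlsProperties(String user) {
        Properties p = new Properties();
        p.setProperty("user", user);
        // verify-full: encrypt, validate the server chain against sslrootcert, check the host name
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", DIR + "server-ca.crt");
        // Client cert and key are read from files by the driver's default sslfactory
        // (LibPQFactory); sslkey must be PKCS#8 DER, sslpassword decrypts it if encrypted.
        p.setProperty("sslcert", DIR + "client.crt");
        p.setProperty("sslkey", DIR + "client.pk8");
        p.setProperty("sslpassword", KEY_PASSWORD);
        return p;
    }

    // Ask the server what this session actually negotiated, so that "connected" cannot
    // hide a plaintext session or one where no client certificate was presented.
    static String describeSession(Connection c) throws SQLException {
        String sql = "SELECT ssl, version, cipher, client_dn "
                   + "FROM pg_stat_ssl WHERE pid = pg_backend_pid()";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            if (!rs.next() || !rs.getBoolean("ssl")) {
                throw new SQLException("session is not TLS-encrypted");
            }
            String clientDn = rs.getString("client_dn"); // NULL when no client cert was sent
            if (clientDn == null) {
                throw new SQLException("server did not receive a client certificate");
            }
            return rs.getString("version") + " " + rs.getString("cipher") + " client_dn=" + clientDn;
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL, tlsProperties("application"))) {
            System.out.println(describeSession(c));
        }
    }
}
```

Run it with the pgjdbc driver on the classpath; because the certificate material is passed as driver properties rather than through the JVM trust store, no -Djavax.net.ssl.* flags are needed for this path.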
