7

I have a Postgres Docker image that I am using, and I am enabling SSL on it. I want it to use verify-full because I have a root.crt and want to make sure all the certs that can use SSL are verified. So, in my docker-compose file, I have mounted my server.crt and server.key to /var/ssl and my root.crt to /root/.postgresql.

    volumes:
      - ~/server_certs:/var/ssl
      - ~/root_certs:/root/.postgresql

and the error I get is:

ERROR [2018-07-10 20:28:24,355] org.apache.tomcat.jdbc.pool.ConnectionPool: Unable to create initial connections of pool.
! java.io.FileNotFoundException: /root/.postgresql/root.crt (No such file or directory)
! at java.io.FileInputStream.open0(Native Method)
! at java.io.FileInputStream.open(FileInputStream.java:195)
! at java.io.FileInputStream.<init>(FileInputStream.java:138)
! at java.io.FileInputStream.<init>(FileInputStream.java:93)
! at org.postgresql.ssl.jdbc4.LibPQFactory.<init>(LibPQFactory.java:124)
! ... 32 common frames omitted
! Causing: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.

Any help with getting Postgres to find the root.crt would be greatly appreciated (Postgres 10, btw).

Pravan Kalaga

1 Answer

16

As a workaround, you can add sslmode=require (no certificate validation!) or sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory (validate certificate using JRE trust store) to your JDBC URL.

This behavior and the mentioned workaround are described in https://github.com/pgjdbc/pgjdbc/issues/1307

mkobel
This is the right answer. The PG JDBC docs don't cover this well. I loaded the certs into the cacerts keystore and wondered why I got this error. Switching the sslfactory was the fix. Thank you. – Ryan J. McDonough Jul 11 '23 at 14:09
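
An added example (not from the original question, answer, or comment): a client-side pre-flight check in Java for the verify-full setup the question is aiming at. The stack trace shows the JDBC driver (`LibPQFactory`) opening `root.crt`, so the file must be readable where the client application runs. The host name, database name, default user, and certificate path below are hypothetical, and `sslrootcert` is pgjdbc's connection parameter for naming an explicit CA file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class PgSslPreflight {
    // Hypothetical values for illustration; replace with your own.
    static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";
    static final Path DEFAULT_ROOT_CERT = Paths.get("/etc/app/pg/root.crt");

    /** Parses the CA file on the client side so a bad mount fails early with a clear message. */
    static X509Certificate loadRootCert(Path p) throws Exception {
        if (!Files.isReadable(p)) {
            throw new IllegalStateException("root cert not readable by the JDBC client process: " + p);
        }
        try (InputStream in = Files.newInputStream(p)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** verify-full: validate the server chain against rootCert and match the host name. */
    static Properties verifyFullProps(Path rootCert) {
        Properties props = new Properties();
        props.setProperty("sslmode", "verify-full");
        props.setProperty("sslrootcert", rootCert.toString()); // explicit path, no home-directory lookup
        return props;
    }

    public static void main(String[] args) throws Exception {
        Path rootCert = args.length > 0 ? Paths.get(args[0]) : DEFAULT_ROOT_CERT;
        X509Certificate ca = loadRootCert(rootCert);
        System.out.println("CA subject: " + ca.getSubjectX500Principal());
        System.out.println("CA expires: " + ca.getNotAfter());

        Properties props = verifyFullProps(rootCert);
        props.setProperty("user", System.getenv().getOrDefault("PGUSER", "app"));
        props.setProperty("password", System.getenv().getOrDefault("PGPASSWORD", ""));
        // Requires the pgjdbc driver on the classpath and a reachable server.
        try (Connection c = DriverManager.getConnection(URL, props)) {
            System.out.println("TLS connection verified against " + rootCert);
        }
    }
}
```

Unlike `sslmode=require`, which the answer notes performs no certificate validation, this keeps chain and host name verification while removing the dependency on a default file location.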