
Before involving PgBouncer between my application and PostgreSQL, the pg_hba.conf is like this (the reason I configure this is to skip the password typing and not store the database password in plaintext):

hostssl user db 0.0.0.0/0 cert clientcert=1

I verified the connection via a connection string and it worked fine (it navigates to the psql prompt without typing a password):

psql "host=<database server> dbname=<databasename> user=<user> sslmode=verify-full sslcert=/path/to/client.crt sslrootcert=/path/to/ca.crt sslkey=/path/to/client.key"

Afterwards, I put PgBouncer between the application and the database; the pgbouncer.ini is like this:

auth_type = cert
server_tls_sslmode = verify-full
server_tls_ca_file = /path/to/ca.crt
server_tls_key_file = /path/to/server.key
server_tls_cert_file = /path/to/server.crt

client_tls_sslmode = verify-full
client_tls_ca_file = /path/to/ca.crt
client_tls_key_file = /path/to/client.key
clinet_tls_cert_file = /path/to/clinet.crt

It began complaining:

psql: error: FATAL: certificate authentication failed

Since both PostgreSQL and PgBouncer are running on the same server, the server-related certs are the same for both PgBouncer and PostgreSQL.

Did I misconfigure something?

Thanks in advance.

joker57
  • You have shown the error message from psql. What is the error message written into pgbouncer's log? Written into the real server's log (if any)? – jjanes Apr 11 '22 at 17:26
  • Your certs appear to be backwards (as well as misspelled for one case). client_tls_cert_file is the cert to be used when pgbouncer is dealing with the client i.e. acting as the server. While server_tls_cert_file is for dealing with the real server, e.g. acting as the client. – jjanes Apr 11 '22 at 17:40
  • Thanks @jjanes for the tips, once I switched the certs, it is working now. – joker57 Apr 12 '22 at 06:35
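The corrected layout that jjanes describes in the comments, written out as an added example (not from the original post; the file paths are the question's own placeholders). In pgbouncer.ini the client_tls_* keys configure the side facing the application, where PgBouncer acts as the TLS server, and the server_tls_* keys configure the side facing PostgreSQL, where PgBouncer acts as the TLS client:

```ini
[pgbouncer]
; Side facing the application: PgBouncer is the TLS server here, so it
; presents the server certificate and verifies the application's client
; certificate against the CA. With auth_type = cert the user name is taken
; from the CN of that client certificate, and client_tls_sslmode must be
; verify-ca or verify-full for the certificate to be checked at all.
auth_type = cert
client_tls_sslmode = verify-full
client_tls_ca_file = /path/to/ca.crt
client_tls_key_file = /path/to/server.key
client_tls_cert_file = /path/to/server.crt

; Side facing PostgreSQL: PgBouncer is the TLS client here, so it presents
; the client certificate that the "cert" method in pg_hba.conf checks.
; PostgreSQL's cert method expects the certificate CN to match the database
; user PgBouncer connects as (unless a username map is configured).
server_tls_sslmode = verify-full
server_tls_ca_file = /path/to/ca.crt
server_tls_key_file = /path/to/client.key
server_tls_cert_file = /path/to/client.crt
```

Because PgBouncer presents a single client certificate to PostgreSQL, every pooled connection authenticates to the database as the user named in that certificate's CN; per-application identity is enforced only on the client_tls side.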
