
I'm trying to set up pgbouncer to require a TLS/SSL connection from the applications connecting to it, but it throws an error "FATAL TLS setup failed: failed to load CA"

This is my pgbouncer.ini:

  [databases]
  * = host=${postgres_host} port=5432
  [pgbouncer]
  # Do not change these settings:
  listen_addr = 0.0.0.0
  auth_file = /etc/pgbouncer/userlist.txt
  auth_type = trust

  client_tls_sslmode = require
  client_tls_key_file = /etc/pgbouncer/server.key
  client_tls_cert_file = /etc/pgbouncer/server.crt

  server_tls_sslmode = verify-ca
  server_tls_ca_file = /etc/root.crt.pem
  
  # These are defaults and can be configured
  # please leave them as defaults if you are
  # uncertain.
  listen_port = 5432
  unix_socket_dir =
  user = postgres
  pool_mode = transaction
  max_client_conn = 100
  ignore_startup_parameters = extra_float_digits
  admin_users = postgres
  # Please add any additional settings below this line

but when I run it, it throws this error, which doesn't seem correct since a CA root file is not needed.

FATAL TLS setup failed: failed to load CA: No such file or directory

P.S. It also threw the error before I had server_tls_sslmode = verify-ca

  • Assuming that the certificate files do exist: does the application user have permission to access the files? – Jim Jones Dec 12 '22 at 14:12
  • yes, they have the right permission and are in the /etc/pgbouncer folder – Domenico Dec 12 '22 at 14:48
  • I can't reproduce this error message with those settings. What version of pgbouncer are you using? Can you reproduce this error with the exact ini file you have shown us? – jjanes Dec 12 '22 at 16:39
  • yes, that's the exact one I'm using. There might be something different with the Microsoft docker image I'm using perhaps: mcr.microsoft.com/azure-oss-db-tools/pgbouncer-sidecar. This image is using pgbouncer v 1.13 – Domenico Dec 12 '22 at 16:46
  • Apparently it wants a client_tls_ca_file, even though I agree it shouldn't need one (and doesn't want one in my hands--but I can't get that docker image to do anything so I am using a different one). Try providing one and see what happens. Just point it at /etc/root.crt.pem if you don't have any better ideas. – jjanes Dec 12 '22 at 19:24
  • thank you @jjanes for your help, turns out it was the image's fault. I updated terraform to use bitnami/pgbouncer and set that up the same way and it works flawlessly – Domenico Dec 15 '22 at 10:24
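
The questions raised above (do the files exist, are they readable, and which `*_tls_*` options actually require which files) can be checked before starting pgbouncer. The following checker is an added example, not code from the question or from the pgbouncer project. It parses a pgbouncer.ini and applies the file requirements as the pgbouncer documentation states them: any `client_tls_sslmode` other than `disable` needs `client_tls_key_file` and `client_tls_cert_file`, and the `verify-ca`/`verify-full` modes on either side also need the matching `*_tls_ca_file`. The sample ini is constructed after the one in the question, and the `exists`/`readable` parameters are assumptions introduced so the checks can be exercised without the real files present; note that `os.access` tests the current process's user, not the `user = postgres` account pgbouncer switches to after startup.

```python
import configparser
import os
import textwrap

# Constructed sample modelled on the pgbouncer.ini in the question (not the poster's file verbatim).
SAMPLE_INI = textwrap.dedent("""\
    [databases]
    * = host=${postgres_host} port=5432

    [pgbouncer]
    listen_addr = 0.0.0.0
    auth_file = /etc/pgbouncer/userlist.txt
    auth_type = trust

    client_tls_sslmode = require
    client_tls_key_file = /etc/pgbouncer/server.key
    client_tls_cert_file = /etc/pgbouncer/server.crt

    server_tls_sslmode = verify-ca
    server_tls_ca_file = /etc/root.crt.pem
    """)

# Modes in which pgbouncer validates the peer certificate against a CA file.
VERIFY_MODES = ("verify-ca", "verify-full")


def check_tls_settings(ini_text, exists=os.path.exists,
                       readable=lambda p: os.access(p, os.R_OK)):
    """Parse a pgbouncer.ini and return a list of TLS file-related findings.

    Rules follow the pgbouncer documentation: a client_tls_sslmode other
    than 'disable' needs client_tls_key_file and client_tls_cert_file; the
    verify-* modes on either side also need the matching *_tls_ca_file.
    `exists` and `readable` are injectable (assumed helper parameters) so
    the rules can be tested without the files being present on this host.
    """
    # interpolation=None keeps values such as ${postgres_host} untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    pgb = cp["pgbouncer"]
    findings = []

    def require_file(option):
        path = pgb.get(option, "").strip()
        if not path:
            findings.append(f"{option} is not set")
        elif not exists(path):
            findings.append(f"{option}: {path} does not exist")
        elif not readable(path):
            findings.append(f"{option}: {path} is not readable")

    client_mode = pgb.get("client_tls_sslmode", "disable").strip()
    if client_mode != "disable":
        # Key and certificate are needed to terminate TLS from applications.
        require_file("client_tls_key_file")
        require_file("client_tls_cert_file")
        if client_mode in VERIFY_MODES:
            # Only needed when pgbouncer must verify client certificates.
            require_file("client_tls_ca_file")

    server_mode = pgb.get("server_tls_sslmode", "disable").strip()
    if server_mode in VERIFY_MODES:
        # Only needed when pgbouncer must verify the PostgreSQL server's cert.
        require_file("server_tls_ca_file")

    return findings


if __name__ == "__main__":
    # Run against the sample with the real filesystem; on a host without the
    # files this reports exactly which paths pgbouncer would fail to open.
    for finding in check_tls_settings(SAMPLE_INI) or ["no TLS file problems found"]:
        print(finding)
```

With the sample settings and a missing `/etc/root.crt.pem`, the checker reports only `server_tls_ca_file`, which is the documented requirement; the image in the question apparently also demanded a `client_tls_ca_file` with `client_tls_sslmode = require`, which these rules do not expect and which the thread resolved by switching images.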
