<div dir="ltr">Tatsuo,<div><br></div><div style>Thanks for your interest. Unfortunately I still get the same result. Relevant config files are:<br><br>pgpool.conf:<br><div>ssl = on</div><div>ssl_key = './server.key'<br>
</div><div>ssl_cert = './server.crt'<br></div><div><br></div><div style>key and cert made by running (as postgres user): <br><div> openssl req -new -text -out server.req (filling out with simple passphrase, and local hostname as name)</div>
<div> openssl rsa -in privkey.pem -out server.key</div><div> rm privkey.pem </div><div> openssl req -x509 -in server.req -text -key server.key -out server.crt</div><div> chmod og-rwx server.key</div></div><div style>
<br></div> server.req and server.crt copied to /etc/pgpool-II and chowned to postgres:postgres<br><br>pool_hba.conf:</div><div style><div>host all all <a href="http://127.0.0.1/32">127.0.0.1/32</a> md5</div>
<div>host all all ::1/128 md5<br></div><div><br></div><div style>pool_passwd updated with postgres user and hash</div><div style><br></div><div style><br></div><div style>pg_hba.conf on server:<br>
hostssl all all <a href="http://192.168.10.0/24">192.168.10.0/24</a> md5<br></div><div style><br></div><div style><br></div><div style>I start pgpool, and there are no warnings in log even with debug set to 4. When I try to connect from localhost (on pgpool machine) I get<br>
<div><br></div><div> psql template1 -h localhost -p9999</div><div> psql: could not connect to server: Connection refused</div><div> Is the server running on host "localhost" (::1) and accepting</div><div>
TCP/IP connections on port 9999?</div><div style>or</div><div style><br></div><div><div> psql template1 -h 127.0.0.1 -p9999</div><div> psql:</div></div><div style>(the console just echoes 'psql' and returns)</div>
<div style><br></div><div style>pgpool.log shows</div><div style><div>2014-05-05 11:49:55 LOG: pid 4474: connection received: host=pgpoolhost port=36970</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: Protocol Major: 1234 Minor: 5679 database: user: </div>
<div>2014-05-05 11:49:55 DEBUG: pid 4474: SSLRequest from client</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: pool_ssl: SSL requested but SSL support is not available</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: read_startup_packet: application_name: psql</div>
<div>2014-05-05 11:49:55 DEBUG: pid 4474: Protocol Major: 3 Minor: 0 database: template1 user: postgres</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: new_connection: connecting 0 backend</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: new_connection: connecting 1 backend</div>
<div>2014-05-05 11:49:55 DEBUG: pid 4474: new_connection: skipping slot 1 because backend_status = 1</div><div>2014-05-05 11:49:55 DEBUG: pid 4474: pool_ssl: SSL requested but SSL support is not available</div><div>2014-05-05 11:49:55 LOG: pid 4474: pool_do_auth: maybe protocol version mismatch (current version 3)</div>
<div>2014-05-05 11:49:55 DEBUG: pid 4474: pool_read_string: read all from pending data. po:1 len:148</div><div><br></div></div><div><br></div></div><div style>Everything works fine when ssl is set to "off" and hostssl is changed to 'host' in pg_hba.conf. <br>
</div><div style><br></div><div style>And SSL connections work fine with identical config files when I use locally-compiled pgpool with ./configure --prefix=/usr --with-openssl --with-pgsql=/usr/pgsql-9.3</div><div><br></div>
Is there anything else I can do to further debug this?<br><br>Thanks,</div><div style><br></div><div style>Rick Morris</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, May 4, 2014 at 7:11 AM, Tatsuo Ishii <span dir="ltr"><<a href="mailto:ishii@postgresql.org" target="_blank">ishii@postgresql.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Rick,<br>
<div class=""><br>
> On more inspection, it appears that even though the pgpool RPM was linked<br>
> to the SSL library when compiled, the --with-openssl directive was not<br>
> enabled. I compiled pgpool from source with the openssl directive, and now<br>
> have no problem with SSL connections.<br>
><br>
> In the future, I hope the PgPool team will consider releasing an<br>
> SSL-enabled RPM for download, as it makes widespread deployment of PgPool<br>
> much easier in an enterprise.<br>
<br>
</div>Sorry for the inconvenience. I have uploaded SSL-enabled RPM.<br>
<br>
<a href="http://www.pgpool.net/mediawiki/index.php/Downloads" target="_blank">http://www.pgpool.net/mediawiki/index.php/Downloads</a><br>
<br>
pgpool-II-pg93-3.3.3-2.pgdg.x86_64.rpm<br>
pgpool-II-pg93-devel-3.3.3-2.pgdg.x86_64.rpm<br>
pgpool-II-pg93-3.3.3-2.pgdg.src.rpm<br>
<br>
Please try.<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese: <a href="http://www.sraoss.co.jp" target="_blank">http://www.sraoss.co.jp</a><br>
<div><div class="h5"><br>
> Best regards,<br>
><br>
> Rick Morris<br>
><br>
><br>
> On Thu, May 1, 2014 at 4:12 PM, Rick Morris <<a href="mailto:rmorris@kss-inc.com">rmorris@kss-inc.com</a>> wrote:<br>
><br>
>> Hi All,<br>
>><br>
>> I can't get PgPool to support SSL connections, even though I follow the<br>
>> documented steps perfectly.<br>
>><br>
>> Scenario: 2 PostgreSQL servers with streaming replication (primary -><br>
>> standby), PgPool in load-balancing mode. Everything works fine with non-SSL<br>
>> connections.<br>
>><br>
>> 1. In the case of requiring SSL connections from the Postgres servers,<br>
>> connection attempts just fail with "pool_do_auth: maybe protocol version<br>
>> mismatch (current version 3)" while on the server side I see<br>
>><br>
>> "FATAL: no pg_hba.conf entry for host "192.168.10.10", user "postgres",<br>
>> database "template1", SSL off"<br>
>> (connection set to hostssl in pg_hba.conf).<br>
>><br>
>><br>
>> 2. In the case of enabling local SSL connections to PgPool, I configure<br>
>> pgpool.conf with<br>
>><br>
>> ssl = true<br>
>> ssl_key = '/etc/pgpool-II/server.key'<br>
>> ssl_cert = '/etc/pgpool-II/server.crt'<br>
>> (with self-signed cert, same as in the Postgres servers)<br>
>><br>
>> And when I connect locally to PgPool, the log shows<br>
>><br>
>> "pool_ssl: SSL requested but SSL support is not available"<br>
>><br>
>> And when I turn on debugging (set to 1 or 2 in pgpool.conf) I do not see<br>
>> SSL mentioned in the reported config keys during startup.<br>
>><br>
>><br>
>> System: Centos 6.5,<br>
>><br>
>> Installed binaries:<br>
>> pgpool-II-pg93-3.3.3-1.pgdg.x86_64<br>
>> postgresql93.x86_64 9.3.4-1PGDG.rhel6 @pgdg93<br>
>><br>
>> postgresql93-contrib.x86_64<br>
>> postgresql93-libs.x86_64<br>
>><br>
>> Library check:<br>
>> [root@server ~]# ldd /usr/bin/pgpool<br>
>> linux-vdso.so.1 =>(0x00007fff32f1c000)<br>
>> libpq.so.5 => /usr/pgsql-9.3/lib/libpq.so.5 (0x00007f2e121f0000)<br>
>> libpcp.so.0 => /usr/lib64/libpcp.so.0 (0x0000003663c00000)<br>
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003662800000)<br>
>> libpam.so.0 => /lib64/libpam.so.0 (0x0000003667400000)<br>
>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003664800000)<br>
>> libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003664000000)<br>
>> libnsl.so.1 => /lib64/libnsl.so.1 (0x0000003665400000)<br>
>> libm.so.6 => /lib64/libm.so.6 (0x0000003663000000)<br>
>> libc.so.6 => /lib64/libc.so.6 (0x0000003662400000)<br>
>> libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003669400000)<br>
>> libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003668400000)<br>
>> libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003668000000)<br>
>> libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2 (0x0000003665000000)<br>
>> /lib64/ld-linux-x86-64.so.2 (0x0000003661c00000)<br>
>> libaudit.so.1 => /lib64/libaudit.so.1 (0x0000003666400000)<br>
>> libdl.so.2 => /lib64/libdl.so.2 (0x0000003662000000)<br>
>> libfreebl3.so => /lib64/libfreebl3.so (0x0000003664c00000)<br>
>> libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003668c00000)<br>
>> libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003664400000)<br>
>> libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003669000000)<br>
>> libz.so.1 => /lib64/libz.so.1 (0x0000003663400000)<br>
>> libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003668800000)<br>
>> libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003667c00000)<br>
>> liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x0000003669c00000)<br>
>> libssl3.so => /usr/lib64/libssl3.so (0x0000003667000000)<br>
>> libsmime3.so => /usr/lib64/libsmime3.so (0x0000003667800000)<br>
>> libnss3.so => /usr/lib64/libnss3.so (0x0000003665c00000)<br>
>> libnssutil3.so => /usr/lib64/libnssutil3.so (0x0000003665800000)<br>
>> libplds4.so => /lib64/libplds4.so (0x0000003666000000)<br>
>> libplc4.so => /lib64/libplc4.so (0x0000003666800000)<br>
>> libnspr4.so => /lib64/libnspr4.so (0x0000003666c00000)<br>
>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003669800000)<br>
>> libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003663800000)<br>
>> librt.so.1 => /lib64/librt.so.1 (0x0000003662c00000)<br>
>><br>
>> PgPool master process<br>
>> /usr/bin/pgpool -f /etc/pgpool-II/pgpool.conf -n<br>
>><br>
>> I am at a loss. Is there anything else I can look for to figure out why<br>
>> SSL is not loading?<br>
>><br>
>> Thanks<br>
>><br>
>> Rick Morris<br>
>><br>
><br>
</div></div>> --<br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
> Confidentiality Statement<br>
> This email and any files transmitted with it are confidential and intended<br>
> solely for the use of the individual or entity to whom they are addressed.<br>
> If you have received this email in error please notify the system manager.<br>
> This message contains confidential information and is intended only for the<br>
> individual named. If you are not the named addressee you should not<br>
> disseminate, distribute or copy this e-mail. Please notify the sender<br>
> immediately by e-mail if you have received this e-mail by mistake and<br>
> delete this e-mail from your system. If you are not the intended recipient<br>
> you are notified that disclosing, copying, distributing or taking any<br>
> action in reliance on the contents of this information is strictly<br>
> prohibited.<br>
> KnowledgeSource, 580 Harrison Ave, Boston MA 02118<br>
><br>
</div></div></blockquote></div><br></div>
<br>
<div align="center"><font face="Verdana" size="2"><br><br><br><font color="gray">Confidentiality Statement<br>This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.<br></font></font></div><font color="gray" size="2"><font color="black">KnowledgeSource, 580 Harrison Ave, Boston MA 02118</font><br></font><br>