Postgresql SSL
I have used certbot to install SSL for the 3 subdomains on my Linode (Django, Apache2). This works OK.
I cannot get Postgresql working with SSL. See russell-clark-linuxvps3.site for the landing page. Click the Django:Blog link.
Any help would be much appreciated.
In looking at https://blog.russell-clark-linuxvps3.site/ I'm seeing this error message:
could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
Regarding this question, specifically:
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
I tried making a connection attempt to your port 5432 but it's showing the port as closed, which means that postgresql isn't running.
dig +short blog.russell-clark-linuxvps3.site
212.71.246.76
nmap -p5432 212.71.246.76
Host is up (0.074s latency).
PORT STATE SERVICE
5432/tcp closed postgresql
To try starting your postgresql service, run:
sudo systemctl start postgresql
Or
sudo service postgresql start
If you receive any failure messages, I'd check your postgresql logs as well, to see if that helps guide you in the right direction.
- https://severalnines.com/blog/decoding-postgresql-error-logs
- https://chartio.com/resources/tutorials/how-to-log-queries-in-postgresql/
I hope that helps! Though if there are other folks with more knowledge/experience regarding this, hopefully they can provide more insight.
Unfortunately I am familiar with the error message.
I should add that postgresql.conf is listening to '*'.
In nmap, a closed port means that the port is reachable, but there is no application listening to the port.
Here is postgresql status:
sudo service postgresql status
postgresql.service - PostgreSQL RDBMS
Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2019-09-30 10:08:42 UTC; 8h ago
Process: 10593 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 10593 (code=exited, status=0/SUCCESS)
Below is ufw status
sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
5432/tcp ALLOW Anywhere
5432 ALLOW 212.71.246.0/24
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
LATEST
OK we have a little success:
tail /var/log/postgresql/postgresql-11-main.log
pg_ctl: could not start server
Examine the log output.
2019-09-30 18:47:11.773 UTC [15604] FATAL: could not load server certificate file "server.crt": No such file or directory
2019-09-30 18:47:11.773 UTC [15604] LOG: database system is shut down
pg_ctl: could not start server
Examine the log output.
2019-09-30 18:56:45.531 UTC [15690] FATAL: could not load server certificate file "server.crt": No such file or directory
2019-09-30 18:56:45.531 UTC [15690] LOG: database system is shut down
pg_ctl: could not start server
Examine the log output.
@russellclark This error message from your logs indicates that your SSL files are not in the location where PostgreSQL expects them to be:
2019-09-30 18:47:11.773 UTC [15604] FATAL: could not load server certificate file "server.crt": No such file or directory
I'm seeing from PostgreSQL's SSL documentation that it expects certain SSL files located in the $PGDATA directory in order to function. Accordingly, you should be able to copy your Certbot certificate files to $PGDATA, ensuring that they correspond to the filenames set in your postgresql.conf file. Though I haven't tested it out personally, this blog post by Pavel Evstigneev includes some illustrative instructions including those for a Let's Encrypt renewal hook. Note that from my reading of Pavel's guide, a missing required step would be manually executing the renewal script after setting it up — otherwise it will only run it after a successful renewal.
Thanks for all the help. PostgreSQL is now running OK. However Apache2 is giving a WSGI error message. I will pursue this on another day.