postgres: tls-mode verify-ca does not work correctly (behaves like verify-full) #65816

Closed
tomcastro89 opened this issue Apr 3, 2023 · 9 comments · Fixed by #67372 or #85530

tomcastro89 commented Apr 3, 2023

summary by @gabor : the postgres TLS mode verify-ca does not work correctly, and behaves the same as verify-full. to reproduce: try this scenario: https://github.com/grafana/oss-big-tent-tools/tree/main/tls-setups/postgres#verify-server-cert-ignore-host . it should work, but it does not.


What happened:
Grafana Versions >= 9.4.0 cause the following issues in Panels that use a PostgreSQL (AWS RDS) as Datasource and the following TLS settings:

Issues

db query error: x509: certificate is valid for <DB instance url>, not <route53 url to db>
db query error: x509: certificate is not valid for any ....

Settings

Host: "insert AWS RDS Postgres Host route53"
Database: "insert DB name"
User+Password
TLS/SSL Mode: verify-ca
TLS/SSL Method: Certificate content
TLS/SSL Root Certificate: "insert official aws rds certificate"

PostgreSQL details
Version: 11

One (the first) certificate out of the official AWS RDS root certificates eu-central-1 bundle is used:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
eu-central-1-bundle.pem

What you expected to happen:
The panels should work in the same way they do in Grafana v9.3.8

How to reproduce it (as minimally and precisely as possible):

  1. Use Grafana v9.3.8
  2. Add an AWS RDS Postgres Database as Datasource incl. the TLS settings above
  3. use a route53 to access the AWS RDS
  4. it should work
  5. upgrade Grafana to a Version >=9.4.0
  6. the issues mentioned above should appear and the panels don't work

Anything else we need to know?:

Environment:

  • Grafana version: >= 9.4.0
  • Data source type & version: PostgreSQL
  • OS Grafana is installed on: Grafana official image deployed as Stateful Set in Openshift
@mellieA added the triage/needs-confirmation label (used for OSS triage rotation - reported issue needs to be reproduced) Apr 4, 2023
@idastambuk
Contributor

I think this is a ticket for the @grafana/grafana-bi-squad, as it’s a PostgreSQL datasource

@zoltanbedi added the datasource/Postgres and needs investigation (for unconfirmed bugs. use type/bug for confirmed bugs, even if they "need" more investigating) labels Apr 6, 2023
@mymasse

mymasse commented Apr 21, 2023

Well we just ran into this same type of issue upgrading to Concourse 7.9.1, and after debugging more we think the problem is due to the upgrade of lib/pq to 1.10.7. An issue was raised in lib/pq: lib/pq#1106

@zoltanbedi added the type/bug label and removed the needs investigation (for unconfirmed bugs. use type/bug for confirmed bugs, even if they "need" more investigating) and triage/needs-confirmation (used for OSS triage rotation - reported issue needs to be reproduced) labels Apr 27, 2023
@tomcastro89
Author

Hi,

the same issue appears now when updating grafana from 10.1.5 to 10.2.0.

Please look into it. Thanks!

@zoltanbedi
Member

Thanks for letting us know @tomcastro89. I'm going to reopen this issue.

@zoltanbedi reopened this Nov 6, 2023
@gabor changed the title from "Grafana Versions >=9.4.0 cause AWS RDS Datasource TLS Certificate Issues, Version 9.3.8 works fine" to "postgres: tls-mode verify-ca does not work correctly (behaves like verify-full)" Nov 7, 2023
@gabor self-assigned this Dec 1, 2023
@gabor
Contributor

gabor commented Feb 28, 2024

fixed in #81353

@gabor closed this as completed Feb 28, 2024
@gabor
Contributor

gabor commented Mar 1, 2024

unfortunately we had to revert the fix, has problems in certain corner-cases, so i'll reopen this one too. we'll adjust our fix and do it again.

@papagian
Contributor

papagian commented Mar 13, 2024

re-opening since #83892 fixes when postgres is used as database backend not as a data source

@papagian reopened this Mar 13, 2024
@zoltanbedi
Member

We also fixed it for the Postgres datasource in #83768

@gabor
Contributor

gabor commented Apr 9, 2024

fixed again in #85530 (we had to roll back the previous fix)

Projects
Status: Complete
7 participants