使用Postgresql 11.2进行热备份设置。问题是我们需要在认证过程中使用证书。如果我注释掉备用数据库postgresql.conf中的ssl / certificate行,则会出现相同的错误。因此,我不认为备用数据库正在使用我指定的证书来创建与主服务器的连接。如何告诉Postgresql哪些证书用于传出复制连接?
Master pg_hba.conf:
# PostgreSQL Client Authentication Configuration File
local all all md5
host all all 127.0.0.1/32 md5
host all user fe80::/10 md5
host all all ::1/128 md5
hostssl all user ::/0 cert map=cert
hostssl all user 0.0.0.0/0 cert map=cert
hostssl replication user ::/0 cert map=cert
hostssl replication user 0.0.0.0/0 cert map=cert
Master pg_ident.conf:
cert /^(.*)$ user
Master postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/Server-signed.crt'
ssl_key_file = '/opt/server/config/Server.key'
ssl_ca_file = '/opt/server/config/master.crt'
备用恢复.conf:
standby_mode = 'on'
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require'
restore_command = 'cp /opt/pgsql/data/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /opt/pgsql/data/archive %r'
备用postgresql.conf:
bytea_output = hex
standard_conforming_strings = on
wal_level = replica
archive_mode = on
max_wal_senders = 5
wal_keep_segments = 32
listen_addresses = '*'
ssl = on
ssl_cert_file = '/opt/server/config/7/client-7-signed.crt'
ssl_key_file = '/opt/server/config/7/client-7.key'
ssl_ca_file = '/opt/server/config/7/master.crt'
主输出:
2019-11-15 12:23:15.784 CST [28044] LOG: database system is ready to accept connections
2019-11-15 12:23:21.650 CST [28068] FATAL: connection requires a valid client certificate
2019-11-15 12:23:21.670 CST [28069] FATAL: connection requires a valid client certificate
待机输出:
2019-11-15 12:23:21.630 CST [7571] LOG: database system is ready to accept read only connections
2019-11-15 12:23:21.644 CST [7577] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
cp: cannot stat ‘/opt/pgsql/data/archive/000000010000000000000001’: No such file or directory
2019-11-15 12:23:21.664 CST [7579] FATAL: could not connect to the primary server: FATAL: connection requires a valid client certificate
注意:我编辑了日志/配置文件以删除敏感路径/ URL /用户名
您在Standbys recovery.conf的primary_conninfo中设置这些值。
我的头像现在看起来像这样:
primary_conninfo = 'host=example.url.com port=5432 user=user password=NoTThePassword sslmode=require sslcert=/opt/server/config/7/client-7-signed.crt sslkey=/opt/server/config/7/client-7.key sslrootcert=/opt/server/config/7/master.crt'
此处可以记录在primary_conninfo中的所有值:https://www.postgresql.org/docs/9.4/libpq-connect.html#LIBPQ-CONNSTRING
您在备用数据库的postgresql.conf中指定的证书仅用于与备用数据库receives的连接,而不用于与备用数据库makes的连接。
[当备用数据库充当连接主计算机的client时,它将使用在~/.postgresql/
或%APPDATA%\postgresql\
中找到的内容,除非您在连接字符串(如Brinnis建议的那样)或环境中覆盖了这些设置,变量。当然,这里的“〜”是指运行PostgreSQL备用服务器的用户的主目录,通常是名为“ postgres”的用户。