Lists: | pgsql-hackers |
---|
From: | Thom Brown <thom(at)linux(dot)com> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | SSL key with passphrase |
Date: | 2011-09-13 13:54:23 |
Message-ID: | CAA-aLv5b_jN7ek33kWe+pMJgSfbk70CkMVcgvQ9BSiYyZKkQhw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Hi,
There appears to be a problem with starting Postgres if the SSL key
has a passphrase on it. The following happens:
Enter PEM pass phrase:
FATAL: could not load private key file "server.key": problems getting password
Starting with "postgres -D /path/to/cluster" returns:
Enter PEM pass phrase:
LOG: database system was shut down at 2011-09-13 13:51:51 BST
LOG: database system is ready to accept connections
LOG: autovacuum launcher started
So the postgres binary accepts stdin, but pg_ctl doesn't. This isn't
an unusual case, so could I request a fix to allow pg_ctl to take
stdin rather than /dev/null?
Thanks
--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Thom Brown <thom(at)linux(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL key with passphrase |
Date: | 2011-09-13 14:17:20 |
Message-ID: | 5181.1315923440@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Thom Brown <thom(at)linux(dot)com> writes:
> There appears to be a problem with starting Postgres if the SSL key
> has a passphrase on it.
It's documented that that's unsupported. Given the number of ways to
start a postmaster, and the fact that many of them are noninteractive,
I don't think it's very productive for us to worry about it.
regards, tom lane
From: | Thom Brown <thom(at)linux(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL key with passphrase |
Date: | 2011-09-13 14:28:25 |
Message-ID: | CAA-aLv4GFU=G0F9xX0zb_9onwCy9Gt55bBmn1KnBY9estMRMtQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thom Brown <thom(at)linux(dot)com> writes:
>> There appears to be a problem with starting Postgres if the SSL key
>> has a passphrase on it.
>
> It's documented that that's unsupported. Given the number of ways to
> start a postmaster, and the fact that many of them are noninteractive,
> I don't think it's very productive for us to worry about it.
For reference, could you point me to the page which states this lack
of support? All I could find was a mention that in order to start the
service automatically, you would need to remove the passphrase.
--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Thom Brown <thom(at)linux(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL key with passphrase |
Date: | 2011-09-14 01:40:15 |
Message-ID: | CAA-aLv4TLRP_xemnsV18kaLBE3tH7BbA-WBxm6CPv_p++zKSrA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thom Brown <thom(at)linux(dot)com> writes:
>> There appears to be a problem with starting Postgres if the SSL key
>> has a passphrase on it.
>
> It's documented that that's unsupported. Given the number of ways to
> start a postmaster, and the fact that many of them are noninteractive,
> I don't think it's very productive for us to worry about it.
I've managed to get pg_ctl to accept the passphrase with the -w
option. Works fine like that. Since that works, perhaps the page
referring to SSL could mention this.
--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Thom Brown <thom(at)linux(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL key with passphrase |
Date: | 2012-08-16 00:52:45 |
Message-ID: | 20120816005245.GE8353@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Wed, Sep 14, 2011 at 02:40:15AM +0100, Thom Brown wrote:
> On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Thom Brown <thom(at)linux(dot)com> writes:
> >> There appears to be a problem with starting Postgres if the SSL key
> >> has a passphrase on it.
> >
> > It's documented that that's unsupported. Given the number of ways to
> > start a postmaster, and the fact that many of them are noninteractive,
> > I don't think it's very productive for us to worry about it.
>
> I've managed to get pg_ctl to accept the passphrase with the -w
> option. Works fine like that. Since that works, perhaps the page
> referring to SSL could mention this.
I have added a documention mention as you suggested for PG 9.3 in the
'-w' option section.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
Attachment | Content-Type | Size |
---|---|---|
ssl.diff | text/x-diff | 677 bytes |