Jira (PDB-5379) Invalid option clientcert=1 with Postgres 14


Jon-Paul Lindquist (Jira)

Nov 22, 2021, 6:03:03 PM11/22/21
to puppe...@googlegroups.com
Jon-Paul Lindquist created an issue
 
PuppetDB / Bug PDB-5379
Invalid option clientcert=1 with Postgres 14
Issue Type: Bug
Assignee: Unassigned
Created: 2021/11/22 3:02 PM
Priority: Normal
Reporter: Jon-Paul Lindquist

Who found the bug?

< customer, Puppet employee, or us >

Where was the bug found?

  • System: < cem_linux, cem_windows, internal test environment, internal tooling, docs, etc. >
  • Version: < version of the system >
  • Operating system(s): < list of OS's the bug was discovered on >
  • Puppet version: < if applicable >

What is malfunctioning?

< detailed description of the aberrant behavior including as much specifics as possible >

What does success look like?

< put detailed acceptance criteria here >

How will success be validated?

< put testing plan here. Doesn't need to be overly detailed. For example, the phrases "litmus tests" and "unit tests" are completely valid >

Should anyone be contacted after this is fixed?

< If the bug report came from a customer, a PSE, the support team, etc. put the point of contact here >

 
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Jon-Paul Lindquist (Jira)

Nov 22, 2021, 6:08:03 PM11/22/21
to puppe...@googlegroups.com
Jon-Paul Lindquist updated an issue
Change By: Jon-Paul Lindquist
h2. Who found the bug?

[~jplindquist]
h2. Where was the bug found?
* System: Linux
* Version: 7
* Operating system(s): CentOS 7
* Puppet version: 7.7.1-1.el7

h2. What is malfunctioning?

When setting up SSL with Postgres 14 (postgresql_ssl_on: true), the database service fails to start with an invalid option

{code:java}
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 6 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 11 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 16 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 21 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] FATAL: could not load pg_hba.conf
2021-11-22 15:53:59.332 MST [7251] LOG: database system is shut down
{code}

[https://github.com/puppetlabs/puppetlabs-puppetdb/blob/3ea57a587d33e3105962d0e5f4f4b3196feb48c3/manifests/database/postgresql_ssl_rules.pp#L9-L27]

This value clientcert=1 is no longer supported in Postgres 14 (Changelog: [https://www.postgresql.org/docs/release/14.0/])
* Overhaul the specification of {{clientcert}} in [{{pg_hba.conf}}|https://www.postgresql.org/docs/14/auth-pg-hba-conf.html] (Kyotaro Horiguchi)

Values {{1}}/{{0}}/{{no-verify}} are no longer supported; only the strings {{verify-ca}} and {{verify-full}} can be used. Also, disallow {{verify-ca}} if cert authentication is enabled since cert requires {{verify-full}} checking.
h2. What does success look like?

The PuppetDB module properly handles the new / deprecated setting in newer versions of Postgres.
h2. How will success be validated?

< put testing plan here. Doesn't need to be overly detailed. For example, the phrases "litmus tests" and "unit tests" are completely valid >
h2. Should anyone be contacted after this is fixed?

[~jplindquist]

Jon-Paul Lindquist (Jira)

Nov 22, 2021, 6:11:01 PM11/22/21
to puppe...@googlegroups.com
Jon-Paul Lindquist updated an issue
h2. Who found the bug?

[~jplindquist]
h2. Where was the bug found?
* System: Linux
* Version: 7
* Operating system(s): CentOS 7
* Puppet version: 7.7.1-1.el7

h2. What is malfunctioning?

When setting up SSL with Postgres 14 (postgresql_ssl_on: true), the database service fails to start with an invalid option

 
{code:java}
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 6 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 11 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 16 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] LOG: invalid value for clientcert: "1"
2021-11-22 15:53:59.330 MST [7251] CONTEXT: line 21 of configuration file "/var/lib/pgsql/14/data/pg_hba.conf"
2021-11-22 15:53:59.330 MST [7251] FATAL: could not load pg_hba.conf
2021-11-22 15:53:59.332 MST [7251] LOG: database system is shut down{code}
 

[https://github.com/puppetlabs/puppetlabs-puppetdb/blob/3ea57a587d33e3105962d0e5f4f4b3196feb48c3/manifests/database/postgresql_ssl_rules.pp#L9-L27]

This value clientcert=1 is no longer supported in Postgres 14 (Changelog: [https://www.postgresql.org/docs/release/14.0/])
* Overhaul the specification of {{clientcert}} in [{{pg_hba.conf}}|https://www.postgresql.org/docs/14/auth-pg-hba-conf.html] (Kyotaro Horiguchi)

Values {{1}}/{{0}}/{{no-verify}} are no longer supported; only the strings {{verify-ca}} and {{verify-full}} can be used. Also, disallow {{verify-ca}} if cert authentication is enabled since cert requires {{verify-full}} checking.
h2. What does success look like?

The PuppetDB module properly handles the new / deprecated setting in newer versions of Postgres.
h2. How will success be validated?

Something along these lines which will setup postgresql 14 with puppetdb and setup the proper connections and maps between them.

{code:java}
class { 'puppetdb':
  manage_dbserver    => true,
  postgres_version   => '14',
  java_args          => {
    '-Xmx' => $puppetdb_jvm_heap,
  },
  disable_cleartext  => true,
  ssl_set_cert_paths => true,
  postgresql_ssl_on  => true,
  database_password  => $puppetdb_db_password,
}
{code}
h2. Should anyone be contacted after this is fixed?

[~jplindquist]

Jon-Paul Lindquist (Jira)

Nov 22, 2021, 6:12:01 PM11/22/21
to puppe...@googlegroups.com
Something along these lines which will setup postgresql 14 with puppetdb and setup the proper connections and maps between them.

 
{code:java}
class { 'puppetdb':
  manage_dbserver    => true,
  postgres_version   => '14',
  java_args          => {
    '-Xmx' => $puppetdb_jvm_heap,
  },
  disable_cleartext  => true,
  ssl_set_cert_paths => true,
  postgresql_ssl_on  => true,
  database_password  => $puppetdb_db_password,
}
{code}
h2. Should anyone be contacted after this is fixed?

[~jplindquist]

David McTavish (Jira)

Feb 10, 2022, 8:25:02 AM2/10/22
to puppe...@googlegroups.com
David McTavish updated an issue
Change By: David McTavish
Sprint: HA 2022-03-02

David McTavish (Jira)

Feb 10, 2022, 8:25:03 AM2/10/22
to puppe...@googlegroups.com
David McTavish updated an issue
Change By: David McTavish
Sprint: HA 2022-03-02 HAHA On Deck

David McTavish (Jira)

Feb 10, 2022, 8:26:01 AM2/10/22
to puppe...@googlegroups.com
David McTavish updated an issue
Change By: David McTavish
Labels: low-hanging-fruit

Stel Abrego (Jira)

Mar 14, 2022, 1:27:03 PM3/14/22
to puppe...@googlegroups.com
Stel Abrego assigned an issue to Stel Abrego
Change By: Stel Abrego
Assignee: Stel Abrego

David Piekny (Jira)

May 31, 2022, 9:32:02 AM5/31/22
to puppe...@googlegroups.com
David Piekny updated an issue
Change By: David Piekny
Labels: I&M&H-OnDeck low-hanging-fruit

David Piekny (Jira)

May 31, 2022, 11:33:01 AM5/31/22
to puppe...@googlegroups.com
David Piekny updated an issue
Change By: David Piekny
Sprint: I&M&H On Deck

David Piekny (Jira)

May 31, 2022, 1:32:01 PM5/31/22
to puppe...@googlegroups.com
David Piekny updated an issue
Change By: David Piekny
Epic Link: PE-32590

David Piekny (Jira)

May 31, 2022, 1:33:01 PM5/31/22
to puppe...@googlegroups.com
David Piekny commented on Bug PDB-5379
 
Re: Invalid option clientcert=1 with Postgres 14

david.piekny find out which team is looking after this supported module - should not be Dumpling.

Haroon Rafique (Jira)

Jun 19, 2023, 3:04:02 PM6/19/23
to puppe...@googlegroups.com

From PuppetDB 8 release notes:

PuppetDB 8 recommends PostgreSQL 14 or later in order to take advantage of new features in PostgreSQL.

Also found the following in /var/log/puppetlabs/puppetdb/puppetdb.log:

 ERROR [p.p.c.services] PostgreSQL 11.20 is unsupported. Please upgrade to PostgreSQL 14

Replacing:

clientcert=1

with:

clientcert=verify-full

in pg_hba.conf allows postgresql 14 to come up without any issues.
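The fix above is a one-line edit; applied across a whole pg_hba.conf it is easy to miss a rule or to turn a rule that never required a client certificate into one that does. The following is an added example (not code from this thread or from the puppetlabs-puppetdb module) of a small checker that walks a pg_hba.conf, rewrites the pre-14 spellings the Postgres 14 release note lists, and reports every change with its line number. It treats clientcert=1 the way the comment above does (rewrite to verify-full), drops clientcert=0 / no-verify (they meant "no certificate required", which in Postgres 14 is expressed by omitting the option), and rewrites verify-ca to verify-full only on lines whose auth method is cert, since Postgres 14 rejects that combination. The sample file, the map name ssl-puppetdb and the addresses are constructed and only imitate the shape of the module's rules.

```python
"""Added example: find legacy clientcert= values in a pg_hba.conf and
rewrite them the way PostgreSQL 14 expects, reporting each change."""
import re
from typing import List, Tuple

# PostgreSQL 14 accepts only these two strings for clientcert=.
VALID = {"verify-ca", "verify-full"}
# Pre-14 spellings: 1 meant "require a CA-signed client cert";
# 0 / no-verify meant "do not require one" (now expressed by omitting the option).
LEGACY_REQUIRE = {"1"}
LEGACY_DROP = {"0", "no-verify"}

CLIENTCERT_RE = re.compile(r"^clientcert=(\S+)$")


def rewrite_line(line: str) -> Tuple[str, List[str]]:
    """Rewrite one pg_hba.conf line; return (new_line, notes).

    Comment and blank lines pass through untouched. Fields are whitespace
    separated and auth options are the trailing name=value tokens, so the
    auth method is the token immediately before the first option.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, []
    tokens = stripped.split()
    first_opt = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
    method = tokens[first_opt - 1]
    kept = tokens[:first_opt]
    notes: List[str] = []
    for tok in tokens[first_opt:]:
        m = CLIENTCERT_RE.match(tok)
        if not m:
            kept.append(tok)
            continue
        value = m.group(1)
        if value in LEGACY_REQUIRE:
            # The thread's fix: require a valid client certificate with a name check.
            kept.append("clientcert=verify-full")
            notes.append(f"clientcert={value} is rejected by PostgreSQL 14; rewritten to verify-full")
        elif value in LEGACY_DROP:
            # Option removed; no client certificate was required before either.
            notes.append(f"clientcert={value} is rejected by PostgreSQL 14; option removed")
        elif value == "verify-ca" and method == "cert":
            # PostgreSQL 14 refuses verify-ca with the cert method; cert implies verify-full.
            kept.append("clientcert=verify-full")
            notes.append("verify-ca is not allowed with the cert auth method; rewritten to verify-full")
        elif value in VALID:
            kept.append(tok)
        else:
            kept.append(tok)
            notes.append(f"unrecognised clientcert value {value!r}; left for manual review")
    if kept == tokens:
        return line, notes  # keep the original alignment when nothing changed
    return " ".join(kept), notes


def check_config(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Run rewrite_line over a whole file; notes carry 1-based line numbers."""
    out: List[str] = []
    notes: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        new_line, line_notes = rewrite_line(line)
        out.append(new_line)
        notes.extend((lineno, msg) for msg in line_notes)
    return "\n".join(out) + "\n", notes


# Constructed sample: the hostssl/cert lines imitate the shape of the rules
# the module writes, not their exact content.
SAMPLE_PG_HBA = """\
# constructed sample pg_hba.conf
local   all       all                          peer
hostssl puppetdb  puppetdb  0.0.0.0/0  cert    map=ssl-puppetdb clientcert=1
hostssl puppetdb  puppetdb  ::/0       cert    map=ssl-puppetdb clientcert=1
hostssl all       all       10.0.0.0/8 md5     clientcert=0
hostssl all       all       10.0.0.0/8 scram-sha-256 clientcert=verify-ca
hostssl all       all       10.0.0.0/8 cert    clientcert=verify-ca
"""

if __name__ == "__main__":
    fixed, findings = check_config(SAMPLE_PG_HBA)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    print(fixed)
```

Lines that need no change are returned verbatim, so a diff of the output against the input shows only the rewritten rules; review that diff before restarting the service, since tightening clientcert on a rule that previously used md5 or scram can lock out clients that never presented a certificate.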

