Unexpected System.cmd PSQL Certificate Challenge

I contacted Digital Ocean and was directed to generate a client cert and key to use in concert with the root CA which I downloaded:

openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 3650 -nodes -subj '/CN=localhost'

Then set the permissions based on these rules:

  • Add chmod a=r to:

root.crt and client-cert.pem

  • Change the permission and the owner on the key to:

chmod 0600 client-key.pem

chown app client-key.pem

-rw------- 1 app app client-key.pem

-r--r--r-- 1 app app client-cert.pem

-r--r--r-- 1 app app root.crt

Then, as before, I included these three credentials in the environment variables for psql:

{"PGSSLROOTCERT", "/etc/db/root.crt"},

{"PGSSLCERT", "/etc/db/client-cert.pem"},

{"PGSSLKEY", "/etc/db/client-key.pem"}

And now the error with sslmode=require is:

SSL error: tlsv1 alert unknown ca

None of this should have even been needed AFAIK, because of the sslmode=require setting, which instructs the handshake to ignore certificate validation.

I feel like sslmode is not being honored when using System.cmd to invoke psql.

Invoking the same command directly on the terminal with only the sslmode specification and no certs works as expected.

Thoughts?

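An added example, not part of the original post: `openssl req -x509` writes a self-signed certificate, and `unknown ca` is the TLS alert a peer sends when it cannot chain the certificate it was shown to a CA it trusts. The script below checks the three files named in the post for exactly that relationship; the function names are hypothetical and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Function names are hypothetical;
# the file names (root.crt, client-cert.pem, client-key.pem) are the post's.
# Usage: sh check-certs.sh /etc/db

# True when subject and issuer are the same name, as they are for any
# certificate produced by `openssl req -x509`.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# True when certificate $2 verifies against the CA bundle $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Exit status: 0 chain is fine, 1 self-signed, 2 other issuer, 3 key mismatch.
diagnose() {
    dir=$1
    if ! key_matches_cert "$dir/client-key.pem" "$dir/client-cert.pem"; then
        echo "client-key.pem does not belong to client-cert.pem"
        return 3
    fi
    if chains_to "$dir/root.crt" "$dir/client-cert.pem"; then
        echo "client-cert.pem chains to root.crt"
        return 0
    fi
    if is_self_signed "$dir/client-cert.pem"; then
        echo "client-cert.pem is self-signed, not issued by root.crt"
        return 1
    fi
    echo "client-cert.pem was issued by a CA other than root.crt"
    return 2
}

if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

A result of 1 means a peer that validates client certificates against `root.crt` has no path from `client-cert.pem` to that CA.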