TLS encrypted PostgreSQL connection not possible


I would like to establish a TLS-encrypted connection to a PostgreSQL 11 database using Tokio as the framework, Deadpool as the connection pooler and rustls as the TLS library.

I developed/modified the following code:

// Assumed imports for the crates named in the question (rustls 0.19-era API,
// tokio-postgres-rustls, deadpool-postgres); `settings` comes from the
// surrounding program and is not shown here.
use std::fs::File;
use std::io::BufReader;
use rustls::ClientConfig;
use tokio_postgres::NoTls;
use tokio_postgres_rustls::MakeRustlsConnect;

let pool = if let Some(ca_cert) = settings.db_ca_cert {
    // Build a rustls client config whose trust store holds only the
    // configured database root CA.
    let mut tls_config = ClientConfig::new();
    let cert_file = File::open(&ca_cert)?;
    let mut buf = BufReader::new(cert_file);
    tls_config.root_store.add_pem_file(&mut buf).map_err(|_| {
        anyhow::anyhow!("failed to read database root certificate: {}", ca_cert)
    })?;

    let tls = MakeRustlsConnect::new(tls_config);
    settings.pg.create_pool(tls)?
} else {
    // No CA configured: the pool is created without TLS.
    settings.pg.create_pool(NoTls)?
};

My test scenario is taken from here:

  • PostgreSQL 11 docker container (including TLS turned on)
  • TLS was already tested successfully with the psql client

I now get the following error message and can't explain the problem. I already checked the access rights and other parameters.

/usr/local/bin/cargo run --color=always
    Finished dev [unoptimized + debuginfo] target(s) in 0.20s
     Running `target/debug/tokio-postgres-rustls-connection-pool-demo`
 DEBUG tokio_postgres_rustls_connection_pool_demo > settings: Settings { pg: Config { user: Some("postgres"), password: Some("postgres"), dbname: Some("postgres"), options: Some("sslrootcert=/xxx/tokio-postgres-rustls-connection-pool-demo/docker/files/cert/ca.pem"), application_name: None, ssl_mode: None, host: Some("127.0.0.1"), hosts: None, port: Some(6432), ports: None, connect_timeout: None, keepalives: None, keepalives_idle: None, target_session_attrs: None, channel_binding: None, manager: None, pool: None }, db_ca_cert: None }
Error: Backend(Error { kind: Connect, cause: Some(Os { code: 2, kind: NotFound, message: "No such file or directory" }) })

I looked at the logs of the database and could identify the following error:

[86] LOG:  XX000: could not accept SSL connection: Success
[86] LOCATION:  be_tls_open_server, be-secure-openssl.c:408

How can I solve the problem?

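Added example, not part of the question and not code from tokio-postgres, deadpool or rustls: a std-only Rust check that validates the configured root-CA bundle path before it is handed to the TLS layer, so a wrong or missing path fails with a message that names the file instead of a bare OS "No such file or directory" error. The type and function names (`CaBundleError`, `count_pem_certificates`, `check_ca_bundle`) are assumptions chosen for this example, and the sample bundle contains placeholder base64 bodies, not real certificates; it only exercises the delimiter and character-set checks, and DER parsing is left to the TLS library.

```rust
use std::fmt;
use std::fs;
use std::path::{Path, PathBuf};

/// Problems found while checking a root-CA bundle (type defined for this example).
#[derive(Debug, PartialEq)]
pub enum CaBundleError {
    /// Path does not exist or is not a readable regular file.
    NotFound(PathBuf),
    /// File exists but contains no `CERTIFICATE` PEM block.
    NoCertificates(PathBuf),
    /// A block was not properly delimited or held non-base64 characters.
    MalformedBlock { index: usize },
}

impl fmt::Display for CaBundleError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            CaBundleError::NotFound(p) => write!(f, "root CA bundle not found: {}", p.display()),
            CaBundleError::NoCertificates(p) => write!(f, "no CERTIFICATE blocks in {}", p.display()),
            CaBundleError::MalformedBlock { index } => write!(f, "malformed PEM block #{}", index),
        }
    }
}

impl std::error::Error for CaBundleError {}

/// Count the `CERTIFICATE` PEM blocks in `pem`, checking that each body line
/// is base64 and that every BEGIN has a matching END. Bodies are not
/// DER-parsed; that remains the TLS library's job.
pub fn count_pem_certificates(pem: &str) -> Result<usize, CaBundleError> {
    let mut count = 0;
    let mut in_block = false;
    for line in pem.lines() {
        let line = line.trim();
        match line {
            "-----BEGIN CERTIFICATE-----" if !in_block => in_block = true,
            "-----END CERTIFICATE-----" if in_block => {
                in_block = false;
                count += 1;
            }
            _ if in_block => {
                let base64 = line
                    .bytes()
                    .all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=');
                if line.is_empty() || !base64 {
                    return Err(CaBundleError::MalformedBlock { index: count });
                }
            }
            // Text outside blocks (comments, other PEM types) is ignored.
            _ => {}
        }
    }
    if in_block {
        // A BEGIN marker without its END marker.
        return Err(CaBundleError::MalformedBlock { index: count });
    }
    Ok(count)
}

/// Check a configured CA path before building the TLS config, so a wrong
/// path fails with a message naming it instead of a bare OS error.
pub fn check_ca_bundle(path: &Path) -> Result<usize, CaBundleError> {
    let pem = fs::read_to_string(path)
        .map_err(|_| CaBundleError::NotFound(path.to_path_buf()))?;
    match count_pem_certificates(&pem)? {
        0 => Err(CaBundleError::NoCertificates(path.to_path_buf())),
        n => Ok(n),
    }
}

/// Constructed sample bundle: two blocks whose bodies are placeholder base64,
/// not real certificates.
pub const SAMPLE_BUNDLE: &str = "\
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
EDEOMAwGA1UEAwwFdGVzdDA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
";

fn main() {
    // Write the sample to a temporary file and validate it the way a startup
    // check would before the TLS config is built.
    let dir = std::env::temp_dir();
    let path = dir.join("example-ca.pem");
    fs::write(&path, SAMPLE_BUNDLE).expect("write sample bundle");
    match check_ca_bundle(&path) {
        Ok(n) => println!("{} certificate(s) in {}", n, path.display()),
        Err(e) => eprintln!("error: {}", e),
    }
    // A path that does not exist is reported by name rather than as an OS code.
    let missing = dir.join("does-not-exist.pem");
    println!("{}", check_ca_bundle(&missing).unwrap_err());
    let _ = fs::remove_file(&path);
}
```

Running `check_ca_bundle` on the configured path at startup, before the pool is created, turns a misconfigured CA path into an immediate, self-explanatory failure; the question's `db_ca_cert` value can be passed to it directly as a `Path`.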