key cannot be loaded due to wrong format #1421

@rizary

Description

Hi, I have the following Dockerfile to generate the certs:

FROM golang:1.20-alpine AS builder

RUN set -x && \
    apk --no-cache add git gcc libc-dev make && \
    # Create postgres user without specific GID/UID
    addgroup postgres && \
    adduser -S -G postgres postgres

RUN go install github.com/cloudflare/cfssl/cmd/...@latest

WORKDIR /app
COPY docker/volumes/timescaledb/certs/csr_timescaledb.json /app/csr_timescaledb.json
COPY docker/volumes/timescaledb/certs/csr_client.json /app/csr_client.json
COPY docker/volumes/timescaledb/certs/cfssl-config.json /app/cfssl-config.json

# Create directories for certificates
RUN mkdir -p /output && \
    chown -R postgres:postgres /output

# Generate CA certificate
RUN cfssl gencert -initca /app/csr_timescaledb.json | cfssljson -bare ca

# Generate server certificate
RUN cfssl gencert \
    -ca ca.pem \
    -ca-key ca-key.pem \
    -config=/app/cfssl-config.json \
    /app/csr_timescaledb.json | cfssljson -bare server

# Generate client certificate
RUN cfssl gencert \
    -ca ca.pem \
    -ca-key ca-key.pem \
    -config=/app/cfssl-config.json \
    /app/csr_client.json | cfssljson -bare client

# Set proper permissions
RUN chmod 400 ca-key.pem server-key.pem client-key.pem && \
    chmod 644 ca.pem server.pem client.pem

# Copy all certificates to output directory
RUN cp ca.pem client.pem client-key.pem server.pem server-key.pem /output/ && \
    chmod 600 /output/client-key.pem /output/server-key.pem && \
    chmod 644 /output/ca.pem /output/client.pem /output/server.pem && \
    chown -R postgres:postgres /output

USER postgres
WORKDIR /app

CMD ["sh", "-c", "cp -v /output/* /certs-output/ && exit 0"]

Compared to what I did with just openssl here: https://goteleport.com/blog/securing-postgres-postgresql/, which lets me make an SSL connection to my postgres instance.

Did I do something wrong? or is there any reason why the format is wrong?

For more context, I have put a question here: https://dba.stackexchange.com/questions/346355/running-postgresql-container-using-sslmode-verify-full-and-accessing-from-wsl-b?noredirect=1#comment672692_346355
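As a diagnostic for a "wrong format" complaint about a key produced by a pipeline like the one above, here is an added example; it is not part of this issue, and it is not cfssl code (the names KeyInfo, CheckKeyPair and NewSelfSignedPair are this example's own). It reports the PEM encoding of a private key file, distinguishing SEC1 "EC PRIVATE KEY" (what cfssl writes for its default ECDSA P-256 key when the CSR JSON has no "key" block), PKCS#1 "RSA PRIVATE KEY" and PKCS#8 "PRIVATE KEY" (the two forms openssl commonly writes), rejects PEM-encrypted keys, and verifies that the key's public half actually matches the certificate it is paired with. The certificate/key pair it exercises is constructed in-process so the program runs offline; to test real files, pass the contents of server.pem and server-key.pem from /output to CheckKeyPair.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KeyInfo is this example's report for one certificate/key pair (not a cfssl type).
type KeyInfo struct {
	BlockType string // PEM header of the key file, e.g. "EC PRIVATE KEY"
	Algorithm string // "ECDSA" or "RSA"
	Matches   bool   // the key's public half equals the certificate's public key
}

// CheckKeyPair parses certPEM and keyPEM, accepting the unencrypted key encodings
// cfssl and openssl write, and reports whether the two files belong together.
func CheckKeyPair(certPEM, keyPEM []byte) (KeyInfo, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return KeyInfo{}, errors.New("certificate file has no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return KeyInfo{}, fmt.Errorf("certificate does not parse: %w", err)
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return KeyInfo{}, errors.New("no PEM block found in key file")
	}
	info := KeyInfo{BlockType: kb.Type} // always report the encoding we saw
	if _, ok := kb.Headers["Proc-Type"]; ok {
		return info, errors.New("key is PEM-encrypted; servers expect an unencrypted key")
	}
	var key crypto.PrivateKey
	switch kb.Type {
	case "EC PRIVATE KEY": // SEC1: what cfssl writes for its default ECDSA keys
		key, err = x509.ParseECPrivateKey(kb.Bytes)
	case "RSA PRIVATE KEY": // PKCS#1
		key, err = x509.ParsePKCS1PrivateKey(kb.Bytes)
	case "PRIVATE KEY": // PKCS#8, wraps either algorithm
		key, err = x509.ParsePKCS8PrivateKey(kb.Bytes)
	default:
		return info, fmt.Errorf("unexpected PEM block type %q in key file", kb.Type)
	}
	if err != nil {
		return info, fmt.Errorf("%s block does not parse: %w", kb.Type, err)
	}
	var pub interface{ Equal(crypto.PublicKey) bool } // both stdlib key types implement Equal
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		info.Algorithm, pub = "ECDSA", &k.PublicKey
	case *rsa.PrivateKey:
		info.Algorithm, pub = "RSA", &k.PublicKey
	default:
		return info, fmt.Errorf("unsupported private key type %T", key)
	}
	info.Matches = pub.Equal(cert.PublicKey) // false, not a panic, on an algorithm mismatch
	return info, nil
}

// NewSelfSignedPair builds a throwaway ECDSA P-256 key and self-signed certificate,
// constructed in-process so the checker runs offline; the key is encoded as SEC1
// "EC PRIVATE KEY", the same encoding cfssl uses for ECDSA keys.
func NewSelfSignedPair(cn string) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system entropy source is broken
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated above
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	certPEM, keyPEM := NewSelfSignedPair("timescaledb")
	info, err := CheckKeyPair(certPEM, keyPEM)
	fmt.Printf("matching pair:   %+v err=%v\n", info, err)
	_, otherKey := NewSelfSignedPair("client")
	info, err = CheckKeyPair(certPEM, otherKey) // right encoding, wrong key for this cert
	fmt.Printf("mismatched pair: %+v err=%v\n", info, err)
}
```

Running this against the files the Dockerfile leaves in /output (read them with os.ReadFile and hand the bytes to CheckKeyPair) separates the three questions a server's "wrong format" message lumps together: is there a PEM block at all (a file truncated or mangled by a copy shows up here), which encoding is it, and does the key belong to the certificate next to it. The block type it prints is also the first thing to compare against whatever the openssl-based procedure produced, since that path and cfssl's default do not necessarily emit the same key encoding.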
