Unable to connect Corda node to Postgres with SSL

Problem description

My Postgres DB in GCP (Google Cloud Platform) only accepts connections over SSL.
I tried the below inside my node.conf without any success:

dataSourceProperties {
    dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
    dataSource.url = "jdbc:postgresql://db-private-ip:5432/my_node"
    dataSource.ssl = true
    dataSource.sslMode = verify-ca
    dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
    dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
    dataSource.sslKey = "/opt/corda/db-certs/client-key.pem"
    dataSource.user = my_node_db_user
    dataSource.password = my_pass
}

I'm sure that the keys (sslMode, sslRootCert, sslCert, and sslKey) are acceptable in node.conf (even though they are not mentioned anywhere in Corda docs), because in the logs I didn't get any errors that those keys are not recognized.
I get this error when I try to start the node:

[ERROR] 21:58:48+0000 [main] pool.HikariPool. - HikariPool-1 - Exception during pool initialization. [errorCode=zmhrwq, moreInformationAt=https://errors.corda.net/OS/4.3/zmhrwq]
[ERROR] 21:58:48+0000 [main] internal.NodeStartupLogging. - Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database.: Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database. [errorCode=18t70u2, moreInformationAt=https://errors.corda.net/OS/4.3/18t70u2]

I tried adding ?ssl=true to the end of the data source URL as suggested in (Azure Postgres Database requires SSL Connection from Corda) but that didn't fix the problem.

Also for the same values I'm able to use the psql client to connect my VM to the DB:

psql "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem hostaddr=db-private-ip user=some-user dbname=some-pass"

Recommended answer

Turns out the JDBC driver cannot read the key from a PEM file; it has to be converted to a DER file using:

openssl pkcs8 -topk8 -inform PEM -in client-key.pem -outform DER -nocrypt -out client-key.der

chmod 400 client-key.der
chown corda:corda client-key.der

More details here: https://github.com/pgjdbc/pgjdbc/issues/1364

So the correct config should look like this:

dataSourceProperties {
    dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
    dataSource.url = "jdbc:postgresql://db-private-ip:5432/db-name"
    dataSource.ssl = true
    dataSource.sslMode = verify-ca
    dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
    dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
    dataSource.sslKey = "/opt/corda/db-certs/client-key.der"
    dataSource.user = db-user-name
    dataSource.password = db-user-pass
}
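
A pre-flight check for the converted key, as an added example that is not part of the original answer: it classifies the file that dataSource.sslKey points at (PEM, PKCS#1 DER, encrypted or unencrypted PKCS#8 DER) and flags group/other permissions. The function names and the sample bytes are constructed for illustration; the expected format is the one the openssl command above produces (`-topk8 -outform DER -nocrypt`).

```python
import os
import stat

# Constructed sample: a PKCS#8-shaped PrivateKeyInfo with a 2-byte dummy key body.
SAMPLE_PKCS8_DER = bytes.fromhex("3016020100300d06092a864886f70d01010105000402abcd")

def der_header(data, pos):
    """Return (tag, content_start, content_length) of the DER element at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(data):
        raise ValueError("unsupported DER length")
    return tag, pos + 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def classify_key(data):
    """Classify key bytes as pem, pkcs8-der, pkcs8-der-encrypted, pkcs1-der or unknown."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, length = der_header(data, 0)
        if tag != 0x30 or start + length != len(data):
            return "unknown"
        tag1, s1, l1 = der_header(data, start)
        if tag1 == 0x30:                  # EncryptedPrivateKeyInfo opens with AlgorithmIdentifier
            return "pkcs8-der-encrypted"
        if tag1 != 0x02:                  # otherwise a version INTEGER must come first
            return "unknown"
        tag2, _, _ = der_header(data, s1 + l1)
    except ValueError:
        return "unknown"
    # PrivateKeyInfo: version, then AlgorithmIdentifier SEQUENCE; RSAPrivateKey: version, then INTEGER
    return {0x30: "pkcs8-der", 0x02: "pkcs1-der"}.get(tag2, "unknown")

def check_key_file(path):
    """Return a list of problems with the file that dataSource.sslKey points at."""
    problems = []
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    if kind != "pkcs8-der":
        problems.append(f"key is {kind}; expected unencrypted PKCS#8 DER")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible to group or others")
    return problems
```

An empty list from `check_key_file("/opt/corda/db-certs/client-key.der")` means the file has the expected shape and mode; the check inspects only the outer ASN.1 structure and does not validate the key material itself.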
