I wrote that document; at the time client-based certificates weren't
really supported or something like that.

Specifically, not supporting client auth is hinted at in the JDBC driver
details here: http://jdbc.postgresql.org/documentation/head/ssl-factory.html

I seem to recall there being a problem with the current default
SslFactory not allowing this kind of thing easily, but there is an
alternate factory one can possibly use:

https://github.com/pgjdbc/pgjdbc/blob/master/org/postgresql/ssl/jdbc4/LibPQFactory.java

Sorry, the main documentation page doesn't contain details of this
class; it's fairly unknown to most people - I had to go digging for it
in the source to find it.

This should in theory allow one to provide parameters in the JDBC url
to provide a client certificate, but I've never seen it working yet
(and we may not even ship a version of the jdbc driver that has this
class :-).

The parameters gleaned from the source are:

sslmode, sslcert, sslkey, sslrootcert, sslhostnameverifier, sslpasswordcallback, sslpassword

So you could construct something like:

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=<whatever>&sslcert=<whatever>
... etc ...
username = <USERNAME>
password = <PASSWORD>

But the details are something I'm not across, sorry; you'll have to
experiment on your own :-). Respond if you need more help, or if you
make more progress.

ken.

On Wed, Jul 16, 2014 at 3:40 PM, Fabrice Bacchella
<fbacche...@spamcop.net> wrote:
> I'm trying to authenticate a puppetdb on a postgresql server using a client 
> certificate.
>
> I managed to set up SSL on server side without any problem but 
> http://docs.puppetlabs.com/puppetdb/2.1/postgres_ssl.html says:
> Note: At this point the documentation below only covers server-based SSL, 
> client certificate support is not documented.
>
> So has someone with a better knowledge of the postgresql jdbc connector 
> tried this and succeeded?
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/1082A318-AA8C-4C47-BAE9-4A980DD1D4D6%40spamcop.net.
> For more options, visit https://groups.google.com/d/optout.
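
Added example, not part of the original thread and not PuppetDB or pgjdbc code: a small helper that assembles the subname from the parameters listed in the reply and flags settings that weaken the connection. The host, database and file paths are constructed; the key-format check assumes the PKCS-8 DER requirement that the pgjdbc documentation states for sslkey.

```python
import os

# Factory class name exactly as written in the thread; check it against
# the driver jar you actually ship.
FACTORY = "org.postgresql.ssl.LibPQFactory"


def build_subname(host, port, database, sslcert, sslkey, sslrootcert,
                  sslmode="verify-full"):
    """Return the value for `subname` in PuppetDB's [database] section."""
    params = [("ssl", "true"), ("sslfactory", FACTORY), ("sslmode", sslmode),
              ("sslcert", sslcert), ("sslkey", sslkey),
              ("sslrootcert", sslrootcert)]
    query = "&".join("%s=%s" % pair for pair in params)
    return "//%s:%d/%s?%s" % (host, port, database, query)


def audit(sslmode, sslkey):
    """Return findings for settings that weaken client-certificate auth."""
    findings = []
    # Only verify-full checks both the certificate chain and the hostname.
    if sslmode != "verify-full":
        findings.append("sslmode=%s does not check the server hostname" % sslmode)
    with open(sslkey, "rb") as fh:
        head = fh.read(10)
    # Assumption: the driver reads sslkey as PKCS-8 DER, so a PEM header
    # means the key still needs converting.
    if head.startswith(b"-----BEGIN"):
        findings.append("sslkey is PEM; convert it to PKCS-8 DER")
    # The private key should be readable by the PuppetDB service user only.
    if os.stat(sslkey).st_mode & 0o077:
        findings.append("sslkey is readable by group or others")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print("subname = " + build_subname(
        "db.example.com", 5432, "puppetdb",
        "/etc/puppetdb/ssl/client.crt",
        "/etc/puppetdb/ssl/client.pk8",
        "/etc/puppetdb/ssl/ca.crt"))
```

On the server side, certificate authentication also needs a hostssl entry using the cert method in pg_hba.conf, and the certificate's CN must match the database user name.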
