I got it!

I did it using the Java way (with a standard JKS).

First create a JKS with the private key for your account and put in it all the 
needed certificates in the chain (both server and user). The CN of the user 
certificate should match the username used later.

Add to your JVM args:
-Djavax.net.ssl.trustStore=.../puppetdb.jks 
-Djavax.net.ssl.trustStorePassword=<JKS password> 
-Djavax.net.ssl.keyStore=.../puppetdb.jks 
-Djavax.net.ssl.keyStorePassword=<JKS password>

In case of problems, "-Djavax.net.debug=ssl,defaultctx" might help.

My database.ini is:
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb?ssl=true
log-slow-statements = 10
username = puppetdb

In pg_hba.conf, I added:
hostssl all        all      0.0.0.0/0       cert clientcert=1

And in postgresql.conf:
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'

The file root.crt contains all the needed certificates (both client and server).
The file server.crt contains only the server certificate.
The file server.key contains the private key.

Those 3 files are stored as PEM files.

org.postgresql.ssl.LibPQFactory is used if you want to mimic the psql client 
configuration and use PEM files instead of JKS; it takes the same arguments. 
Some documentation can be found at:
http://www.postgresql.org/docs/8.4/static/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
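The pg_hba.conf line above only enforces client certificates if no earlier rule matches the same client first: PostgreSQL evaluates pg_hba.conf top to bottom and uses the first matching line, so a plain "host ... md5" rule placed above the "hostssl ... cert clientcert=1" line silently takes over. The following script is an added example, not code from this thread or from PuppetDB or PostgreSQL; it parses pg_hba.conf rules (the common forms only, not sameuser/samerole/+role/@file), applies first-match semantics for a given database, user and client address, and reports which method would apply and whether a client certificate is required. The two rule sets and the client address 10.0.0.5 are constructed samples.

```python
"""Audit pg_hba.conf for a client-certificate-only policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HbaRule:
    conn_type: str                 # local | host | hostssl | hostnossl
    database: str
    user: str
    address: Optional[object]      # ip_network for host* rules, None for local
    method: str
    options: dict = field(default_factory=dict)
    line_no: int = 0


def parse_hba(text: str) -> list[HbaRule]:
    """Parse pg_hba.conf text into rules, keeping file order (first match wins)."""
    rules: list[HbaRule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # local DATABASE USER METHOD [OPTIONS]
            db, user, addr, method, opts = f[1], f[2], None, f[3], f[4:]
        elif "/" in f[3]:
            # host* DATABASE USER ADDRESS/PREFIX METHOD [OPTIONS]
            db, user, method, opts = f[1], f[2], f[4], f[5:]
            addr = ipaddress.ip_network(f[3], strict=False)
        else:
            # host* DATABASE USER ADDRESS NETMASK METHOD [OPTIONS]
            db, user, method, opts = f[1], f[2], f[5], f[6:]
            addr = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
        options = dict(o.split("=", 1) for o in opts)   # e.g. clientcert=1
        rules.append(HbaRule(f[0], db, user, addr, method, options, n))
    return rules


def _name_matches(pattern: str, name: str) -> bool:
    # 'all' matches anything; otherwise an exact name or a comma-separated list.
    return pattern == "all" or name in pattern.split(",")


def first_match(rules: list[HbaRule], database: str, user: str,
                client_ip: str, ssl: bool) -> Optional[HbaRule]:
    """Return the rule PostgreSQL would apply, or None (connection rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "local":             # only TCP clients are modelled
            continue
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if ip not in r.address:
            continue
        if not (_name_matches(r.database, database) and _name_matches(r.user, user)):
            continue
        return r
    return None


def requires_client_cert(rule: Optional[HbaRule]) -> bool:
    """True when the matched rule forces the client to present a certificate."""
    if rule is None:
        return False
    if rule.method == "cert":                  # cert auth always needs one
        return True
    return rule.options.get("clientcert") in ("1", "verify-ca", "verify-full")


def audit(text: str, database: str = "puppetdb", user: str = "puppetdb",
          client_ip: str = "10.0.0.5") -> dict:
    """Summarise what an SSL and a plaintext client would get for this identity."""
    rules = parse_hba(text)
    ssl_rule = first_match(rules, database, user, client_ip, ssl=True)
    plain_rule = first_match(rules, database, user, client_ip, ssl=False)
    return {
        "ssl_method": ssl_rule.method if ssl_rule else None,
        "ssl_requires_cert": requires_client_cert(ssl_rule),
        "plaintext_allowed": plain_rule is not None,
    }


# Constructed samples: the rule from the thread alone, and the same rule
# shadowed by a weaker, earlier line.
GOOD_HBA = "hostssl all        all      0.0.0.0/0       cert clientcert=1\n"
SHADOWED_HBA = (
    "host    all        all      0.0.0.0/0       md5\n"
    "hostssl all        all      0.0.0.0/0       cert clientcert=1\n"
)

if __name__ == "__main__":
    print("cert-only :", audit(GOOD_HBA))
    print("shadowed  :", audit(SHADOWED_HBA))
```

Run it against the real file with `audit(open("/path/to/pg_hba.conf").read())`; a healthy result for the puppetdb identity is `ssl_method` equal to `cert`, `ssl_requires_cert` true and `plaintext_allowed` false, which is what the single hostssl line in this thread produces.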


On 16 Jul 2014, at 17:05, Ken Barber <k...@puppetlabs.com> wrote:

> I wrote that document, at the time client based certificates weren't
> really supported or something like that.
> 
> Specifically not supporting client auth is hinted in the JDBC driver
> details here: http://jdbc.postgresql.org/documentation/head/ssl-factory.html
> 
> I seem to recall there being a problem with the current default
> SslFactory not allowing this kind of thing easily, but there is an
> alternate factory one can possibly use:
> 
> https://github.com/pgjdbc/pgjdbc/blob/master/org/postgresql/ssl/jdbc4/LibPQFactory.java
> 
> Sorry, the main documentation page doesn't contain details of this
> class, it's fairly unknown to most people - I had to go digging for it
> in source to find it.
> 
> This should in theory allow one to provide parameters in the JDBC url
> to provide a client certificate, but I've never seen it working yet
> (and we may not even ship a version of the jdbc driver that has this
> class :-).
> 
> The parameters gleaned from the source are:
> 
> sslmode,sslcert,sslkey,sslrootcert,sslhostnameverifier,sslpasswordcallback,sslpassword
> 
> So you could construct something like:
> 
> [database]
> classname = org.postgresql.Driver
> subprotocol = postgresql
> subname = 
> //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=<whatever>&sslcert=<whatever>
> ... etc ...
> username = <USERNAME>
> password = <PASSWORD>
> 
> But the details are something I'm not across sorry, you'll have to
> experiment on your own :-). Respond if you need more help, or if you
> make more progress.
> 
> ken.
> 
> On Wed, Jul 16, 2014 at 3:40 PM, Fabrice Bacchella
> <fbacche...@spamcop.net> wrote:
>> I'm trying to authenticate a puppetdb on a postgresql server using a client 
>> certificate.
>> 
>> I managed to set up SSL on server side without any problem but 
>> http://docs.puppetlabs.com/puppetdb/2.1/postgres_ssl.html says :
>> Note: At this point the documentation below only covers server-based SSL, 
>> client certificate support is not documented.
>> 
>> So did someone with a better knowledge of the postgresql jdbc connector 
>> try this and succeed?
>> 
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/1082A318-AA8C-4C47-BAE9-4A980DD1D4D6%40spamcop.net.
>> For more options, visit https://groups.google.com/d/optout.
