How to Setup PostgreSQL with SSL inside a Docker Container

Daniel Oluojomu on February 02, 2021

Hi guys, in this article I'll be sharing how to set up a PostgreSQL database that'll accept SSL connections only, inside a Docker container. ...
 
Neil Moore

There are a couple of typos, I think. The certificates generated are called postgresql.{key,crt} but the Dockerfile refers to them as server.{key,crt}

Daniel Oluojomu

Thanks a lot Neil!, fixed.

Richard Stanley • Edited
CMD [ "-c", "ssl=on" , "-c", "ssl_cert_file=/var/lib/postgresql/server.crt",

needs to be:

CMD [ "-c", "ssl=on" , "-c", "ssl_cert_file=/var/lib/postgresql/postgresqldb.crt",

and,

    "ssl_key_file=/var/lib/postgresql/server.key", "-c",\

needs to be:

    "ssl_key_file=/var/lib/postgresql/postgresqldb.key", "-c",\

thank you for putting this together - certstrap helped save a lot of time also - much appreciated. :-)

Daniel Oluojomu • Edited

Actually it's postgresdb., but thanks a lot Richard. I've fixed that also.

Almost a year since I wrote this. Need to put out something on cryptography again!

Richard Stanley

lol - my bad - it's so easy to mess up. :-)

Richard Stanley

...i wrote it correctly in the Containerfile - so... i don't know what's wrong with me today.

Daniel Oluojomu

Haha, i was asking myself the same thing after reading your comment.

Abdurrahman Shofy Adianto

Just want to add that the Debian/Ubuntu image already includes a self-signed certificate. So instead of generating it on your own, you could just use what's already available:

docker run \
  --rm \
  -e POSTGRES_PASSWORD=password \
  postgres:12 \
  -c ssl=on \
  -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem \
  -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

source: gist.github.com/mrw34/c97bb03ea105...

Daniel Oluojomu

Thanks Abdurrahman!

Ciarán

Daniel, first off I want to thank you for taking the time to write this up. I was able to eventually get an SSL PG DB up and running in my Docker environment.

A couple of things to point out especially for anyone else following this guide.

1)

You say...
"If you wish to keep the previous settings in the file change >> to >"

You have this backwards. If you only want to append to a file (keep previous settings) you use ">>" and if you want to clear the file and insert your piece, then you use ">"

2)

There is an extra "-c" in your snippet above. One of them needs to be removed to get this to work.

"-c",\
"-c"

3)

I had to add in some additional steps to the ssl-conf because my certs didn't get mapped correctly. This should of course be fixed in the dockerfile, but it was easier for my troubleshooting to just edit this file and continue to re-execute it.

echo 'ssl_ca_file='\''/var/lib/postgresql/data/CertAuth.crt'\''' >> /var/lib/postgresql/data/postgresql.conf
echo 'ssl_cert_file='\''/var/lib/postgresql/data/postgresdb.crt'\''' >> /var/lib/postgresql/data/postgresql.conf
echo 'ssl_key_file='\''/var/lib/postgresql/data/postgresdb.key'\''' >> /var/lib/postgresql/data/postgresql.conf

Other than that, I learned a tonne off your guide so thanks again! :D

_Naraic
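
Added example, not part of the comment above or of the original article: the file-name mismatches and repeated `>>` appends discussed in this thread can be caught with a small shell audit of postgresql.conf. The function names are hypothetical, and it assumes the data directory is the directory that holds the conf file and that settings are written as `name = value`.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit the TLS settings in a postgresql.conf.
# Assumption: the data directory is the directory that holds the conf file.

# Print the effective value of setting $2 in file $1. A repeated setting
# (e.g. lines appended with ">>") takes the value of its last occurrence.
effective_setting() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#]*\)'\{0,1\}.*/\1/p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when ssl is on and every referenced file is usable, 1 otherwise.
audit_ssl_conf() {
  conf=$1; rc=0
  [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }
  datadir=$(dirname "$conf")
  [ "$(effective_setting "$conf" ssl)" = on ] || { echo "FAIL ssl is not on"; rc=1; }
  for name in ssl_cert_file ssl_key_file ssl_ca_file; do
    path=$(effective_setting "$conf" "$name")
    n=$(grep -c "^[[:space:]]*$name[[:space:]]*=" "$conf" || true)
    if [ "$n" -gt 1 ]; then echo "WARN $name set $n times, using last: $path"; fi
    case $name:$path in
      ssl_ca_file:)   continue ;;            # unset: client certs are not verified
      ssl_cert_file:) path=server.crt ;;     # PostgreSQL default
      ssl_key_file:)  path=server.key ;;     # PostgreSQL default
    esac
    case $path in /*) ;; *) path=$datadir/$path ;; esac   # relative to data dir
    if [ ! -r "$path" ]; then echo "FAIL $name -> $path not readable"; rc=1; continue; fi
    if [ "$name" = ssl_key_file ]; then
      mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
      case $mode in
        600|400) ;;
        640|440) echo "WARN key mode $mode is accepted only for a root-owned key" ;;
        *) echo "FAIL key mode $mode; the server refuses group/world-accessible keys"; rc=1 ;;
      esac
    fi
  done
  return $rc
}
```

Source the file and call `audit_ssl_conf /var/lib/postgresql/data/postgresql.conf` inside the container as the postgres user, so the readability check reflects what the server process can open.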

Daniel Oluojomu

Thanks a lot Ciarán! I fixed all.

Alexey • Edited

Hello, thank you for the article.
Question:
I have a docker container with python which connects to postgres over psycopg2.
My goal is to make the connection ssl-secure. Do I need other keys, I mean client keys or something, for sslmode = require?
I have both containers described in docker-compose. I'm trying to implement your solution.
Thanks.

Daniel Oluojomu • Edited

Hi Alexey, yes you do need to request another keypair for the client. The last section in the article explains this.

Paulo Gomes da Cruz Junior

Hey man, nice article, I'm just worried about baking the certs into the image as it can be copied and this will be a problem.

Any tips on how to avoid this?

slidenerd • Edited

How would you run ssl-conf.sh if you had a docker-compose file that refers to this postgres dockerfile? Also, where are the client certs?