Configuration for location of certs of postgres in ssl with CA mode #3817

Closed
nishanthmehta opened this issue Feb 22, 2018 · 5 comments · Fixed by #5068
Labels
area/postgresql feature request Requests for new plugin and for new features to existing plugins

Comments

@nishanthmehta

Hi Team

I am trying to configure my postgres in ssl mode with client authentication.
But in the telegraf configuration I am unable to see any setting which specifies the location of the client cert key.
Does the plugin support postgres in ssl mode with client authentication?

@suckatrash

I'm looking for info on this too

danielnelson added the area/postgresql and feature request labels on Nov 21, 2018
@danielnelson
Contributor

I believe these options must be set via the connection string via the address option. I have not tested it myself but the locations appear to be defined in https://www.postgresql.org/docs/9.4/libpq-connect.html#LIBPQ-PARAMKEYWORDS under sslkey, sslcert.

Telegraf's home directory may be different depending on the package you are using. I don't recommend relying on it, and would instead use absolute paths to these files. It should look something like this:

address = "host=localhost user=postgres sslmode=require sslkey=/etc/telegraf/postgresql.key sslcert=/etc/telegraf/postgresql.crt"

Make sure you have the correct permissions on these files; on Linux the telegraf user will need read access.

I haven't tested this myself though, could you let me know if that does the trick so we can add it to the plugin documentation?

@suckatrash

Thanks @danielnelson, I gave it a shot but without any luck.

What's odd is that I can connect with the same set of certificates that I'm using in telegraf with the standard postgres client.

In other words this works:

psql "host=pe-201813-master.puppetdebug.vlan \
user=telegraf dbname=pe-puppetdb sslmode=require \
sslkey=/etc/telegraf/grafana-server.platform9.puppet.net.private_key.pem \
sslcert=/etc/telegraf/grafana-server.platform9.puppet.net.public_key.pem \
sslrootcert=/etc/telegraf/ca.pem"

I'm using the exact same string in telegraf:

address = 'host=pe-201813-master.puppetdebug.vlan user=telegraf dbname=pe-puppetdb sslmode=require sslkey=/etc/telegraf/grafana-server.platform9.puppet.net.private_key.pem sslcert=/etc/telegraf/grafana-server.platform9.puppet.net.public_key.pem sslrootcert=/etc/telegraf/ca.pem'

But the telegraf connections result in this on the postgres side:

2018-11-29 22:20:50.174 UTC [db:pe-puppetdb,sess:5c006642.38d9,pid:14553,vtid:92/779,tid:0] FATAL: connection requires a valid client certificate

Permissions on the files reachable (and owned) by the telegraf user:

su - telegraf -s /bin/bash -c "ls -latr /etc/telegraf/*.pem"
-r--------. 1 telegraf telegraf 3243 Nov 29 00:14 /etc/telegraf/grafana-server.platform9.puppet.net.private_key.pem
-r--------. 1 telegraf telegraf 2069 Nov 29 05:09 /etc/telegraf/grafana-server.platform9.puppet.net.public_key.pem
-r--------. 1 telegraf telegraf 3953 Nov 29 22:24 /etc/telegraf/ca.pem

@suckatrash

Is it possible that the telegraf input isn't parsing the sslcert option correctly?

I get the same error with the psql client if I leave it out:

psql "host=pe-201813-master.puppetdebug.vlan user=telegraf dbname=pe-puppetdb sslmode=require sslkey=/etc/telegraf/grafana-server.platform9.puppet.net.private_key.pem sslrootcert=/etc/telegraf/ca.pem"
psql: FATAL:  connection requires a valid client certificate

@danielnelson
Contributor

It looks like we need to update pgx to 3.2.0 for this support: jackc/pgx@8078930

I can open a PR with the updated version for testing
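
Added example, not part of the thread and not Telegraf or pgx code: a preflight check for the `address` string discussed above, covering the local causes raised in the comments (missing `sslcert` or `sslkey`, relative paths, files the current user cannot read) plus a loose-permission check on the private key. The function name `checkClientCertDSN` is hypothetical, and the check assumes keyword=value pairs without spaces or quoting.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// checkClientCertDSN (hypothetical helper) lists local problems that would stop
// client-certificate auth. Assumes keyword=value pairs without spaces or quotes.
func checkClientCertDSN(dsn string) []string {
	kv, problems := map[string]string{}, []string{}
	for _, f := range strings.Fields(dsn) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	for _, k := range []string{"sslcert", "sslkey", "sslrootcert"} {
		p, ok := kv[k]
		switch {
		case !ok && k == "sslrootcert": // the CA file is treated as optional here
		case !ok:
			problems = append(problems, k+" is missing")
		case !filepath.IsAbs(p):
			problems = append(problems, k+" is not an absolute path")
		default:
			f, err := os.Open(p) // only meaningful when run as the telegraf user
			if err != nil {
				problems = append(problems, k+" is not readable by this user")
				break
			}
			info, err := f.Stat()
			f.Close()
			if err == nil && k == "sslkey" && info.Mode().Perm()&0o077 != 0 {
				problems = append(problems, "sslkey is group/world accessible")
			}
		}
	}
	return problems
}

func main() {
	// Address string quoted from the thread; run this as the telegraf user.
	dsn := "host=localhost user=postgres sslmode=require sslkey=/etc/telegraf/postgresql.key sslcert=/etc/telegraf/postgresql.crt"
	for _, p := range checkClientCertDSN(dsn) {
		fmt.Println("problem:", p)
	}
}
```

A clean result only rules out local file problems; it cannot show whether the driver in use actually honours `sslcert` and `sslkey`, which is the cause the last comment points to.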
