
Using podman/docker secrets to enable SSL for Postgres 15


I am trying to use podman/docker secrets for SSL certificates, but I keep getting SSL errors.

Here is the command I am using:

podman run \
  --detach \
  --restart on-failure:5 \
  --network some_network \
  --name postgres \
  --hostname postgres \
  --publish 5432:5432 \
  --mount type=volume,src=postgres,dst=/var/lib/postgresql/data \
  --secret SUPERUSER \
  --secret SUPERPASS \
  --secret server_key,mode=0600,target=/etc/ssl/server.key \
  --secret server_crt,mode=0600,target=/etc/ssl/server.crt \
  --env POSTGRES_USER_FILE=/run/secrets/SUPERUSER \
  --env POSTGRES_PASSWORD_FILE=/run/secrets/SUPERPASS \
  --env POSTGRES_DB=somedb \
  postgres:15 \
  -c ssl=on \
  -c ssl_cert_file=/etc/ssl/server.crt \
  -c ssl_key_file=/etc/ssl/server.key

and the log:

PostgreSQL Database directory appears to contain a database; Skipping initialization

2023-08-29 15:13:42.751 UTC [1] FATAL:  could not load server certificate file "/etc/ssl/server.crt": SSL error code 2147483661
2023-08-29 15:13:42.751 UTC [1] LOG:  database system is shut down

I checked in the container that the certificates are actually there, and they are, and they are readable. I also tried running with the --privileged flag in case SELinux is to blame, but it makes little difference.

All and any help is much appreciated! :)

Adding the commands to generate the cert and key as well:

openssl req -new -nodes -text -out root.csr -keyout root.key -subj "/CN=root.yourdomain.com"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=dbhost.yourdomain.com"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 365 -CA root.crt -CAkey root.key -CAcreateserial -out server.crt

cat server.key | podman secret create server_key -
cat server.crt | podman secret create server_crt -
Does it work if you add `,uid=999,gid=999` to the __--secret__ option? uid=999 was found [here](https://github.com/docker-library/postgres/blob/2f0ed0c7e8f8b05b294740f150397eec0af8dc50/15/bookworm/Dockerfile#L13)
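As an added example (not from the post or from the postgres image), a POSIX shell script that decodes the numeric "SSL error code" the way OpenSSL 3 packs OS errors, and checks whether a secret file with a given owner and mode is readable by the uid/gid the server runs as. It assumes the image runs the server as 999:999 (the Dockerfile linked in the comment above); the sample values are constructed to match the post.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes PostgreSQL's raw "SSL error code"
# and checks mounted secret files against the uid/gid the server runs as.
# Assumption: the postgres image runs the server as 999:999. Values are constructed.

# OpenSSL 3 stores an OS error as ERR_SYSTEM_FLAG (0x80000000 = 2147483648) | errno,
# and ERR_reason_error_string() returns NULL for it, so PostgreSQL prints the raw number.
decode_ssl_code() {
  if [ "$1" -ge 2147483648 ]; then
    e=$(( $1 - 2147483648 ))
    case "$e" in
      2)  n=ENOENT ;;   # no such file
      13) n=EACCES ;;   # permission denied
      *)  n=unknown ;;
    esac
    echo "errno $e ($n)"
  else
    echo "library error"
  fi
}

# Can a process running as uid $1 / gid $2 read a file owned by uid $3 / gid $4
# with octal mode $5? Plain owner/group/other read bits only (no ACLs, no SELinux).
file_readable_by() {
  mode=$(( 0$5 ))
  if [ "$1" -eq 0 ]; then echo readable; return 0; fi
  if [ "$1" -eq "$3" ]; then bit=256        # 0400, owner read
  elif [ "$2" -eq "$4" ]; then bit=32       # 0040, group read
  else bit=4; fi                            # 0004, other read
  if [ $(( mode & bit )) -ne 0 ]; then echo readable; else echo unreadable; fi
}

# PostgreSQL also rejects ssl_key_file unless it is owned by the database user
# with no group/other bits (0600 or stricter), or by root with at most 0640.
key_file_acceptable() {   # args: db_uid owner_uid octal_mode
  mode=$(( 0$3 ))
  if [ "$2" -eq "$1" ] && [ $(( mode & 0077 )) -eq 0 ]; then echo accepted
  elif [ "$2" -eq 0 ] && [ $(( mode & 0037 )) -eq 0 ]; then echo accepted
  else echo rejected; fi
}

# The situation in the post: secrets mounted root-owned with mode 0600, server as 999:999.
decode_ssl_code 2147483661            # errno 13 (EACCES)
file_readable_by 999 999 0 0 600      # unreadable
file_readable_by 999 999 999 999 600  # readable
```

Inside the container, `stat -c '%u %g %a' /etc/ssl/server.crt` prints the owner uid, gid and octal mode to feed into file_readable_by.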