My Postgres database in GCP (Google Cloud Platform) only accepts connections over SSL.
I tried the following inside node.conf, but without success:
dataSourceProperties {
dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
dataSource.url = "jdbc:postgresql://db-private-ip:5432/my_node"
dataSource.ssl = true
dataSource.sslMode = verify-ca
dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
dataSource.sslKey = "/opt/corda/db-certs/client-key.pem"
dataSource.user = my_node_db_user
dataSource.password = my_pass
}
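I'm sure that the keys (sslMode, sslRootCert, sslCert and sslKey) in node.conf are acceptable (even though they are not mentioned in the Corda documentation), because I don't get any errors in the logs about those keys not being recognized.
I get this error when I try to start the node: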
[ERROR] 21:58:48+0000 [main] pool.HikariPool. - HikariPool-1 - Exception during pool initialization. [errorCode=zmhrwq, moreInformationAt=https://errors.corda.net/OS/4.3/zmhrwq]
[ERROR] 21:58:48+0000 [main] internal.NodeStartupLogging. - Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database.: Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database. [errorCode=18t70u2, moreInformationAt=https://errors.corda.net/OS/4.3/18t70u2]
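I tried adding ?ssl=true to the end of the data source URL, as suggested in (Azure Postgres Database requires SSL Connection from Corda), but that didn't fix the problem.
With the same values, I am also able to connect from my VM to the database using the psql client: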
psql "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem hostaddr=db-private-ip user=some-user dbname=some-pass"
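Answer 0 (score: 0)
It turns out that the JDBC driver cannot read the key from a PEM file; it has to be converted to a DER file using the following commands: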
openssl pkcs8 -topk8 -inform PEM -in client-key.pem -outform DER -nocrypt -out client-key.der
chmod 400 client-key.der
chown corda:corda client-key.der
More details here: https://github.com/pgjdbc/pgjdbc/issues/1364
So the correct configuration should look like this:
dataSourceProperties {
dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
dataSource.url = "jdbc:postgresql://db-private-ip:5432/db-name"
dataSource.ssl = true
dataSource.sslMode = verify-ca
dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
dataSource.sslKey = "/opt/corda/db-certs/client-key.der"
dataSource.user = db-user-name
dataSource.password = db-user-pass
}
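A pre-flight check for the file that dataSource.sslKey points at, added here as an example (it is not part of the original answer, Corda or pgjdbc): it tells a PEM key apart from the unencrypted PKCS#8 DER file that the openssl command above writes, and flags permissions looser than the chmod 400 used in the answer. The function names are hypothetical.

```python
import os
import stat

# Added example; classify_key and check_key_file are hypothetical helper names.
def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_key(data):
    """Classify private-key bytes by container format."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, _ = _read_tlv(data, 0)
        if tag != 0x30:                   # outer element must be a SEQUENCE
            return "unknown"
        first_tag, _, first_end = _read_tlv(data, start)
        if first_tag == 0x30:             # EncryptedPrivateKeyInfo (no -nocrypt)
            return "pkcs8-encrypted-der"
        if first_tag != 0x02:             # otherwise expect the version INTEGER
            return "unknown"
        second_tag, _, _ = _read_tlv(data, first_end)
    except ValueError:
        return "unknown"
    kinds = {0x30: "pkcs8-der", 0x02: "pkcs1-der", 0x04: "sec1-der"}
    return kinds.get(second_tag, "unknown")

def check_key_file(path):
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    if kind != "pkcs8-der":
        problems.append(f"format is {kind}, expected pkcs8-der")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible by group or others")
    return problems
```

Run against the original client-key.pem, `check_key_file` reports `format is pem, expected pkcs8-der`, which is the condition the answer identifies as the cause of the connection failure.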