
Issue

I’m trying to configure the BarmanObjectStoreConfiguration for my Cloud Native PostgreSQL (CNPG) deployment, but I’m encountering an SSL validation error. Here’s the error message I’m getting:

"SSL validation failed for <S3_ENDPOINT/BUCKET> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1123)"

Version

  • PostgreSQL: imageName: ghcr.io/cloudnative-pg/postgresql:16.0
  • CNPG Operator Helm Chart: 0.19.1
  • CNPG Operator: 1.21.1

What I did?

I have set up the barmanObjectStore configuration in my CNPG Cluster YAML file as follows:

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cnpg-db
spec:
  backup:
    barmanObjectStore:
      destinationPath: "s3://<BUCKET_NAME>"
      endpointURL: https://<ENDPOINT>
      endpointCA: # Seems to do nothing?
        name: cnpg-s3-cred-password
        key: CA_CERT
      s3Credentials:
        accessKeyId:
          name: cnpg-s3-cred-password
          key: ACCESS_KEY_ID
        secretAccessKey:
          name: cnpg-s3-cred-password
          key: ACCESS_SECRET_KEY
      wal:
        compression: gzip
        encryption: AES256
      data:
        compression: gzip
        encryption: AES256
    retentionPolicy: 30d
  env: # Trying to manually set CA_BUNDLE because the parameter doesn't work
    - name: REQUESTS_CA_BUNDLE # Supposed to be used with Azure Blob Storage
      valueFrom:
        secretKeyRef:
          name: cnpg-s3-cred-password
          key: CA_CERT
    - name: AWS_CA_BUNDLE # Supposed to be used with AWS S3 (or compatible services)
      valueFrom:
        secretKeyRef:
          name: cnpg-s3-cred-password
          key: CA_CERT

I have verified that the cnpg-s3-cred-password secret contains the correct CA certificate, access key ID, and secret access key. I’m not sure what I’m missing or doing wrong.

Could someone please help me resolve this SSL validation error and successfully configure the barmanBackupConfig for my CNPG deployment? Any help would be greatly appreciated. Thank you!

2 Answers


  1. Chosen as BEST ANSWER

    I finally found a solution to my issue: the AWS_CA_BUNDLE should be the path to the CA cert file (according to the Boto documentation: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#using-environment-variables), and the endpointCA parameter is just in charge of dropping the CA into /run/certificates/backup-barman-ca.crt.

    So the solution was to:

    • set AWS_CA_BUNDLE=/run/certificates/backup-barman-ca.crt

    Here is the corrected yaml:

    apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
    metadata:
      name: cnpg-db
    spec:
      backup:
        barmanObjectStore:
          destinationPath: "s3://<BUCKET_NAME>"
          endpointURL: https://<ENDPOINT>
          endpointCA:
            name: cnpg-s3-cred-password
            key: CA_CERT
          s3Credentials:
            accessKeyId:
              name: cnpg-s3-cred-password
              key: ACCESS_KEY_ID
            secretAccessKey:
              name: cnpg-s3-cred-password
              key: ACCESS_SECRET_KEY
          wal:
            compression: gzip
            encryption: AES256
          data:
            compression: gzip
            encryption: AES256
        retentionPolicy: 30d
      env:
        - name: AWS_CA_BUNDLE
          value: /run/certificates/backup-barman-ca.crt

  2. You need to make sure the certificate provided at endpointCA has the full certificate chain if it’s not using public CAs.

    If you have requestAutoCert (enabled by default) in your MinIO Tenant the certificate will be signed by the Kubernetes self-signed CA.

    The certificate for that CA is automatically available in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but that’s not helpful in our case as we cannot instruct the machine to use it. You can alternatively retrieve it from the kube-root-ca.crt ConfigMap in the kube-system namespace.

    The following would create a kube-root-ca.crt secret in your namespace containing the only certificate needed under the ca.crt key that you can then expose via the endpointCA option.

    kubectl -n $NAMESPACE create secret generic kube-root-ca.crt --from-literal=ca.crt="$(kubectl -n kube-system get configmaps kube-root-ca.crt -o jsonpath='{.data.ca.crt}')" --dry-run=client -o yaml | kubectl apply -f -
    

    I’m using the CloudNativePG cluster chart and the following configuration was all I needed:

    mode: standalone
    cluster:
      instances: 1
    backups:
      enabled: true
      provider: s3
      endpointURL: "https://minio.minio.svc.cluster.local"
      endpointCA:
        name: kube-root-ca.crt
        key: ca.crt
      wal:
        encryption: ""
      data:
        encryption: ""
      s3:
        bucket: "mybucket"
        path: "/v1"
        accessKey: "minio"
        secretKey: "minio123"
        region: "local"
    

    Note that it doesn’t need AWS_CA_BUNDLE and from what I can tell the environment variable has no effect.

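A small preflight script for the two points the answers make, added here as an example; it is not part of the original thread and not CNPG's or Barman's own code. It treats AWS_CA_BUNDLE as a file path rather than certificate text (the accepted answer's point: a secretKeyRef injects the PEM contents, which botocore cannot use) and checks that a PEM bundle given to endpointCA carries a complete chain up to a self-signed root (this answer's point; a gap shows up as the "unable to get issuer certificate" error in the question). The path /run/certificates/backup-barman-ca.crt is taken from the accepted answer. The certificates built by fake_cert_pem() are constructed, unsigned DER skeletons so the script runs offline, not real certificates; against a real bundle you would pass the file's bytes to chain_problems().

```python
"""Preflight checks for a Barman/CNPG S3 endpoint CA setup (added example, not CNPG code).
Check 1: AWS_CA_BUNDLE must name a PEM file; botocore reads a path, not certificate text.
Check 2: the PEM bundle must be a complete chain ending in a self-signed root, otherwise
         verification fails with "unable to get issuer certificate".
The sample certificates are constructed, unsigned DER skeletons so the script runs offline."""
import base64
import os
import re
import tempfile

# Path CNPG writes the endpointCA secret key to, as reported in the accepted answer.
CNPG_CA_PATH = "/run/certificates/backup-barman-ca.crt"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, i):
    """Read one DER TLV at offset i; return (tag, value, offset after the value)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def issuer_and_subject(der):
    """Return (issuer Name DER, subject Name DER) of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # TBSCertificate SEQUENCE
    tag, _, i = _tlv(tbs, 0)
    i = i if tag == 0xA0 else 0            # skip the optional [0] EXPLICIT version
    _, _, i = _tlv(tbs, i)                 # serialNumber
    _, _, i = _tlv(tbs, i)                 # signature AlgorithmIdentifier
    _, issuer, i = _tlv(tbs, i)            # issuer Name
    _, _, i = _tlv(tbs, i)                 # validity
    _, subject, _ = _tlv(tbs, i)           # subject Name
    return bytes(issuer), bytes(subject)


def chain_problems(pem_bytes):
    """Report certificates whose issuer is missing from the bundle; [] means the chain is complete."""
    parsed = [issuer_and_subject(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_bytes)]
    if not parsed:
        return ["bundle contains no PEM certificate"]
    subjects = {subject for _, subject in parsed}
    return ["certificate #%d: issuer not in bundle (client would report "
            "'unable to get issuer certificate')" % n
            for n, (issuer, subject) in enumerate(parsed, 1)
            if issuer != subject and issuer not in subjects]


def ca_bundle_env_problems(env, exists=os.path.isfile):
    """Check how AWS_CA_BUNDLE is set; botocore expects a file path, not PEM text."""
    value = env.get("AWS_CA_BUNDLE")
    if value is None:
        return []                          # unset: the client uses its default trust store
    if value.lstrip().startswith("-----BEGIN"):
        return ["AWS_CA_BUNDLE holds certificate text, not a path; point it at a file "
                "such as %s" % CNPG_CA_PATH]
    if not exists(value):
        return ["AWS_CA_BUNDLE points to %s, which does not exist" % value]
    return []


def _der(tag, body):
    """Encode one DER TLV (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(subject, issuer):
    """Constructed, unsigned certificate skeleton with only the fields the parser reads."""
    name = lambda text: _der(0x30, _der(0x0C, text.encode()))   # stand-in for an X.509 Name
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, _der(0x30, tbs))      # Certificate { tbsCertificate } without a signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()


def demo():
    """Run both checks on constructed bundles and env settings; returns the findings."""
    root = fake_cert_pem("Example Root CA", "Example Root CA")        # self-signed
    issuing = fake_cert_pem("Example Issuing CA", "Example Root CA")  # signed by the root
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as f:
        f.write(issuing + root)
        path = f.name
    try:
        return {
            "complete_chain": chain_problems((issuing + root).encode()),
            "truncated_chain": chain_problems(issuing.encode()),      # root missing
            "env_pem_text": ca_bundle_env_problems({"AWS_CA_BUNDLE": issuing}),
            "env_path": ca_bundle_env_problems({"AWS_CA_BUNDLE": path}),
            "env_bad_path": ca_bundle_env_problems({"AWS_CA_BUNDLE": path + ".missing"}),
        }
    finally:
        os.unlink(path)
```

Calling demo() returns an empty list for the complete chain and for the path-based env setting, and one finding each for the truncated chain, the PEM-text env value and the missing file. On a real cluster the same checks apply to the bytes of the file mounted at /run/certificates/backup-barman-ca.crt, or to the ca.crt value pulled from the kube-root-ca.crt ConfigMap before it is turned into a secret: a root CA on its own passes, which is why the kube-root-ca.crt secret in this answer works, while an intermediate without its root does not.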