Configuring PostgreSQL on CentOS 7.9 with SSL enabled

References:
Steps to enable SSL in pgsql
PostgreSQL: Documentation: 14: 19.9. Secure TCP/IP Connections with SSL

Note: I used PostgreSQL 14 here, but the same steps also work on PostgreSQL 9.6; I have not tested other versions.

1. Install openssl

First install openssl. To check whether it is already installed, type "openssl" at the shell and see whether you land in the openssl command prompt.
If it is already installed you can skip this step; otherwise install it with the following command:

yum install openssl

2. Generate the server certificate and key

[root@localhost ~]# su - postgres
上一次登录:五 331 13:50:49 CST 2023pts/1 上
-bash-4.2$ cd /home/pgsql_data/
-bash-4.2$ ls
base              log           pg_hba.conf    pg_multixact  pg_serial     pg_stat_tmp  pg_twophase  pg_xact               postmaster.opts
current_logfiles  pg_commit_ts  pg_ident.conf  pg_notify     pg_snapshots  pg_subtrans  PG_VERSION   postgresql.auto.conf  postmaster.pid
global            pg_dynshmem   pg_logical     pg_replslot   pg_stat       pg_tblspc    pg_wal       postgresql.conf
-bash-4.2$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
-bash-4.2$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
-bash-4.2$ chmod 400 server.key
-bash-4.2$ chown postgres:postgres server.key
-bash-4.2$ ll
总用量 72
drwx------ 5 postgres postgres    41 817 2022 base
-rw------- 1 postgres postgres    30 410 00:00 current_logfiles
drwx------ 2 postgres postgres  4096 331 13:44 global
drwx------ 2 postgres postgres   188 823 2022 log
drwx------ 2 postgres postgres     6 817 2022 pg_commit_ts
drwx------ 2 postgres postgres     6 817 2022 pg_dynshmem
-rw------- 1 postgres postgres  4821 817 2022 pg_hba.conf
-rw------- 1 postgres postgres  1636 817 2022 pg_ident.conf
drwx------ 4 postgres postgres    68 331 16:06 pg_logical
drwx------ 4 postgres postgres    36 817 2022 pg_multixact
drwx------ 2 postgres postgres     6 817 2022 pg_notify
drwx------ 2 postgres postgres     6 817 2022 pg_replslot
drwx------ 2 postgres postgres     6 817 2022 pg_serial
drwx------ 2 postgres postgres     6 817 2022 pg_snapshots
drwx------ 2 postgres postgres     6 817 2022 pg_stat
drwx------ 2 postgres postgres    63 410 15:54 pg_stat_tmp
drwx------ 2 postgres postgres    18 817 2022 pg_subtrans
drwx------ 2 postgres postgres     6 331 13:51 pg_tblspc
drwx------ 2 postgres postgres     6 817 2022 pg_twophase
-rw------- 1 postgres postgres     3 817 2022 PG_VERSION
drwx------ 3 postgres postgres    60 817 2022 pg_wal
drwx------ 2 postgres postgres    18 817 2022 pg_xact
-rw------- 1 postgres postgres    88 817 2022 postgresql.auto.conf
-rw------- 1 postgres postgres 28762 817 2022 postgresql.conf
-rw------- 1 postgres postgres    51 331 13:44 postmaster.opts
-rw------- 1 postgres postgres    90 331 13:44 postmaster.pid
-r-------- 1 postgres postgres   887 413 19:47 server.key
-bash-4.2$ openssl req -new -key server.key -days 3650 -out server.crt -x509
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ZAXY
Organizational Unit Name (eg, section) []:ZAXY
Common Name (eg, your name or your server’s hostname) []:
Email Address []:
-bash-4.2$
-bash-4.2$ cp server.crt root.crt
-bash-4.2$ ll
总用量 80
drwx------ 5 postgres postgres    41 817 2022 base
-rw------- 1 postgres postgres    30 410 00:00 current_logfiles
drwx------ 2 postgres postgres  4096 331 13:44 global
drwx------ 2 postgres postgres   188 823 2022 log
drwx------ 2 postgres postgres     6 817 2022 pg_commit_ts
drwx------ 2 postgres postgres     6 817 2022 pg_dynshmem
-rw------- 1 postgres postgres  4821 817 2022 pg_hba.conf
-rw------- 1 postgres postgres  1636 817 2022 pg_ident.conf
drwx------ 4 postgres postgres    68 331 16:06 pg_logical
drwx------ 4 postgres postgres    36 817 2022 pg_multixact
drwx------ 2 postgres postgres     6 817 2022 pg_notify
drwx------ 2 postgres postgres     6 817 2022 pg_replslot
drwx------ 2 postgres postgres     6 817 2022 pg_serial
drwx------ 2 postgres postgres     6 817 2022 pg_snapshots
drwx------ 2 postgres postgres     6 817 2022 pg_stat
drwx------ 2 postgres postgres    63 410 15:54 pg_stat_tmp
drwx------ 2 postgres postgres    18 817 2022 pg_subtrans
drwx------ 2 postgres postgres     6 331 13:51 pg_tblspc
drwx------ 2 postgres postgres     6 817 2022 pg_twophase
-rw------- 1 postgres postgres     3 817 2022 PG_VERSION
drwx------ 3 postgres postgres    60 817 2022 pg_wal
drwx------ 2 postgres postgres    18 817 2022 pg_xact
-rw------- 1 postgres postgres    88 817 2022 postgresql.auto.conf
-rw------- 1 postgres postgres 28762 817 2022 postgresql.conf
-rw------- 1 postgres postgres    51 331 13:44 postmaster.opts
-rw------- 1 postgres postgres    90 331 13:44 postmaster.pid
-rw-r--r-- 1 postgres postgres   875 413 19:48 root.crt
-rw-r--r-- 1 postgres postgres   875 413 19:48 server.crt
-r-------- 1 postgres postgres   887 413 19:47 server.key

3. Change the SSL-related configuration

Edit postgresql.conf: set ssl to on, and set ssl_cert_file and ssl_key_file to the paths of the corresponding files.

-bash-4.2$ vi postgresql.conf 
# Change the following three lines; adjust the paths to your environment
ssl = on
ssl_cert_file = '/home/pgsql_data/server.crt'
ssl_key_file = '/home/pgsql_data/server.key'

Edit pg_hba.conf and add a rule permitting SSL connections; here I allow all IPv4 addresses.

-bash-4.2$ vi pg_hba.conf 
# Add the following line
hostssl	all		all		0.0.0.0/0		md5
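The following is an added example and not part of the original post: a small POSIX shell lint for the two files edited in this step. It checks that ssl is on and that the certificate and key paths are set, and then counts pg_hba.conf rules that undo the new hostssl rule: plain host or hostnossl rules (host matches TLS and non-TLS clients alike, so such a rule still admits cleartext connections) and rules whose method is trust or password. The sample files it writes are constructed for the demo; they contain the post's own settings plus hypothetical extra rules.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for the two files
# edited in this step. The sample contents written by make_demo_files are
# constructed for the demo; point the functions at the real files under the
# data directory to check a live installation.
set -eu

# Effective value of a postgresql.conf setting: the last uncommented
# "name = value" line (spaced as in the post), quotes and trailing comment stripped.
conf_value() {   # conf_value FILE NAME
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        $1 == name && $2 == "=" { v = $3; sub(/#.*/, "", v); gsub(/\047/, "", v); last = v }
        END { print last }' "$1"
}

# Returns 0 when ssl is on and both certificate and key paths are set,
# which is exactly what the post asks the reader to change.
check_ssl_conf() {   # check_ssl_conf postgresql.conf
    [ "$(conf_value "$1" ssl)" = "on" ] || { echo "ssl is not on" >&2; return 1; }
    for k in ssl_cert_file ssl_key_file; do
        [ -n "$(conf_value "$1" "$k")" ] || { echo "$k is unset" >&2; return 1; }
    done
}

# Number of pg_hba.conf rules that still admit TCP clients without TLS.
# A hostssl rule does nothing for clients that an earlier or broader
# "host" rule matches, because "host" accepts SSL and non-SSL connections.
count_plaintext_rules() {   # count_plaintext_rules pg_hba.conf
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         $1 == "host" || $1 == "hostnossl" { n++ }
         END { print n + 0 }' "$1"
}

# Number of rules whose method sends or skips the secret outright (trust,
# password). The post's md5 works, but scram-sha-256 is the PG14 default
# and is what a new rule should use. Assumes the single-field CIDR address
# form used in the post, so the method is field 5 (field 4 for "local").
count_weak_auth_rules() {   # count_weak_auth_rules pg_hba.conf
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         { m = ($1 == "local") ? $4 : $5 }
         m == "trust" || m == "password" { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample files: the post's settings plus two rules that undo them.
make_demo_files() {   # make_demo_files DIR
    cat > "$1/postgresql.conf" <<'EOF'
#ssl = off
ssl = on
ssl_cert_file = '/home/pgsql_data/server.crt'   # path used in the post
ssl_key_file = '/home/pgsql_data/server.key'
EOF
    cat > "$1/pg_hba.conf" <<'EOF'
# TYPE      DATABASE  USER  ADDRESS      METHOD
local       all       all                peer
hostssl     all       all   0.0.0.0/0    md5
host        all       all   10.0.0.0/8   trust
hostnossl   all       all   0.0.0.0/0    password
EOF
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_demo_files "$d"
    check_ssl_conf "$d/postgresql.conf" && echo "ssl settings: ok"
    echo "rules admitting plaintext TCP: $(count_plaintext_rules "$d/pg_hba.conf")"
    echo "rules with trust/password:     $(count_weak_auth_rules "$d/pg_hba.conf")"
fi
```

Run it as `sh pg_hba_lint.sh demo` to see the result on the constructed files (two plaintext rules, two weak-auth rules), or call the functions on the real postgresql.conf and pg_hba.conf. Keep in mind that PostgreSQL uses the first matching pg_hba.conf record, so a host rule placed above the hostssl rule wins for every client it matches.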

4. Generate the client certificate and key

This part is only needed if you want client certificates; skip it otherwise. I did not end up using them, but I generated them in advance to have on hand.

-bash-4.2$ openssl genrsa -des3 -out postgresql.key 1024
Generating RSA private key, 1024 bit long modulus
.................++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for postgresql.key:
Verifying - Enter pass phrase for postgresql.key:
-bash-4.2$ openssl rsa -in postgresql.key -out postgresql.key
Enter pass phrase for postgresql.key:
writing RSA key
-bash-4.2$ ll
总用量 84
drwx------ 5 postgres postgres    41 817 2022 base
-rw------- 1 postgres postgres    30 410 00:00 current_logfiles
drwx------ 2 postgres postgres  4096 331 13:44 global
drwx------ 2 postgres postgres   188 823 2022 log
drwx------ 2 postgres postgres     6 817 2022 pg_commit_ts
drwx------ 2 postgres postgres     6 817 2022 pg_dynshmem
-rw------- 1 postgres postgres  4854 413 19:49 pg_hba.conf
-rw------- 1 postgres postgres  1636 817 2022 pg_ident.conf
drwx------ 4 postgres postgres    68 331 16:06 pg_logical
drwx------ 4 postgres postgres    36 817 2022 pg_multixact
drwx------ 2 postgres postgres     6 817 2022 pg_notify
drwx------ 2 postgres postgres     6 817 2022 pg_replslot
drwx------ 2 postgres postgres     6 817 2022 pg_serial
drwx------ 2 postgres postgres     6 817 2022 pg_snapshots
drwx------ 2 postgres postgres     6 817 2022 pg_stat
drwx------ 2 postgres postgres    63 410 15:54 pg_stat_tmp
drwx------ 2 postgres postgres    18 817 2022 pg_subtrans
drwx------ 2 postgres postgres     6 331 13:51 pg_tblspc
drwx------ 2 postgres postgres     6 817 2022 pg_twophase
-rw------- 1 postgres postgres     3 817 2022 PG_VERSION
drwx------ 3 postgres postgres    60 817 2022 pg_wal
drwx------ 2 postgres postgres    18 817 2022 pg_xact
-rw------- 1 postgres postgres    88 817 2022 postgresql.auto.conf
-rw------- 1 postgres postgres 28765 413 19:49 postgresql.conf
-rw-r--r-- 1 postgres postgres   891 413 19:50 postgresql.key
-rw------- 1 postgres postgres    51 331 13:44 postmaster.opts
-rw------- 1 postgres postgres    90 331 13:44 postmaster.pid
-rw-r--r-- 1 postgres postgres   875 413 19:48 root.crt
-rw-r--r-- 1 postgres postgres   875 413 19:48 server.crt
-r-------- 1 postgres postgres   887 413 19:47 server.key
-bash-4.2$ openssl req -new -key postgresql.key -out postgresql.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ZAXY
Organizational Unit Name (eg, section) []:ZAXY
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-bash-4.2$ openssl x509 -req -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
Signature ok
subject=/C=BJ/ST=BJ/L=BJ/O=ZAXY/OU=ZAXY
Getting CA Private Key
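As an added example that is not code from the original post, the script below automates sections 2 and 4 with the changes a practitioner would want: a dedicated CA instead of reusing server.crt as root.crt (so the server key is not also the signing key), 2048-bit keys instead of 1024-bit, a CN and subjectAltName on the server certificate so clients can use sslmode=verify-full (the transcript leaves Common Name blank, and with no name in the certificate that mode cannot succeed), a CN on the client certificate equal to the database role (what the cert authentication method compares against), and keys created 0600 (the transcript's postgresql.key ends up 0644, which libpq refuses to load). The output directory, hostname and role name are hypothetical values. Keys are generated without a passphrase, as in the post, because the server must open its key unattended; ssl_passphrase_command in postgresql.conf is the alternative if that is not acceptable.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA, a server
# certificate and a client certificate for PostgreSQL, with the key size,
# hostname binding, file permissions and verification step the post's
# transcript leaves out. Hypothetical values: OUT is the output directory
# (the post uses /home/pgsql_data), SERVER_NAME the DNS name clients
# connect to, CLIENT_ROLE the database role the client certificate is for.
set -eu

OUT="${OUT:-./pg_ssl_demo}"
SERVER_NAME="${SERVER_NAME:-db.example.internal}"   # constructed
CLIENT_ROLE="${CLIENT_ROLE:-appuser}"               # constructed
DAYS="${DAYS:-365}"
BITS=2048          # the post uses 1024; 2048 is the current minimum for RSA

gen_pki() {
    mkdir -p "$OUT"
    (
        cd "$OUT"
        umask 077      # every key is created 0600; certificates are relaxed below

        # 1. A dedicated CA. The post copies server.crt to root.crt, so the
        #    server key is also the signing key; a separate CA keeps the
        #    signing key off the database host.
        openssl genrsa -out root.key "$BITS" 2>/dev/null
        openssl req -new -x509 -key root.key -days "$DAYS" \
            -subj "/CN=demo-pg-ca" -out root.crt

        # 2. Server certificate. CN and subjectAltName must equal the host=
        #    value clients use, or sslmode=verify-full cannot succeed.
        openssl genrsa -out server.key "$BITS" 2>/dev/null
        openssl req -new -key server.key -subj "/CN=$SERVER_NAME" -out server.csr
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
            "$SERVER_NAME" > server.ext
        openssl x509 -req -in server.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -days "$DAYS" -extfile server.ext \
            -out server.crt 2>/dev/null

        # 3. Client certificate. With the "cert" auth method PostgreSQL
        #    matches the certificate CN against the role name.
        openssl genrsa -out postgresql.key "$BITS" 2>/dev/null
        openssl req -new -key postgresql.key -subj "/CN=$CLIENT_ROLE" \
            -out postgresql.csr
        printf 'extendedKeyUsage=clientAuth\n' > postgresql.ext
        openssl x509 -req -in postgresql.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -days "$DAYS" -extfile postgresql.ext \
            -out postgresql.crt 2>/dev/null

        rm -f server.csr server.ext postgresql.csr postgresql.ext
        chmod 644 root.crt server.crt postgresql.crt   # certificates are public
    )
}

# Succeeds only if both leaf certificates chain to root.crt, every private
# key is unreadable by group and others (libpq rejects a looser client key)
# and the server certificate carries the expected DNS name.
verify_pki() {
    openssl verify -CAfile "$OUT/root.crt" "$OUT/server.crt" "$OUT/postgresql.crt" >/dev/null || return 1
    for k in root.key server.key postgresql.key; do
        [ "$(ls -l "$OUT/$k" | cut -c5-10)" = "------" ] || { echo "$k is too permissive" >&2; return 1; }
    done
    openssl x509 -in "$OUT/server.crt" -noout -text | grep -q "DNS:$SERVER_NAME"
}

# libpq connection string that encrypts, authenticates the server and
# presents the client certificate; the post's transcript does none of this
# on the client side (libpq's default sslmode=prefer skips server checks).
client_conninfo() {   # client_conninfo DBNAME
    printf 'host=%s dbname=%s user=%s sslmode=verify-full sslrootcert=%s sslcert=%s sslkey=%s\n' \
        "$SERVER_NAME" "$1" "$CLIENT_ROLE" "$OUT/root.crt" "$OUT/postgresql.crt" "$OUT/postgresql.key"
}

if [ "${1:-}" = "run" ]; then
    gen_pki && verify_pki && echo "PKI written to $OUT" && client_conninfo postgres
fi
```

Run it as `sh pg_ssl_pki.sh run`, copy server.crt and server.key into the data directory and root.crt to each client, and after the restart in section 5 connect with the string client_conninfo prints. In that session `SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();` confirms the connection is actually encrypted. If the server should also verify client certificates, set ssl_ca_file = 'root.crt' in postgresql.conf and use the cert method in the hostssl rule.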

5. Restart the database

-bash-4.2$ /usr/pgsql-14/bin/pg_ctl -D /home/pgsql_data/ -l /home/pgsql_log/pgsql.log restart
等待服务器进程关闭 .... 完成
服务器进程已经关闭
正在启动服务器进程

Questions and corrections are welcome!
