dcs-type: patroni and SSL patroni restapi ? #298

zejeanmi · 2025-03-12T10:44:43Z

zejeanmi
Mar 12, 2025

Hello

We currently use dcs-type: etcd. but we would like to switch to dcs-type: patroni to manage a vip for our replica as well.

Our patroni restapi uses SSL (and it's working fine with dcs-type: etcd)

restapi:
  listen: 0.0.0.0:8008
  connect_address: x.y.z.t:8008
  certfile: /home/postgres/cert/patroni-lab-xxx.pem
  keyfile: /home/postgres/cert/patroni-lab-xxx-key.pem
  cafile: /home/postgres/cert/xxxxxxx-ca.pem
  verify_client: required

We changed trigger-key, trigger-value, dcs-type, dcs-endpoints in vip-manager.yml but we left the previous etcd configuration part (it uses the same certificate files as in patroni.yml)

trigger-key: /leader
trigger-value: 200
dcs-type: patroni
dcs-endpoints:
  - https://127.0.0.1:8008/

etcd-user: etcd_patroni_user
etcd-password: nopassword
etcd-ca-file: /home/postgres/cert/xxxxxxx-ca.pem
etcd-cert-file: /home/postgres/cert/patroni-lab-xxx.pem
etcd-key-file: /home/postgres/cert/patroni-lab-xxx-key.pem

We get this error when we restart vip-manager service

ERROR        patroni REST API error:
Get "https://127.0.0.1:8008/leader": tls: failed to verify certificate: x509: certificate signed by unknown authority
vip-manager[378287]: github.com/cybertec-postgresql/vip-manager/checker.(*PatroniLeaderChecker).GetChangeNotificationStream
vip-manager[378287]:         /root/vip-manager/checker/patroni_leader_checker.go:34
vip-manager[378287]: main.main.func3
vip-manager[378287]:         /root/vip-manager/main.go:65

and we get this in patroni log (which seems consistent...)

self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] ssl/tls alert bad certificate (_ssl.c:1147)

So I understand that vip-manager does not use etcd-ca-file, etcd-cert-file, etcd-key-file to query patroni restapi with SSL.

Is there something wrong with my configuration ?
Is there a solution ?

Thank you in advance !

pashagolub · 2025-03-12T13:37:44Z

pashagolub
Mar 12, 2025
Maintainer

Patroni rest api checker uses the simplest call:

			r, err := http.Get(c.Endpoints[0] + c.TriggerKey)

Patches with TLS support are welcome!

1 reply

zejeanmi Mar 14, 2025
Author

I submitted pull request #299 that adds tls support for the patroni leader checker.
I tested it in my environment and it seems to work well with both http and https, and both /leader and /asynchronous keys.

Disclaimer : I'm a dba, not a go developer. It seemed feasible, and I got some help from Claude. ;-). Thanks !

zejeanmi · 2025-03-19T07:11:14Z

zejeanmi
Mar 19, 2025
Author

The pull request was accepted.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

dcs-type: patroni and SSL patroni restapi ? #298

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

dcs-type: patroni and SSL patroni restapi ? #298

Uh oh!

zejeanmi Mar 12, 2025

Replies: 2 comments · 1 reply

Uh oh!

pashagolub Mar 12, 2025 Maintainer

Uh oh!

zejeanmi Mar 14, 2025 Author

Uh oh!

zejeanmi Mar 19, 2025 Author

zejeanmi
Mar 12, 2025

Replies: 2 comments 1 reply

pashagolub
Mar 12, 2025
Maintainer

zejeanmi Mar 14, 2025
Author

zejeanmi
Mar 19, 2025
Author