Postgresql TLS cert not reloaded when renewed #872

Closed
mkllnk opened this issue Apr 24, 2023 · 2 comments

Comments

@mkllnk
Member

mkllnk commented Apr 24, 2023

Description

Certbot renews the certificates and then reloads postgresql, but that doesn't seem to be enough. N8N raised an error connecting to some databases. It worked again after restarting postgresql though. So we need to change the renewal script to restart, it seems. Let's read some docs and see if there's a better way.

Expected Behavior

Postgresql should always use the newest TLS certificate.

Actual Behaviour

Postgresql uses the TLS certificate from its last restart.

Steps to Reproduce

  1. Wait three months. 😬
  2. Go to N8N -> Credentials -> any Postgres database which hasn't been restarted within 3 months
  3. Make sure that SSL is required and SSL issues are not ignored.

Animated Gif/Screenshot

Severity

bug-s3: a feature is broken but there is a workaround

Your Environment

  • Version used:
  • Browser name and version:
  • Operating System and version (desktop or mobile):

Possible Fix

diff --git a/roles/db_integrations/templates/cert-renewal-hook.sh.j2 b/roles/db_integrations/templates/cert-renewal-hook.sh.j2
index be29d67..2540cb8 100644
--- a/roles/db_integrations/templates/cert-renewal-hook.sh.j2
+++ b/roles/db_integrations/templates/cert-renewal-hook.sh.j2
@@ -13,4 +13,4 @@ cp "$SRC/privkey.pem" "$DST/"
 
 chown postgres:postgres "$DST/"*.pem
 
-systemctl reload postgresql
+systemctl restart postgresql
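Review bot: the unconditional `systemctl restart postgresql` on the last line of the hook drops every open client connection on every renewal, which `systemctl reload postgresql` did not. Since this file is a template (`.sh.j2`), consider keeping reload as the default and emitting restart only for the hosts where a reload does not pick up the renewed certificate. A restart also changes the failure mode: if the copied `.pem` files in `$DST` are unreadable or do not match each other, the server will not come back up, so check them before restarting.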
@mkllnk
Member Author

mkllnk commented Oct 5, 2023

I searched for this issue and it seems to depend on the Postgresql version. That's why only some servers were affected by this issue. A reload is enough for Postgres 10 and newer. Since a restart is disrupting current connections, I don't think it's worth implementing for the n8n database connector. It would probably cause failed requests once a month and all newer servers don't need it.

@mkllnk mkllnk closed this as not planned Oct 5, 2023
@github-project-automation github-project-automation bot moved this from All the things to Done in OFN Delivery board Oct 5, 2023
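The version dependence described in the comment above, as an added example that is not part of the thread or the project's hook: it picks reload or restart from the server version, so only older servers lose connections on renewal. The function names are hypothetical, the version 10 threshold is taken from the comment, and `refresh_postgres_tls` assumes `psql` can connect as the invoking user.

```shell
#!/bin/sh
# Added example, not the project's hook. Names below are hypothetical.
# Assumption from the comment above: servers at version 10 or newer pick up
# renewed TLS files on reload; older ones need a restart.

# pg_major VERSION: print the major version number.
# Accepts server_version_num (90624, 140011) or text such as
# "psql (PostgreSQL) 14.11", "9.6.24", "10beta1". Returns 1 if none is found.
pg_major() {
    case "$1" in
        '' | *[!0-9]*) ;;                            # text form, parsed below
        ?????*) echo $(( $1 / 10000 )); return 0 ;;  # server_version_num
    esac
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*$/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    echo "$v"
}

# tls_refresh_action VERSION: print "reload" or "restart"; return 2 if the
# version cannot be parsed, so the caller never guesses.
tls_refresh_action() {
    major=$(pg_major "$1") || { echo "cannot parse version: $1" >&2; return 2; }
    if [ "$major" -ge 10 ]; then
        echo reload
    else
        echo restart
    fi
}

# refresh_postgres_tls: ask the local server for its version and act on it.
# Assumes psql can connect as the invoking user and the unit is "postgresql".
# Call it as the last step of the renewal hook; nothing here runs on its own.
refresh_postgres_tls() {
    ver=$(psql -At -c 'SHOW server_version_num') || return 1
    action=$(tls_refresh_action "$ver") || return 1
    systemctl "$action" postgresql
}
```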
@mkllnk
Member Author

mkllnk commented Apr 9, 2024

We got five production servers affected by this issue and we are planning to solve this in May 2024 with this task:
