Relevant telegraf.conf:
[[inputs.postgresql]]
interval = "1m"
address = "host=192.168.0.10 port=5432 user=user1 password=xxx database=x1 sslmode=verify-ca sslrootcert=/srv/telegraf_tls/ca.crt"
databases = ["x1"]
[[inputs.postgresql_extensible]]
interval = "1m"
address = "host=192.168.0.10 port=5432 user=user1 password=xxx database=x1 sslmode=verify-ca sslrootcert=/srv/telegraf_tls/ca.crt"
databases = ["x1"]
[[inputs.postgresql_extensible.query]]
sqlquery='''
SELECT t2.rolname as rolname, t3.datname as datname, queryid, calls, ...
'''
System info:
- Docker container
- OS: Ubuntu 20.04.2 LTS
- Telegraf version: 1.16.3
Docker
Dockerfile
Steps to reproduce:
- Start Telegraf
- Show the Telegraf logs
Expected behavior:
I expect the establishment of an encrypted connection to the database and smooth functionality of the PostgreSQL plugin.
Actual behavior:
We have configured an encrypted connection to the PostgreSQL database including CA-Cert validation in our Telegraf configuration. After starting Telegraf, the following error is displayed in the error log and no connection to the database can be established.
[inputs.postgresql] Error in plugin: x509: cannot validate certificate for 192.168.0.10 because it doesn't contain any IP SANs
Additional info:
Of course, we have already checked the certificate and established a connection to the DB using the psql client. There were no problems and the encrypted connection could be established without problems in verify-ca mode. Our CA certificate does not have a SAN entry, but in my opinion this entry should be checked in verify-full mode.
I have the feeling that the database driver interprets the rules wrong and uses verify-full instead of verify-ca.
Workaround:
As a workaround we changed the ssl mode to require and were able to connect to the database.