When running SchemaSpy get error:
Connection failed because of the following error: "no pg_hba.conf entry for host "xxx.xxx.xxx.xxx", user "xxxx", database "xxx", SSL off"
The error occurs because the database does require an SSL connection.
Is there a way to turn on the SSL flag for a connection in SchemaSpy, I opened up the jar file but couldn't find anything. I know the PostgreSQL JDBC Driver supports SSL so this should be theoretically possible.
Otherwise if any one knows any opensource/freeware tools for reverse engineering a postgresql database with an SSL connections, that would help a lot.
Thanks.
Do it like this:
java -jar schemaSpy_5.0.0 -t pgsql -host your-host-url -db your-database-name -s your-database-schema -u your-username -p your-password -connprops "ssl\=true;sslfactory\=org.postgresql.ssl.NonValidatingFactory" -o path-to-your-output-directory -dp path-to-your-jdbc-driver-jar-file
The trick: adding some additional parameters using the -connprops option: we are setting SSL to true (ssl parameter) and we are asking the client (i.e., the driver) to unconditionally accept the SSL connection (sslfactory parameter).
Per the PgJDBC documentation, use the ssl=true option in your URL's parameters, e.g.
jdbc:postgresql://myhost/mydb?ssl=true
If the host doesn't have a valid certificate or the cert doesn't match its hostname you can disable SSL validation too.
SchemaSpy accepts a JDBC URL for the connection, so this will work fine.
Related
So I'm still in the process of updating a Drupal 7 site to 8 using drush and ddev.
After running the import, I get an error with upgrade_d7_file.
I've tried to install a certificate using this article:
https://www.ddev.com/ddev-local/ddev-local-trusted-https-certificates/
However still get the error, any ideas?
ddev exec drush migrate-import --all
ddev exec drush mmsg upgrade_d7_file
cURL error 60: SSL: no alternative certificate subject name matches target host name
'drupal7migration2.ddev.site'
(see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
(https://drupal7migration2.ddev.site//sites/default/files/Virtual%20Challenges%20%28Results%20and%2
0PBs%29%2020200709.xlsx)
When you want one DDEV-Local project to talk to another using https, curl on the client side has to trust the server side that you're talking to. There are two ways to do this:
(built-in, no changes needed): Use ddev-<projectname>-web (the container name) as the target hostname in the URL. For example in your case, use curl https://ddev-drupal7migration2-web. This hostname is already trusted among various ddev projects.
(requires docker-compose.*.yaml): If you want to use the real full FQDN of the target project (https://drupal7migration2.ddev.site in your case) then you'll need to add that as an external_link in the client project's .ddev. So add a file named .ddev/docker-compose.external_links.yaml in the client side (migration1?) project, with these contents:
version: '3.6'
services:
web:
external_links:
- "ddev-router:drupal7migration2.ddev.site"
That will tell Docker to route requests to "drupal7migration2.ddev.site" to the ddev-router, and your container and curl trust it (it has that name in its cert list).
I am trying to connect to our AWS DocumentDB, but it fails with the following error:
2019-12-04T17:46:52.551-0800 W CONTROL [main] Option: ssl is deprecated. Please use tls instead.
2019-12-04T17:46:52.551-0800 W CONTROL [main] Option: sslCAFile is deprecated. Please use tlsCAFile instead.
2019-12-04T17:46:52.551-0800 W CONTROL [main] Option: sslAllowInvalidHostnames is deprecated. Please use tlsAllowInvalidHostnames instead.
MongoDB shell version v4.2.1
connecting to: mongodb://insights-db-2019-08-12-18-32-13.cih94xwdmniv.us-west-2.docdb.amazonaws.com:27017/?compressors=disabled&gssapiServiceName=mongodb
2019-12-04T17:46:52.684-0800 E NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_CSP_UNSUPPORTED_KEY_SIZE; connection rejected
2019-12-04T17:46:52.685-0800 E QUERY [js] Error: couldn't connect to server insights-db-2019-08-12-18-32-13.cih94xwdmniv.us-west-2.docdb.amazonaws.com:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_CSP_UNSUPPORTED_KEY_SIZE; connection rejected :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2019-12-04T17:46:52.687-0800 F - [main] exception: connect failed
2019-12-04T17:46:52.687-0800 E - [main] exiting with code 1
The command I use:
mongo --ssl --host MY_DOCUMENT_DB_HOST_AND_PORT --sslCAFile MY_KEY_PATH --username MY_USERNAME --password MY_PASSWORD
A couple troubleshooting I already tried:
Sent the exact same command and key to another Mac OS X machine on the same network --> worked fine
Uninstalled and reinstalled my mongo app mongodb-community#4.2
Try adding the rds-combined-ca-bundle.pem certificate to your Mac, I had a very similar error when trying to connect to DocumentDb using localhost through a forwarded port, the command I ran is
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rds-combined-ca-bundle.pem
I got this command from this answer
For those hitting this issue post 2020, see the last reply in this thread: https://forums.aws.amazon.com/message.jspa?messageID=936916
Mac OS X Catalina has updated the requirements for trusted certificates. Trusted certificates must now be valid for 825 days or fewer (see https://support.apple.com/en-us/HT210176). Amazon DocumentDB instance certificates are valid for over four years, longer than the Mac OS X maximum. In order to connect directly to an Amazon DocumentDB cluster from a computer running Mac OS X Catalina, you must allow invalid certificates when creating the TLS connection. In this case, invalid certificates mean that the validity period is longer than 825 days. You should understand the risks before allowing invalid certificates when connecting to your Amazon DocumentDB cluster.
To connect to an Amazon DocumentDB cluster from OS X Catalina using the AWS CLI, use the tlsAllowInvalidCertificates parameter.
mongo --tls --host <hostname> --username <username> --password <password> --port 27017 --tlsAllowInvalidCertificates
Basically, just ignore invalid certificates.
I try to do ssl connection for my server in c.
i have take this code : https://wiki.openssl.org/index.php/Simple_TLS_Server and I have generated certificate with certbot:
sudo certbot certonly --standalone
I have copy cert.pem and privkey.pem present in /etc/letsencrypt/live/MY_DOMAIN/ on my program directory.
but when I try to connect with curl, I get this error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
and my server print :
1996193792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1407:SSL alert number 48
thank you for your help !
That oversimple server does not handle a chain cert (or certs), also called intermediate, which every real CA this century requires, including LE. It is suitable only for test certs you generate yourself, or some limited environments like the intranet of a company that runs its own private CA.
Replace SSL_CTX_use_certificate_file on the cert.pem file with SSL_CTX_use_certificate_chain_file on the fullchain.pem file.
Also, SSLv23* methods have (finally!) been replaced by TLS* methods as of 1.1.0 in 2016, although the obsolete names remain as synonyms for now.
I have set up a SQL Server database server on my Ubuntu 16 machine. To make it secure over a host network I am working on adding an SSL encryption certificate on it.
I tried following the steps as mentioned on this link ssl-encryption-mssql
But after restarting the service of SQL Server, it breaks giving the below exit code status
code=exited, status=1/FAILURE
I even tried to check the logs using journalctl -u mssql-server.service -b but it is not helpful at all. For the referrence, I am adding the screenshot of journalctl command below:
My /var/opt/mssql/mssql.conf looks something like this after following the steps from official doc.
[sqlagent]
enabled = false
[EULA]
accepteula = Y
[network]
tlscert = /etc/ssl/certs/cert.pem
tlskey = /etc/ssl/private/privkey.pem
tlsprotocols = 1.2
forceencryption = 1
EDIT-1: I further checked out the logs from /var/log/syslog, it stated the following log-
Error: 49940, Severity: 16, State: 1.Unable to open one or more of the user-specified certificate file(s). Verify that the certificate file(s) exist with read permissions for the user and group running SQL Server and found this question which seems similar, I tried the approach as told by Charles but it doesn't seem to work. Even I am using the Let's Encrypt Certificates.
EDIT-2: It is not a licensed version, could this be the reason?
How to resolve this error?
I just faced the same problem even though I followed the same steps as mentioned in the microsoft documentation. The actual problem seems to be with the permissions on the folder paths where the certificate files are located.
You can verify whether mssql user is able to connect or not using the openssl commands.
This command will do a basic verification on whether the certificates are valid or not.
sudo su - mssql -c "openssl verify -verbose -CAfile /etc/ssl/certs/mssql_ca.pem /etc/ssl/certs/cert.pem"
If you wanted to see if the combination of certificates are actually working or not (with key), you can start a openssl server service and then connect to it with another openssl client connection.
sudo su - mssql -c "openssl s_server -accept 8443 -cert /etc/ssl/certs/cert.pem -key /etc/ssl/private/privkeyrsa.pem -CAfile /etc/ssl/certs/mssql_ca.pem"
openssl s_client -connect localhost:8443
Another small correction from the documentation (I am using CA provided certificate), had to convert the key file format (might not require for you).
openssl rsa -in /etc/ssl/private/key.pem -out /etc/ssl/private/privkeyrsa.pem
i have been facing a problem linking mongodb compass and and the online mongo atlas, but somehow when i type the mongoimport command complete with its parameters extracted from the "Command Line Options" in atlas account, it throws up the error connecting to the db server: no reachable server
I am running MongoDB enterprise version 3.0.15 for connecting compass and atlas account on windows 7 platform. I have tried various methods which are already described in some of the links
mongodb Failed: error connecting to db server: no reachable servers
mongoimport error - Failed: error connecting to db server: no reachable servers
mongorestore Failed: no reachable servers
including:
specifying the configuration file with net parameters adjusted to bind ip 0.0.0.0 and port 27017 as described in some threads on this error. Also note that my configuration file did not have any replication parameters, so removing replication parameters was out of the questions as it was suggested in some posts.
Explicitly specify/allow Inbound traffic in Windows firewall for port 27017
Reset the replication set, although i could not understand why i would need to do that in mongoimport case when my mongod instance is not even started using the --replSet rs0 command. Following link was followed for resetting the replset as it was suggested in some posts* (https://vitalflux.com/mongodb-how-to-reset-mongo-replica-set/)
and verified what ports mongo is listening in using db.serverCmdLineOpts() with output like this { "argv" : [ "mongod" ], "parsed" : { }, "ok" : 1 }
*https://serverfault.com/questions/424465/how-to-reset-mongodb-replica-set-settings/424714#424714
Mongoimport command used is:
mongoimport --host Cluster0-shard-0/cluster0-shard-00-00-1jypq.mongodb.net:27017,
cluster0-shard-00-01-1jypq.mongodb.net:27017,
cluster0-shard-00-02-1jypq.mongodb.net:27017 --ssl --username <username>
--password <password> --authenticationDatabase admin --db tutorial
--collection somedocs --type CSV --file retail.csv --headerline
The error message is as follows:
2019-05-10T13:22:32.509+0500 [........................] tutorial.somedocs 4.0 KB/42.4 MB (0.0%)
2019-05-10T13:22:32.860+0500 Failed: error connecting to db server: no reachable servers
2019-05-10T13:22:32.860+0500 imported 0 documents
At this point in time, i am really out of ideas, and i do not know how to proceed forward. Looking forward to your cooperation and valuable ideas in this regard.
Thanks,