
Allow passing ssl_cert_data, ssl_key_data and ssl_root_cert_data #10

Merged: brmzkw merged 3 commits into main from jcastets/certs-data, May 8, 2026

Conversation

@brmzkw brmzkw (Collaborator) commented May 8, 2026

Each ssl_* file parameter now has a *_data counterpart that accepts the raw PEM content directly. When set, the content is written to a temporary file which is passed to the PostgreSQL tools via the existing env vars (PGSSLCERT, PGSSLKEY, PGSSLROOTCERT). Temp files are removed when the connector is closed.

To test, start a postgresql container:

```sh
#!/bin/sh
set -eu

CERTDIR="$(pwd)/certs"
INITDIR="$(pwd)/docker-entrypoint-initdb.d"

rm -rf "$CERTDIR" "$INITDIR"
mkdir -p "$CERTDIR" "$INITDIR"

# CA
openssl req -new -x509 -days 365 -nodes \
  -subj "/CN=test-ca" \
  -keyout "$CERTDIR/ca.key" \
  -out "$CERTDIR/ca.crt"

# Server cert. CN must match hostname used by clients.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=localhost" \
  -keyout "$CERTDIR/server.key" \
  -out "$CERTDIR/server.csr"

openssl x509 -req -days 365 \
  -in "$CERTDIR/server.csr" \
  -CA "$CERTDIR/ca.crt" \
  -CAkey "$CERTDIR/ca.key" \
  -CAcreateserial \
  -out "$CERTDIR/server.crt"

# Client cert. CN must match PostgreSQL user.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=postgres" \
  -keyout "$CERTDIR/client.key" \
  -out "$CERTDIR/client.csr"

openssl x509 -req -days 365 \
  -in "$CERTDIR/client.csr" \
  -CA "$CERTDIR/ca.crt" \
  -CAkey "$CERTDIR/ca.key" \
  -CAcreateserial \
  -out "$CERTDIR/client.crt"

# PostgreSQL refuses a server key that is group/world readable; it must be
# owned by the server user (0600) or by root (0640). On Linux a bind mount keeps
# host ownership, so adjust ownership if the server refuses to start.
chmod 600 "$CERTDIR"/*.key

cat > "$INITDIR/001-enable-mtls.sh" <<'EOF'
#!/bin/sh
set -eu

cat >> "$PGDATA/postgresql.conf" <<CONF
ssl = on
ssl_ca_file = '/certs/ca.crt'
ssl_cert_file = '/certs/server.crt'
ssl_key_file = '/certs/server.key'
CONF

cat > "$PGDATA/pg_hba.conf" <<CONF
# Require TLS + valid client certificate.
hostssl all all all cert clientcert=verify-full

# Reject non-TLS connections.
hostnossl all all all reject
CONF
EOF

chmod +x "$INITDIR/001-enable-mtls.sh"

docker run --rm -ti \
  --name test \
  -p 9999:5432 \
  -e POSTGRES_PASSWORD=postgres \
  -v "$CERTDIR:/certs:ro" \
  -v "$INITDIR:/docker-entrypoint-initdb.d:ro" \
  postgres:17
```

Do a backup with the *_data parameters:

```sh
plakar -stdio at ./toto backup -o ssl_root_cert_data="$(cat ./certs/ca.crt)" -o ssl_cert_data="$(cat certs/client.crt)" -o ssl_key_data="$(cat certs/client.key)" postgres://postgres:postgres@localhost:9999
```

Or with the files:

```sh
plakar -stdio at ./toto backup -o ssl_root_cert=certs/ca.crt -o ssl_cert=certs/client.crt -o ssl_key=certs/client.key postgres://postgres:postgres@localhost:9999
```
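How the mechanism described above fits together, as an added Go example (not the PR's own pgconn code, which is not shown on this page): each ssl_* option is taken either as a path or as inline *_data, the inline form is written to a 0600 temp file that the matching PG* env var points at, both forms at once are rejected, and cleanup removes the files when the connector closes. The function name PrepareSSLEnv and the option-map shape are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

var sslParams = []struct{ pathKey, dataKey, env string }{ // path option, inline option, libpq env var
	{"ssl_cert", "ssl_cert_data", "PGSSLCERT"},
	{"ssl_key", "ssl_key_data", "PGSSLKEY"},
	{"ssl_root_cert", "ssl_root_cert_data", "PGSSLROOTCERT"},
}

// PrepareSSLEnv (hypothetical name) resolves ssl_* options into KEY=VALUE env entries;
// *_data values go to 0600 temp files. cleanup is always safe to call: do so from Close().
func PrepareSSLEnv(opts map[string]string) (env []string, cleanup func(), err error) {
	var tmpFiles []string
	cleanup = func() { for _, f := range tmpFiles { os.Remove(f) } }
	fail := func(e error) ([]string, func(), error) { cleanup(); return nil, func() {}, e }
	for _, p := range sslParams {
		path, hasPath := opts[p.pathKey]
		data, hasData := opts[p.dataKey]
		switch {
		case hasPath && hasData: // path and inline variants are mutually exclusive
			return fail(fmt.Errorf("%s and %s are mutually exclusive", p.pathKey, p.dataKey))
		case hasPath:
			env = append(env, p.env+"="+path)
		case hasData:
			// os.CreateTemp creates the file with mode 0600, so other local users cannot read the key.
			f, e := os.CreateTemp("", "pg-"+p.pathKey+"-*.pem")
			if e != nil {
				return fail(e)
			}
			tmpFiles = append(tmpFiles, f.Name())
			_, e = f.WriteString(data)
			if e = errors.Join(e, f.Close()); e != nil {
				return fail(e)
			}
			env = append(env, p.env+"="+f.Name())
		}
	}
	return env, cleanup, nil
}

func main() { // constructed sample input
	env, cleanup, err := PrepareSSLEnv(map[string]string{"ssl_root_cert_data": "(constructed PEM)"})
	fmt.Println(env, err)
	cleanup()
}
```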

brmzkw and others added 3 commits May 8, 2026 11:54
…ssl_root_cert_data)

Each ssl_* file parameter now has a *_data counterpart that accepts the raw
PEM content directly. When set, the content is written to a temporary file
which is passed to the PostgreSQL tools via the existing env vars (PGSSLCERT,
PGSSLKEY, PGSSLROOTCERT). Temp files are removed when the connector is closed.

Path and inline variants are mutually exclusive; specifying both is an error.
All three connectors (importer, exporter, binimporter) call conn.Cleanup() in
their Close() method. Logic is entirely in pgconn so no connector duplicates it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove mentions of mutual exclusivity and temp file implementation details
from schema descriptions, README, and man page. The _data variants are now
described simply as alternatives to the corresponding path parameters.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@brmzkw brmzkw force-pushed the jcastets/certs-data branch from c46311f to b92bbfe Compare May 8, 2026 10:56
@brmzkw brmzkw merged commit 64ee042 into main May 8, 2026
2 checks passed
@brmzkw brmzkw deleted the jcastets/certs-data branch May 8, 2026 11:34