[Camps-users] Pg with SSL

Ethan Rowe ethan at endpoint.com
Tue May 19 21:16:50 UTC 2009


Brian J. Miller wrote:
> I need to set up remote access to camp Pg DBs with SSL enabled. I can get
> the pg_hba.conf correct based on tokenized config files, and I can
> presumably do the same with the postgresql.conf to enable SSL itself.
> However I seemingly need to generate a server.key/server.crt pair during
> Pg initialization. I tried using the config file approach for this as
> well, but the files must be read only to the user/owner of the data
> directory which currently isn't possible because they have to have group
> read permissions to live in ~camp. Additionally I have a camp.key file
> in ~camp/<type>/etc but I don't know of a way to specify it in the Pg
> configuration. Anyone else know of one?
> 
> I can get to the desired configuration using:
> 
> openssl genrsa -out /home/<user>/campXX/pgsql/data/server.key 4096
> openssl req -new -x509 -days 3650 -key \
> /home/<user>/campXX/pgsql/data/server.key -out \
> /home/<user>/campXX/pgsql/data/server.crt
> 
> Similar to how we used to generate Apache SSL certs. Is the best
> approach to patch Camp/Master.pm to do this (optionally with a config
> flag) or is there a better approach?

It seems reasonable to me to add it to Camp::Master as part of Postgres
setup, and introduce a configuration variable to be potentially
specified in local-config for a camp type that would serve as a boolean
flag for this behavior, defaulting to not creating it, as is the
standard behavior, but letting the camp system admin(s) explicitly
activate it.

I wouldn't push it upstream until you had it in use for a few days and
were confident that it worked consistently.  :)

Thanks.
- Ethan
-- 
Ethan Rowe
End Point Corporation
ethan at endpoint.com
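One way the flag-gated generation discussed above could look inside the Postgres setup step, as an added example that is not the camps project's own code: the sub name, its arguments, and the pg_ssl config key are assumptions, and the openssl commands are the ones from Brian's message made non-interactive.

```perl
#!/usr/bin/perl
# Hypothetical helper for the Camp::Master Postgres setup step (not the
# camps project's own code). Generates a self-signed server.key/server.crt
# pair in the camp's Pg data directory only when a config flag is set, and
# enforces the owner-only permissions Postgres requires on the key. The
# key lives under pgsql/data, not ~camp/<type>/etc, so it can be 0600.
use strict;
use warnings;
use File::Spec;

# $config is assumed to be the camp's merged configuration hash; 'pg_ssl'
# is a hypothetical boolean key that defaults to off. $cn is the subject
# CN to put in the certificate (defaults to localhost).
sub setup_pg_ssl {
    my ($data_dir, $config, $cn) = @_;
    $cn = 'localhost' unless defined $cn;
    return 0 unless $config->{pg_ssl};   # default: leave Pg without SSL

    my $key = File::Spec->catfile($data_dir, 'server.key');
    my $crt = File::Spec->catfile($data_dir, 'server.crt');

    # Re-running camp setup must not clobber an existing pair.
    return 1 if -f $key && -f $crt;

    # Tighten the umask while openssl writes the key so it is never even
    # momentarily group/world readable.
    my $old_umask = umask(077);
    system('openssl', 'genrsa', '-out', $key, '4096') == 0
        or die "openssl genrsa failed: $?";
    # -subj keeps 'openssl req' from prompting during automated setup.
    system('openssl', 'req', '-new', '-x509', '-days', '3650',
           '-key', $key, '-out', $crt, '-subj', "/CN=$cn") == 0
        or die "openssl req failed: $?";
    umask($old_umask);

    # Postgres refuses to start with ssl = on if server.key is readable by
    # group or others; set the modes explicitly rather than trusting the
    # umask. The certificate itself may stay world readable.
    chmod 0600, $key or die "chmod $key: $!";
    chmod 0644, $crt or die "chmod $crt: $!";

    # Fail loudly if anything (e.g. a setgid directory) widened the key.
    my $mode = (stat $key)[2] & 07777;
    die sprintf("server.key mode is %04o, expected 0600", $mode)
        if $mode != 0600;
    return 1;
}

1;
```

The sub is meant to be called with the data directory the camp is initializing and the camp's config, so that camp types without pg_ssl in local-config are untouched.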

