Configure TLS on pgbackrest repo server and postgresql databases
[root@posbckp01 ~]# cd /etc/ssl/
[root@posbckp01 ssl]# mkdir pgbackrest
[root@posbckp01 ssl]# cd pgbackrest/
[root@posbckp01 ~]# cat csr_details.txt
# OpenSSL request config for the repository server's own certificate.
# The CN (and DNS.1) must be exactly the name the database nodes list for this
# host in tls-server-auth (posbckp01.localdomain): pgBackRest matches
# tls-server-auth entries against the client certificate's CN.
[ req ]
default_bits = 2048
default_md = sha256
# Embed the v3_req extensions (the SAN below) in the CSR. The issuing CA decides
# whether to honour CSR extensions, so check the SAN on the issued certificate.
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ dn ]
C = TR
ST = Ankara
L = Cankaya
OU = BJKIT
O = BJK
CN = posbckp01.localdomain
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
# Peers are configured by host name (tls-server-address / pg1-host), so the DNS
# entry is the one that matters; the IP SAN only helps a client that dials the
# address directly.
DNS.1 = posbckp01.localdomain
IP.1 = 192.168.60.180
[root@posbckp01 pgbackrest]# openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/pgbackrest/server.key -config csr_details.txt -out /etc/ssl/pgbackrest/server.csr
Generating a 2048 bit RSA private key
...............+++
............................................................+++
writing new private key to '/etc/ssl/pgbackrest/server.key'
-----
[root@posbckp01 pgbackrest]# ls
csr_details.txt server.csr server.key
#-- We delivered our request server.csr to the Certification Authority.
#-- The CA signed it and returned the certificate as serverbckp.cer together with its CA certificate root.cer; the private key generated above (server.key) appears below as serverbckp.key. Before using the certificate, verify that the CA kept the subjectAltName from the CSR (openssl x509 -in serverbckp.cer -noout -text) and that the CN is posbckp01.localdomain — the peers authorize this host by that CN.
[root@posbckp01 pgbackrest]# ls
root.cer serverbckp.cer serverbckp.key
[root@posbckp01 pgbackrest]# mv serverbckp.cer serverbckp.crt
[root@posbckp01 pgbackrest]# mv root.cer root.crt
[root@posbckp01 ssl]# chown -R pgbackrest:pgbackrest pgbackrest/
[root@posbckp01 ssl]# cd pgbackrest/
[root@posbckp01 pgbackrest]# ls
root.crt serverbckp.crt serverbckp.key
[root@posbckp01 pgbackrest]# chmod 600 ./*
[root@posbckp01 pgbackrest]# ls
root.crt serverbckp.crt serverbckp.key
[root@posbckp01 pgbackrest]# ls -ls
total 16
8 -rw------- 1 pgbackrest pgbackrest 4542 May 10 14:00 root.crt
4 -rw------- 1 pgbackrest pgbackrest 2266 May 5 15:38 serverbckp.crt
4 -rw------- 1 pgbackrest pgbackrest 1704 May 5 13:58 serverbckp.key
#-- Below is the sample /etc/pgbackrest/pgbackrest.conf for the pgBackRest repository server. The key file must stay 0600 and owned by the pgbackrest user (as set above); a key readable by group/other is rejected.
[root@posbckp01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf
# Repository-server side. The [pgcluster] stanza drives both database nodes over
# TLS as client; [global] also runs a TLS server so the nodes can push WAL to
# and check this repository.
[pgcluster]
pg1-host=posvt01.localdomain
pg1-path=/mnt/postgres/pgdata
pg1-port=3531
pg1-socket-path=/var/run/postgresql
pg2-host=posvt02.localdomain
pg2-path=/mnt/postgres/pgdata
pg2-port=3531
pg2-socket-path=/var/run/postgresql
#tls client options
# Credentials this host presents when it connects to posvt01/posvt02. The CN of
# serverbckp.crt (posbckp01.localdomain) must match the tls-server-auth entry on
# each database node, and commands on the nodes run as pg*-host-user (postgres).
pg1-host-type=tls
pg1-host-user=postgres
pg1-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
pg1-host-key-file=/etc/ssl/pgbackrest/serverbckp.key
pg1-host-ca-file=/etc/ssl/pgbackrest/root.crt
pg2-host-type=tls
pg2-host-user=postgres
pg2-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
pg2-host-key-file=/etc/ssl/pgbackrest/serverbckp.key
pg2-host-ca-file=/etc/ssl/pgbackrest/root.crt
[global]
#backup-standby=y
process-max=4
repo1-path=/mnt/pgbackrest
repo1-retention-full-type=time
repo1-retention-full=28
repo1-retention-diff=3
log-level-file=detail
log-level-console=info
start-fast=y
delta=y
# tls server options
# Listener for incoming connections from the database nodes. A client is
# accepted only if its certificate chains to root.crt AND its CN appears in a
# tls-server-auth entry; each entry grants that CN the listed stanza only.
# Every certificate issued by the CA in root.crt with a listed CN is trusted, so
# keep root.crt to a CA you control (ideally a dedicated one).
tls-server-address=posbckp01.localdomain
tls-server-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
tls-server-key-file=/etc/ssl/pgbackrest/serverbckp.key
tls-server-ca-file=/etc/ssl/pgbackrest/root.crt
tls-server-auth=posvt01.localdomain=pgcluster
tls-server-auth=posvt02.localdomain=pgcluster
# NOTE(review): pgcluster.localdomain is not one of the pg*-host names above.
# Keep this entry only if a client really presents a certificate with that CN;
# otherwise it silently widens who may drive the stanza.
tls-server-auth=pgcluster.localdomain=pgcluster
#-- Below is the sample /etc/pgbackrest/pgbackrest.conf for the PostgreSQL database servers (shown for posvt01). Apply it on both nodes, but set tls-server-address to each node's own name and give each node a certificate whose CN is its own host name (posvt01.localdomain / posvt02.localdomain) — the repository's tls-server-auth entries are matched per CN, so one shared certificate cannot satisfy both.
[root@posvt01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf
# Database-node side (posvt01). On posvt02 tls-server-address must be that
# node's name and /etc/ssl/postgres/server.crt a certificate with CN
# posvt02.localdomain, so it matches the repository's tls-server-auth entries.
[pgcluster]
pg1-path=/mnt/postgres/pgdata
pg1-port=3531
pg1-socket-path=/var/run/postgresql
[global]
archive-async=y
# The async archiver spools WAL locally; the cap keeps a long repository outage
# from filling the data disk. Per the pgBackRest docs, WAL beyond the cap is
# dropped (with a warning) rather than blocking PostgreSQL, which breaks PITR
# continuity until the next backup — confirm this trade-off is intended.
archive-push-queue-max=48GB
log-level-file=detail
log-level-console=info
spool-path=/var/spool/pgbackrest
repo1-host=posbckp01.localdomain
repo1-path=/mnt/pgbackrest
process-max=4
delta=y
repo1-host-type=tls
# Client credentials used to reach posbckp01; the CN of server.crt must match
# this node's tls-server-auth entry on the repository. server.key must be 0600
# and owned by postgres (the user the pgbackrest service runs as here).
repo1-host-cert-file=/etc/ssl/postgres/server.crt
repo1-host-key-file=/etc/ssl/postgres/server.key
repo1-host-ca-file=/etc/ssl/postgres/root.crt
# tls server options
# Listener the repository server connects to for backups. Only a client
# certificate chaining to root.crt with CN posbckp01.localdomain is accepted,
# and only for stanza pgcluster.
tls-server-address=posvt01.localdomain
tls-server-cert-file=/etc/ssl/postgres/server.crt
tls-server-key-file=/etc/ssl/postgres/server.key
tls-server-ca-file=/etc/ssl/postgres/root.crt
tls-server-auth=posbckp01.localdomain=pgcluster
#-- Run the pgBackRest TLS server as a systemd service on the repository host so it starts at boot and is restarted on failure.
[root@posbckp01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service
[Unit]
Description=pgBackRest Server
After=network.target
# Disable start-rate limiting so Restart=always can keep retrying indefinitely.
StartLimitIntervalSec=0
[Service]
Type=simple
# Runs unprivileged as the repository owner; the TLS key under
# /etc/ssl/pgbackrest must be readable by this user (chown'd to it above).
# Consider adding NoNewPrivileges=true and ProtectSystem=full (with
# ReadWritePaths= for the repo path) to limit the blast radius of the listener.
User=pgbackrest
Restart=always
RestartSec=1
ExecStart=/usr/bin/pgbackrest server
# SIGHUP is expected to make the server re-read its configuration.
# NOTE(review): older systemd releases require an absolute path here (/bin/kill).
ExecReload=kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
#-- Run the pgBackRest TLS server as a systemd service on the PostgreSQL database servers as well, so it starts at boot and is restarted on failure. Do it on both nodes.
[root@posvt01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service
[Unit]
Description=pgBackRest Server
After=network.target
# Disable start-rate limiting so Restart=always can keep retrying indefinitely.
StartLimitIntervalSec=0
[Service]
Type=simple
# Runs as postgres: the repository server executes pgbackrest on this node as
# pg*-host-user=postgres, and the process must read the data directory and the
# TLS key under /etc/ssl/postgres and write the spool path. Anyone who can
# connect with an authorized client certificate gets this user's access, so
# keep tls-server-auth on this node limited to the repository host.
User=postgres
Restart=always
RestartSec=1
ExecStart=/usr/bin/pgbackrest server
# SIGHUP is expected to make the server re-read its configuration.
# NOTE(review): older systemd releases require an absolute path here (/bin/kill).
ExecReload=kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
[root@posvt01 pgbackrest]# systemctl daemon-reload
[root@posvt01 pgbackrest]# systemctl enable pgbackrest
[root@posvt01 pgbackrest]# systemctl start pgbackrest
[root@posvt01 pgbackrest]# pgbackrest server-ping
[root@posbckp01 pgbackrest]# systemctl daemon-reload
[root@posbckp01 pgbackrest]# systemctl enable pgbackrest
[root@posbckp01 pgbackrest]# systemctl start pgbackrest
#-- Test the TLS listener. Without a host argument, server-ping checks the local server only; the stanza check below is what exercises the client-to-repository path end to end.
[root@posbckp01 pgbackrest]# pgbackrest server-ping
#-- Verify the stanza from a database node as the postgres user: this exercises the TLS client on posvt01, the TLS server on posbckp01 and the tls-server-auth CN mapping configured above. Repeat on posvt02.
[postgres@posvt01 ~]$ pgbackrest --stanza=pgcluster check