Configure TLS on pgbackrest repo server and postgresql databases
[root@posbckp01 ~]# cd /etc/ssl/ | |
[root@posbckp01 ssl]# mkdir pgbackrest | |
[root@posbckp01 ssl]# cd pgbackrest/ | |
[root@posbckp01 ~]# cat csr_details.txt | |
[ req ] | |
default_bits = 2048 | |
default_md = sha256 | |
req_extensions = v3_req | |
distinguished_name = dn | |
prompt = no | |
[ dn ] | |
C = TR | |
ST = Ankara | |
L = Cankaya | |
OU = BJKIT | |
O = BJK | |
CN = posbckp01.localdomain | |
[ v3_req ] | |
subjectAltName = @alt_names | |
[ alt_names ] | |
DNS.1 = posbckp01.localdomain | |
IP.1 = 192.168.60.180 | |
[root@posbckp01 pgbackrest]# openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/pgbackrest/server.key -config csr_details.txt -out /etc/ssl/pgbackrest/server.csr | |
Generating a 2048 bit RSA private key | |
...............+++ | |
............................................................+++ | |
writing new private key to '/etc/ssl/pgbackrest/server.key' | |
----- | |
[root@posbckp01 pgbackrest]# ls | |
csr_details.txt server.csr server.key | |
#-- We delivered our request server.csr to the Certification Authority. | |
#-- The certificate was signed by the Certification Authority and returned to us as serverbckp.cer | |
[root@posbckp01 pgbackrest]# ls | |
root.cer serverbckp.cer serverbckp.key | |
[root@posbckp01 pgbackrest]# mv serverbckp.cer serverbckp.crt | |
[root@posbckp01 pgbackrest]# mv root.cer root.crt | |
[root@posbckp01 ssl]# chown -R pgbackrest:pgbackrest pgbackrest/ | |
[root@posbckp01 ssl]# cd pgbackrest/ | |
[root@posbckp01 pgbackrest]# ls | |
root.crt serverbckp.crt serverbckp.key | |
[root@posbckp01 pgbackrest]# chmod 600 ./* | |
[root@posbckp01 pgbackrest]# ls | |
root.crt serverbckp.crt serverbckp.key | |
[root@posbckp01 pgbackrest]# ls -ls | |
total 16 | |
8 -rw------- 1 pgbackrest pgbackrest 4542 May 10 14:00 root.crt | |
4 -rw------- 1 pgbackrest pgbackrest 2266 May 5 15:38 serverbckp.crt | |
4 -rw------- 1 pgbackrest pgbackrest 1704 May 5 13:58 serverbckp.key | |
#-- Below is the sample backup configuration on the pgbackrest repository server; the tls-server-auth entries restrict which client certificate CNs may access the pgcluster stanza | |
[root@posbckp01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf | |
[pgcluster] | |
pg1-host=posvt01.localdomain | |
pg1-path=/mnt/postgres/pgdata | |
pg1-port=3531 | |
pg1-socket-path=/var/run/postgresql | |
pg2-host=posvt02.localdomain | |
pg2-path=/mnt/postgres/pgdata | |
pg2-port=3531 | |
pg2-socket-path=/var/run/postgresql | |
# tls client options | |
pg1-host-type=tls | |
pg1-host-user=postgres | |
pg1-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt | |
pg1-host-key-file=/etc/ssl/pgbackrest/serverbckp.key | |
pg1-host-ca-file=/etc/ssl/pgbackrest/root.crt | |
pg2-host-type=tls | |
pg2-host-user=postgres | |
pg2-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt | |
pg2-host-key-file=/etc/ssl/pgbackrest/serverbckp.key | |
pg2-host-ca-file=/etc/ssl/pgbackrest/root.crt | |
[global] | |
#backup-standby=y | |
process-max=4 | |
repo1-path=/mnt/pgbackrest | |
repo1-retention-full-type=time | |
repo1-retention-full=28 | |
repo1-retention-diff=3 | |
log-level-file=detail | |
log-level-console=info | |
start-fast=y | |
delta=y | |
# tls server options | |
tls-server-address=posbckp01.localdomain | |
tls-server-cert-file=/etc/ssl/pgbackrest/serverbckp.crt | |
tls-server-key-file=/etc/ssl/pgbackrest/serverbckp.key | |
tls-server-ca-file=/etc/ssl/pgbackrest/root.crt | |
tls-server-auth=posvt01.localdomain=pgcluster | |
tls-server-auth=posvt02.localdomain=pgcluster | |
tls-server-auth=pgcluster.localdomain=pgcluster | |
#-- Below is the sample backup configuration on the postgresql database servers. Do it on both nodes | |
[root@posvt01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf | |
[pgcluster] | |
pg1-path=/mnt/postgres/pgdata | |
pg1-port=3531 | |
pg1-socket-path=/var/run/postgresql | |
[global] | |
archive-async=y | |
archive-push-queue-max=48GB | |
log-level-file=detail | |
log-level-console=info | |
spool-path=/var/spool/pgbackrest | |
repo1-host=posbckp01.localdomain | |
repo1-path=/mnt/pgbackrest | |
process-max=4 | |
delta=y | |
repo1-host-type=tls | |
repo1-host-cert-file=/etc/ssl/postgres/server.crt | |
repo1-host-key-file=/etc/ssl/postgres/server.key | |
repo1-host-ca-file=/etc/ssl/postgres/root.crt | |
# tls server options | |
tls-server-address=posvt01.localdomain | |
tls-server-cert-file=/etc/ssl/postgres/server.crt | |
tls-server-key-file=/etc/ssl/postgres/server.key | |
tls-server-ca-file=/etc/ssl/postgres/root.crt | |
tls-server-auth=posbckp01.localdomain=pgcluster | |
#-- Turning pgbackrest into a service and enabling it across reboots | |
[root@posbckp01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service | |
[Unit] | |
Description=pgBackRest Server | |
After=network.target | |
StartLimitIntervalSec=0 | |
[Service] | |
Type=simple | |
User=pgbackrest | |
Restart=always | |
RestartSec=1 | |
ExecStart=/usr/bin/pgbackrest server | |
ExecReload=kill -HUP $MAINPID | |
[Install] | |
WantedBy=multi-user.target | |
#-- Turning pgbackrest into a service and enabling it across reboots on the postgresql database servers. -- Do it on both nodes | |
[root@posvt01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service | |
[Unit] | |
Description=pgBackRest Server | |
After=network.target | |
StartLimitIntervalSec=0 | |
[Service] | |
Type=simple | |
User=postgres | |
Restart=always | |
RestartSec=1 | |
ExecStart=/usr/bin/pgbackrest server | |
ExecReload=kill -HUP $MAINPID | |
[Install] | |
WantedBy=multi-user.target | |
[root@posvt01 pgbackrest]# systemctl daemon-reload | |
[root@posvt01 pgbackrest]# systemctl enable pgbackrest | |
[root@posvt01 pgbackrest]# systemctl start pgbackrest | |
[root@posvt01 pgbackrest]# pgbackrest server-ping | |
[root@posbckp01 pgbackrest]# systemctl daemon-reload | |
[root@posbckp01 pgbackrest]# systemctl enable pgbackrest | |
[root@posbckp01 pgbackrest]# systemctl start pgbackrest | |
#-- Test connection | |
[root@posbckp01 pgbackrest]# pgbackrest server-ping | |
#-- Check stanza | |
[postgres@posvt01 ~]$ pgbackrest --stanza=pgcluster check |