Hi, I have the following Dockerfile to generate the certs:
```dockerfile
FROM golang:1.20-alpine AS builder

# Build deps for cfssl, plus a postgres user so the output can be owned by it
RUN set -x && \
    apk --no-cache add git gcc libc-dev make && \
    addgroup postgres && \
    adduser -S -G postgres postgres

# Installs cfssl and cfssljson into /go/bin, which is on PATH in the golang image
RUN go install github.com/cloudflare/cfssl/cmd/...@latest

WORKDIR /app
COPY docker/volumes/timescaledb/certs/csr_timescaledb.json /app/csr_timescaledb.json
COPY docker/volumes/timescaledb/certs/csr_client.json /app/csr_client.json
COPY docker/volumes/timescaledb/certs/cfssl-config.json /app/cfssl-config.json

# Create directories for certificates
RUN mkdir -p /output && \
    chown -R postgres:postgres /output

# Generate CA certificate (writes ca.pem, ca-key.pem and ca.csr into /app)
RUN cfssl gencert -initca /app/csr_timescaledb.json | cfssljson -bare ca

# Generate server certificate (writes server.pem, server-key.pem, server.csr)
RUN cfssl gencert \
      -ca ca.pem \
      -ca-key ca-key.pem \
      -config /app/cfssl-config.json \
      /app/csr_timescaledb.json | cfssljson -bare server

# Generate client certificate (writes client.pem, client-key.pem, client.csr)
RUN cfssl gencert \
      -ca ca.pem \
      -ca-key ca-key.pem \
      -config /app/cfssl-config.json \
      /app/csr_client.json | cfssljson -bare client

# Set proper permissions: private keys owner-only, certificates world-readable
RUN chmod 400 ca-key.pem server-key.pem client-key.pem && \
    chmod 644 ca.pem server.pem client.pem

# Copy all certificates to the output directory (the CA key stays out of /output)
RUN cp ca.pem client.pem client-key.pem server.pem server-key.pem /output/ && \
    chmod 600 /output/client-key.pem /output/server-key.pem && \
    chmod 644 /output/ca.pem /output/client.pem /output/server.pem && \
    chown -R postgres:postgres /output

USER postgres
WORKDIR /app
# At run time, copy the generated files into the mounted /certs-output volume
CMD ["sh", "-c", "cp -v /output/* /certs-output/ && exit 0"]
```
Compared to what I did with just openssl here: https://goteleport.com/blog/securing-postgres-postgresql/, I can make SSL to my postgres instance.

Did I do something wrong? Or is there any reason why the format is wrong?

For more context, I have put the question here: https://dba.stackexchange.com/questions/346355/running-postgresql-container-using-sslmode-verify-full-and-accessing-from-wsl-b?noredirect=1#comment672692_346355
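The checks below are an added example, not part of the issue or of cfssl itself: a script that verifies a generated cert set the way libpq's `sslmode=verify-full` and the PostgreSQL server will, so a format or SAN mismatch shows up before the container does. It assumes openssl on PATH and the file names the Dockerfile writes to /output; `make_fixture` builds a constructed stand-in for that directory with openssl so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the issue or the cfssl project): sanity-check a cfssl/cfssljson
# output directory before pointing PostgreSQL and libpq (sslmode=verify-full) at it.
# Assumes openssl on PATH and the Dockerfile's file names: ca.pem, server(-key).pem, client(-key).pem.
set -eu
# check_cert_set DIR HOST: returns 0 if the set is consistent for HOST, 1 with a reason otherwise.
check_cert_set() {
  dir=$1; host=$2
  for leaf in server client; do
    # Each leaf must chain to ca.pem (libpq checks the server cert against sslrootcert,
    # the server checks the client cert against ssl_ca_file).
    openssl verify -CAfile "$dir/ca.pem" "$dir/$leaf.pem" >/dev/null 2>&1 \
      || { echo "$leaf.pem does not chain to ca.pem"; return 1; }
    # Each key must belong to its cert: compare SHA-256 of the DER SubjectPublicKeyInfo.
    cert_spki=$(openssl x509 -in "$dir/$leaf.pem" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$dir/$leaf-key.pem" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_spki" = "$key_spki" ] || { echo "$leaf-key.pem does not match $leaf.pem"; return 1; }
    # PostgreSQL refuses a server key readable by others (0600, or 0640 when root-owned).
    if find "$dir/$leaf-key.pem" -perm -004 | grep -q .; then
      echo "$leaf-key.pem is world-readable"; return 1
    fi
  done
  # verify-full matches the connection host against the server cert's SAN (CN only as fallback).
  openssl x509 -in "$dir/server.pem" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "server.pem does not cover host $host"; return 1; }
  echo "cert set in $dir is consistent for host $host"
}
# make_fixture DIR HOST: constructed stand-in for the cfssl output, built with openssl so the
# check can be exercised offline; a real run points check_cert_set at the /output directory.
make_fixture() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed test CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  for leaf in server client; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/$leaf-key.pem" -out "$dir/$leaf.csr" >/dev/null 2>&1
  done
  # Only the server cert carries the SAN that verify-full will match against.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/server.pem" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -out "$dir/client.pem" >/dev/null 2>&1
  chmod 600 "$dir"/*-key.pem
}
# Usage: sh check-certs.sh /output db.example.internal
if [ $# -eq 2 ]; then check_cert_set "$1" "$2"; fi
```

Run it against the mounted /certs-output directory with the exact host name you pass to libpq; a missing SAN for that name is the first thing verify-full rejects.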