Error trying to connect to Postgres

Hi, I’m trying to run kong migrations on Postgres using this docker container (kong:latest):

https://hub.docker.com/_/kong

I’ve a docker-compose.yml with:

kong-migration:
  image: kong:latest
  command: kong migrations up --v
  restart: on-failure
  environment:
    KONG_DATABASE: "postgres"
    KONG_PG_HOST: "my_remote_server"
    KONG_PG_DATABASE: "kong"
    KONG_PG_USER: "my_username"
    KONG_PG_PASSWORD: "my_password"
    KONG_PG_SSL: "on"
    KONG_PG_SSL_VERIFY: "on"

When I run it, I get the following:

$ docker-compose up
Recreating docker_kong-migration_1 … done
Attaching to docker_kong-migration_1
kong-migration_1 | 2021/02/04 13:19:52 [verbose] Kong: 2.3.1
kong-migration_1 | Error:
kong-migration_1 | /usr/local/share/lua/5.1/kong/cmd/migrations.lua:98: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: closed
kong-migration_1 | stack traceback:
kong-migration_1 | [C]: in function ‘assert’
kong-migration_1 | /usr/local/share/lua/5.1/kong/cmd/migrations.lua:98: in function ‘cmd_exec’
kong-migration_1 | /usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:88>
kong-migration_1 | [C]: in function ‘xpcall’
kong-migration_1 | /usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:45>
kong-migration_1 | /usr/local/bin/kong:9: in function ‘file_gen’
kong-migration_1 | init_worker_by_lua:48: in function <init_worker_by_lua:46>
kong-migration_1 | [C]: in function ‘xpcall’
kong-migration_1 | init_worker_by_lua:55: in function <init_worker_by_lua:53>
kong-migration_1 | 2021/02/04 13:19:52 [verbose] no config file found at /etc/kong/kong.conf
kong-migration_1 | 2021/02/04 13:19:52 [verbose] no config file found at /etc/kong.conf
kong-migration_1 | 2021/02/04 13:19:52 [verbose] no config file, skip loading
kong-migration_1 | 2021/02/04 13:19:52 [verbose] prefix in use: /usr/local/kong
kong-migration_1 | 2021/02/04 13:19:52 [verbose] preparing nginx prefix directory at /usr/local/kong
kong-migration_1 | 2021/02/04 13:19:52 [verbose] SSL enabled on
kong-migration_1 | 2021/02/04 13:19:52 [verbose] generating /usr/local/kong/ssl/kong-default.crt SSL certificate (
kong-migration_1 | 2021/02/04 13:19:52 [verbose] generating /usr/local/kong/ssl/kong-default-ecdsa.crt SSL certificate (
kong-migration_1 | 2021/02/04 13:19:52 [verbose] SSL enabled on
kong-migration_1 | 2021/02/04 13:19:52 [verbose] generating /usr/local/kong/ssl/admin-kong-default.crt SSL certificate (
kong-migration_1 | 2021/02/04 13:19:52 [verbose] generating /usr/local/kong/ssl/admin-kong-default-ecdsa.crt SSL certificate (
kong-migration_1 | 2021/02/04 13:19:52 [verbose] generating ffdhe2048 DH parameters

That is, it says:

[PostgreSQL error] failed to retrieve PostgreSQL server_version_num: closed

The systems and versions I’m using:

OS: Windows 10
Docker: 20.10.2, build 2291f61
PostgreSQL: 12.5
Kong: 2.3.1

Can anyone help me with that?

Thanks!

Make sure the PostgreSQL is up before using it. PostgreSQL might not yet be ready to accept connections if you start Kong right after it.

Hi xguru, thank you for your answer.

The PostgreSQL is running on Azure Database for PostgreSQL flexible server (https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/) and it’s up all the time, not just when the kong container is started.

I think the problem is something related to the TLS connection, because on this page: https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl

It says:

In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. Azure Database for PostgreSQL - Flexible Server uses DigiCert Global Root CA. Download this certificate needed to communicate over SSL from DigiCert Global Root CA and save the certificate file to your preferred location. For example, this tutorial uses c:\ssl.

I wasn’t able to connect successfully to PostgreSQL if I wasn’t using this DigiCertGlobalRootCA.crt.pem in the DBeaver and pgAdmin clients, but now I removed the connections and recreated them, and from DBeaver I didn’t even have to turn SSL on and it worked. In pgAdmin, it just worked with SSL enabled, but it wasn’t necessary to specify the .pem file.

I made some modifications to my docker-compose.yml, creating a volume, putting the .pem file there and trying to load it using the LUA_SSL_TRUSTED_CERTIFICATE property:

kong-migration:
  image: kong:latest
  command: kong migrations up --v
  restart: on-failure
  volumes:
    - "C:/certificatePostgreSQL:/certificates:rw"
  environment:
    KONG_DATABASE: "postgres"
    KONG_PG_HOST: "my_remote_host"
    KONG_PG_DATABASE: "kong"
    KONG_PG_USER: "my_user"
    KONG_PG_PASSWORD: "my_password"
    KONG_PG_SSL: "on"
    KONG_PG_SSL_VERIFY: "on"
    LUA_SSL_TRUSTED_CERTIFICATE: "/certificates/DigiCertGlobalRootCA.crt.pem"

But it throws the same error: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: closed

I read in this post:

https://github.com/Kong/kong/issues/5921

That it’s something related to the TLS version. The guy with the same error message I have said:

Kong doesn’t work with TLSv1.2. It works in PostgreSQL 12 when it removes the enforcing minimum TLSv1.2 parameter on postgres.

ssl_min_protocol_version = 'TLSv1.2'

This is an important situation for remote databases. maybe you can add it to your plans for future analysis.

I didn’t understand it very well, but it looks like the guy is saying that Kong doesn’t support the minimum TLS version that PostgreSQL works with (1.2), but I’m not able to configure PostgreSQL to accept a TLS version below 1.2.

Or maybe it’s some other thing I am not able to figure out.

I appreciate any suggestion.

I changed the Postgres version to 10.0 and I’m receiving this error now:

/usr/local/share/lua/5.1/kong/cmd/migrations.lua:98: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: sslv3 alert handshake failure

I searched for this and all the questions about it didn’t have any answer/solution.
Can anyone help with that?

Thanks!

I took a look in Wireshark and it says Kong is trying to use TLSv1:

[Image: wireshark - kong - tls version]

But my Postgres just works with TLSv1.2.
I can’t modify the Postgres server configuration to accept TLSv1, so, is there a way to make Kong use TLSv1.2? I’m using docker to run Kong 2.3.1.

Thanks!

Hi @sfdebug, thanks for reporting.
It has been fixed in the Kong 2.4 release.
See more details here: fix(postgres) support connecting to Postgres >= 12 by disabling SSL/TLS < 1.2 by dndx · Pull Request #7005 · Kong/kong · GitHub
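
The TLS version mismatch diagnosed in this thread can be confirmed from the client side without a packet capture. The following is an added example, not code from the thread or from Kong: it sends PostgreSQL's SSLRequest message and then attempts a verified handshake pinned to one TLS version at a time. The names `pinned_context`, `negotiate` and `probe` are hypothetical.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version, cafile=None):
    """Verifying client context that offers exactly one TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiate(raw, server_hostname, ctx):
    """Send SSLRequest on a connected socket, then handshake; return the TLS version."""
    raw.sendall(SSL_REQUEST)
    if raw.recv(1) != b"S":  # 'N' means the server has TLS switched off
        return "server declined SSLRequest"
    with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        return tls.version()


def probe(host, version, port=5432, cafile=None, timeout=5.0):
    """Return the negotiated version, or the failure reason as text."""
    try:
        ctx = pinned_context(version, cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            return negotiate(raw, host, ctx)
    except (OSError, ValueError) as exc:
        # Caveat: the local OpenSSL policy may itself refuse TLS 1.0/1.1,
        # so a failure for those versions is not always the server's doing.
        return f"failed: {exc}"


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # pass the database host name(s) on the command line
        for name, version in VERSIONS.items():
            print(f"{host} {name}: {probe(host, version)}")
```

A server that enforces `ssl_min_protocol_version = 'TLSv1.2'` should report failures for TLSv1 and TLSv1.1 and a negotiated version for TLSv1.2.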

