telegraf: postgresql sslmode error

Directions

GitHub Issues are reserved for actionable bug reports and feature requests. General questions should be asked at the InfluxData Community site.

Before opening an issue, search for similar bug reports or feature requests on GitHub Issues. If no similar issue can be found, fill out either the “Bug Report” or the “Feature Request” section below. Erase the other section and everything on and above this line.

Please note, the quickest way to fix a bug is to open a Pull Request.

Bug report

Relevant telegraf.conf:

# Telegraf Configuration

[global_tags]
[agent]
  interval = "10s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "0s"
  flush_interval = "10s"
  flush_jitter = "0s"
  debug = false
  quiet = false
  omit_hostname = false

[[outputs.influxdb]]
  urls = ["https://influx:8086"] # required
  database = "telegraf" # required
  precision = "s"
  retention_policy = "default"
  write_consistency = "any"
  timeout = "5s"
  ssl_ca = "/etc/telegraf/cacert.pem" 

 [[inputs.postgresql_extensible]]
   address = "host=postgresql user=telegraf sslmode=require password=PASSWORD dbname=mydb"
    databases = ["mydb"]

   [[inputs.postgresql_extensible.query]]
     sqlquery="SELECT c.usename,c.query,s.ssl,s.version FROM pg_stat_activity c, pg_stat_ssl s where s.pid = c.pid and c.usename = 'telegraf' "
     version=901
     withdbname=false
     tagvalue=""
     measurement="Postgres_ssl"

System info:

Telegraf 1.3.1-1
Debian 8.3

Steps to reproduce:

  1. telegraf --config /etc/telegraf/telegraf.conf -test -input-filter postgresql_extensible

Expected behavior:

* Plugin: inputs.postgresql_extensible, Collection 1
> Postgres_ssl,server=host\=postgresql\ user\=telegraf\ dbname\=mydb,db=postgres,host=localhost ssl=true,version="TLSv1.2",usename="telegraf",query="SELECT c.usename,c.query,s.ssl,s.version FROM pg_stat_activity c, pg_stat_ssl s where s.pid = c.pid and c.usename = 'telegraf' " 1496711588000000000

Actual behavior:

* Plugin: inputs.postgresql_extensible, Collection 1
2017-06-06T01:11:12Z E! x509: certificate is valid for ip-172-90-90-90.us-west-2.compute.internal, not postgresql

Additional info:

If I change the sslmode to preferinstead of require, telegraf will connect.

And in Telegraf 1.2.1-1 the sslmode=require worked without problem. This problem happended today after upgraded it.

Use case: [Why is this important (helps with prioritizing requests)]

Maybe is a bug .

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 17 (12 by maintainers)

Most upvoted comments

@zargex I’m just pointing out why the behaviour change occurred.

you can file an issue with the driver, and I’ll be happy to update telegraf once its fixed there.

pgx calls out in its documentation that it currently doesn’t follow the libpq-ssl docs explicitly but leaves room to correct the behaviour in the future. So I suspect it’ll be fairly easy to request the behaviour change to match libpq-ssl. Given its been around for 2 years the use case for ‘require’ seems pretty rare in practice.

I’m personally not concerned enough about this particular regression to jump through hoops on telegraf’s side to address it for the following reasons:

  1. there is a workaround using prefer which is basically the same thing when the server supports ssl.
  2. it doesn’t compromise the security promises of the require setting.
+1
james-lawrence on Jun 9, 2017

i’ll take a peek sometime in the next couple weeks. the driver change probably triggered this.

+1
james-lawrence on Jun 9, 2017
Read more comments on GitHub
← telegraf: Permission denied in a middle of logrotate process
telegraf: postgresql_extensible.query cannot connect to pgbouncer →