Postgresql SSL/x509 with Nextcloud

Presently looking for a way to connect nextcloud to postgresql using SSL.

My current stack:

Apache/2.4.33

PHP 7.1.16 (fpm-fcgi)

Nextcloud 13.0.1

PostgreSQL 10.3

So from what I can see everything except nextcloud supports this functionality:

https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
(read sslmode, sslcert, sslkey, sslrootcert, sslcrl)

https://secure.php.net/manual/en/ref.pdo-pgsql.connection.php

https://docs.nextcloud.com/server/13/admin_manual/configuration_database/linux_database_configuration.html#parameters

Would it be possible to extend the configuration parameters necessary to
get ‘dbsslkey’, etc for config.php? I’d really like a pg_hba entry that looks like this:

hostssl nextcloud nextcloud 0.0.0.0/0 cert

Already working with my client (e.g. psql 10.3: "SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384)")

Figured it out myself.

The config parameters are simply passed to the PDO DSN from the host string, so your nextcloud config would need something that looked like this:

'dbhost' => '127.0.0.1:5432;sslmode=verify-full;sslcert=~/.postgresql/postgresql.crt;sslkey=~/.postgresql/postgresql.key;sslrootcert=~/.postgresql/root.crt'


Is 127.0.0.1 just an example or are you actually connecting to localhost with SSL?

Just a sanitized example. :slight_smile:

Hello,

Sorry for bumping this topic. I am trying to connect my Nextcloud instance to a managed PostgreSQL 12 database in DigitalOcean. Connection is done only via SSL.

I followed the recommendation above:

"dbhost" => "endpont:25060;sslmode=require;sslcert=/path/to/db_certificate.crt;"

but I always get server error with:

"## Internal Server Error

The server was unable to complete your request.

If this happens again, please send the technical details below to the server administrator.

More details can be found in the server log."

but the server does not create any errors in the instance. Not even after manually creating a nextcloud.log file and granting access to www-data.

I see in @kbaegis's post there is an sslkey and sslrootcert, but there is only a CA file to download from the managed databases in DigitalOcean.

Does anyone know what I am doing wrong? Any ideas?

Thanks!
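A sanity check for the dbhost string discussed in this thread, added here as an example; it is not code from Nextcloud or from either poster. It assumes the host[:port][;key=value...] layout the posts show, that the option names are libpq's, and that certificate paths must be readable by the PHP worker, and it flags both strings quoted above.

```python
from pathlib import PurePosixPath

# sslmode values libpq accepts, from weakest to strongest.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
# Options that must point at a file the PHP worker (e.g. www-data) can read.
FILE_OPTIONS = ("sslcert", "sslkey", "sslrootcert", "sslcrl")


def parse_dbhost(dbhost: str) -> dict:
    """Split a Nextcloud 'dbhost' value of the (assumed) form
    host[:port][;key=value...] into a dict of connection parameters."""
    head, *options = [p for p in dbhost.split(";") if p.strip()]
    host, _, port = head.partition(":")
    params = {"host": host.strip(), "port": port.strip() or "5432"}
    for opt in options:
        key, sep, value = opt.partition("=")
        if not sep:
            raise ValueError(f"option without '=': {opt!r}")
        params[key.strip()] = value.strip()
    return params


def check_dbhost(dbhost: str) -> list:
    """Return a list of problems; an empty list means the string looks sound."""
    p = parse_dbhost(dbhost)
    issues = []
    mode = p.get("sslmode", "prefer")          # libpq default when unset
    if mode not in SSLMODES:
        issues.append(f"unknown sslmode {mode!r}")
    elif SSLMODES.index(mode) < SSLMODES.index("verify-ca"):
        issues.append(f"sslmode={mode} does not verify the server certificate; "
                      "use verify-ca or verify-full together with sslrootcert")
    if mode in ("verify-ca", "verify-full") and "sslrootcert" not in p:
        issues.append("sslmode=verify-* set but no sslrootcert (CA file) given")
    # sslcert is the *client* certificate; a provider's CA file belongs in sslrootcert.
    if ("sslcert" in p) != ("sslkey" in p):
        issues.append("client certificate auth needs both sslcert and sslkey")
    for key in FILE_OPTIONS:
        if key in p and not PurePosixPath(p[key]).is_absolute():
            issues.append(f"{key}={p[key]!r} is not an absolute path; the web "
                          "server's PHP process will not shell-expand '~'")
    if not p["port"].isdigit():
        issues.append(f"port {p['port']!r} is not numeric")
    return issues
```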