Why would I download CA certificate when starting a managed Postgres cluster on DigitalOcean?
Problem
I am trying for the first time a Postgres cluster provided as a managed service by DigitalOcean.com.
As part of configuring the new cluster, their web interface gives me a user name, password, port number and such. On that web page is a tiny link saying "Download the CA certificate". I assume CA means Certificate Authority.
➥ Why would I use or not use that link to download the certificate?
When I click the link, I end up with a file on my machine named ca-certificate.crt. How would I use this file?
Solution
To elaborate on Laurenz's answer, if someone can intercept your internet traffic intended for Digital Ocean they could set up a malicious PostgreSQL server that you would connect to unwittingly and then they could record your queries, results, and probably even your password.
Using verify-full is a way to make sure the server you are actually connected to has access to a cert (and the corresponding key) which has been issued by the CA to the hostname which you specified for the connection. So unless the man-in-the-middle either compromised the actual CA, or tricked you into installing a malicious CA cert, he can't pull this trick anymore.
Even if you are not particularly concerned about a MITM, you should download the cert (over https!) and install and configure it to be used, as a learning experience if nothing else. You can probably test it by specifying the IP address rather than the hostname in your connection string, and it should be blocked as the IP address is (probably) not in the server's cert.
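As an added example (not part of the original answer, and not DigitalOcean's code), this Python check audits postgresql:// connection URIs for the protections the answer describes, including the IP-address case. The function name audit_pg_uri, the host names and the credentials are assumptions made for illustration; the sslmode and sslrootcert parameters and their meanings are libpq's.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# libpq sslmode -> (encrypted, CA chain verified, host name verified)
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # TLS only if the server insists on it
    "prefer":      (False, False, False),  # libpq default; can fall back to plaintext
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def audit_pg_uri(uri):
    """Return a list of findings for one postgresql:// connection URI."""
    parts = urlsplit(uri)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    mode = params.get("sslmode", "prefer")  # libpq default when unset
    if mode not in SSLMODES:
        return [f"unknown sslmode {mode!r}"]
    encrypted, ca_checked, host_checked = SSLMODES[mode]
    findings = []
    if not encrypted:
        findings.append(f"sslmode={mode}: connection may be plaintext")
    if not ca_checked:
        findings.append(f"sslmode={mode}: server certificate is not verified, "
                        "an impostor server would be accepted")
    elif not host_checked:
        findings.append(f"sslmode={mode}: certificate is not matched to the host name")
    if ca_checked and "sslrootcert" not in params:
        findings.append("no sslrootcert: libpq will look in ~/.postgresql/root.crt")
    if host_checked:
        try:
            ipaddress.ip_address(parts.hostname or "")
            findings.append("host is an IP address: verify-full fails unless "
                            "the server certificate lists that IP")
        except ValueError:
            pass  # a DNS name, which is what the certificate is issued to
    return findings

# Constructed sample URIs; host, user and password are placeholders.
if __name__ == "__main__":
    for uri in (
        "postgresql://app:pw@db.example.com:5432/appdb?sslmode=require",
        "postgresql://app:pw@db.example.com:5432/appdb"
        "?sslmode=verify-full&sslrootcert=ca-certificate.crt",
    ):
        print(uri, "->", audit_pg_uri(uri) or "ok")
```

An empty result means the URI asks for both the CA check and the host name check against the downloaded ca-certificate.crt.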
Context
StackExchange Database Administrators Q#270706, answer score: 5